Security Considerations for SQL Server in Azure Virtual Machines
This topic includes overall security guidelines that help establish secure access to SQL Server instances in an Azure VM. However, to ensure better protection for your SQL Server database instances in Azure, we recommend that you implement the traditional on-premises security practices in addition to the security best practices for Azure.
Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This article covers using the classic deployment model. Microsoft recommends that most new deployments use the Resource Manager model.
For more information about SQL Server security practices, see SQL Server 2008 R2 Security Best Practices - Operational and Administrative Tasks.
Azure complies with several industry regulations and standards that can enable you to build a compliant solution with SQL Server running in a Virtual Machine. For information about regulatory compliance with Azure, see Azure Trust Center.
Following is a list of security recommendations that should be considered when configuring and connecting to the instance of SQL Server in an Azure VM.
Create a unique local administrator account that is not named Administrator.
Use complex, strong passwords for all your accounts. For more information about how to create a strong password, see the Tips for creating a strong password article.
By default, Azure selects Windows Authentication during SQL Server Virtual Machine setup. Therefore, the SA login is disabled and a password is assigned by setup. We recommend that the SA login should not be used or enabled. The following are alternative strategies if a SQL Login is desired:
- Create a SQL account that has sysadmin membership.
- If you must use a SA login, enable the login and rename it and assign a new password.
- Both of the options mentioned earlier require changing the authentication mode to SQL Server and Windows Authentication Mode. For more information, see Change Server Authentication Mode.
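The following script, added here as an example and not part of the original article, applies the first option above: it creates a dedicated sysadmin SQL login with Windows password policy enforced, keeps the built-in SA login disabled and renames it away from its well-known name, and switches the instance to SQL Server and Windows Authentication Mode. The instance name, the login name, the replacement name for SA, and the use of the SqlServer PowerShell module (Invoke-Sqlcmd) are assumptions; the script must be run on the VM by a Windows login that is already a member of sysadmin.

```powershell
# Added example (not from the article). Assumptions: default instance on the local VM,
# the caller already holds sysadmin through Windows Authentication, and the SqlServer
# module is installed so that Invoke-Sqlcmd is available.
Import-Module SqlServer

$instance   = 'localhost'          # assumed: default instance on this VM
$adminLogin = 'DbaAdmin'           # assumed name for the new sysadmin SQL login
$renamedSa  = 'svc_legacy_admin'   # assumed new name for the built-in SA login

# Prompt for the password instead of embedding it in the script. Single quotes are
# doubled so the value is safe inside the T-SQL string literal below.
$secure   = Read-Host "Password for $adminLogin" -AsSecureString
$password = [System.Net.NetworkCredential]::new('', $secure).Password.Replace("'", "''")

# sqlcmd-style $(Name) variables are substituted by Invoke-Sqlcmd, so the here-string
# is single-quoted to keep PowerShell from expanding them first.
$tsql = @'
-- 1. Record the current mode: 1 = Windows Authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnlyBefore;

-- 2. Create the replacement sysadmin login, enforcing the Windows password policy.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$(AdminLogin)')
    CREATE LOGIN [$(AdminLogin)]
        WITH PASSWORD = N'$(AdminPassword)', CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
ALTER SERVER ROLE sysadmin ADD MEMBER [$(AdminLogin)];

-- 3. SA is always the principal with SID 0x01, whatever it is currently called.
--    Rename it if it still carries the default name, then make sure it is disabled.
DECLARE @saName sysname = (SELECT name FROM sys.server_principals WHERE sid = 0x01);
IF @saName = N'sa'
BEGIN
    ALTER LOGIN sa WITH NAME = [$(RenamedSa)];
    SET @saName = N'$(RenamedSa)';
END
DECLARE @disable nvarchar(300) = N'ALTER LOGIN ' + QUOTENAME(@saName) + N' DISABLE;';
EXEC sp_executesql @disable;

-- 4. A SQL login can only authenticate in mixed mode. LoginMode 2 = SQL Server and
--    Windows Authentication; the change is read when the service restarts.
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 2;
'@

Invoke-Sqlcmd -ServerInstance $instance -Query $tsql -Variable @(
    "AdminLogin=$adminLogin",
    "AdminPassword=$password",
    "RenamedSa=$renamedSa"
)

# Apply the authentication-mode change, then confirm the SA principal is disabled.
Restart-Service -Name MSSQLSERVER -Force
Invoke-Sqlcmd -ServerInstance $instance -Query @'
SELECT name, is_disabled, SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnlyAfter
FROM sys.server_principals WHERE sid = 0x01;
'@
```

The second option in the list (re-enabling SA) would replace step 3 with ALTER LOGIN ... ENABLE and a new password, but the rename and the mixed-mode change in step 4 are needed in either case. Restarting the service drops every open connection, so schedule the script in a maintenance window.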
Consider using Azure Virtual Network to administer the virtual machines instead of public RDP ports.
Use a Network Security Group (NSG) to allow or deny network traffic to your virtual machine. If you want to use an NSG and have an endpoint ACL already in place, first remove the endpoint ACL. For information about how to do this, see Managing Access Control Lists (ACLs) for Endpoints by using PowerShell.
If you are using endpoints, remove any endpoints on the virtual machine if you do not use them. For instructions on using ACLs with endpoints, see Manage the ACL on an endpoint.
Enable an encrypted connection option for an instance of the SQL Server Database Engine in Azure Virtual Machines. Configure the SQL Server instance with a signed certificate. For more information, see Enable Encrypted Connections to the Database Engine and Connection String Syntax.
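As an added example that is not part of the original article, the script below binds an already-installed signed certificate to the Database Engine through the SuperSocketNetLib registry keys, forces encryption for every connection, and then verifies from the client side that a connection opened with Encrypt=True and TrustServerCertificate=False is actually encrypted. The certificate thumbprint, the server FQDN, the default instance and the use of System.Data.SqlClient are assumptions; the certificate's subject (or a SAN) must match the FQDN clients connect to, and the SQL Server service account needs read access to the certificate's private key.

```powershell
# Added example (not from the article). Run on the VM as a local administrator.
$thumbprint = '0000000000000000000000000000000000000000'   # placeholder: thumbprint of the signed cert in Cert:\LocalMachine\My
$serverFqdn = 'sqlvm01.cloudapp.net'                        # assumed name that clients use and that the certificate covers
$instance   = 'MSSQLSERVER'                                  # assumed: default instance

# Confirm the certificate is present and has a private key before touching SQL Server.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint not found in LocalMachine\My or it has no private key."
}

# The instance id (e.g. MSSQL13.MSSQLSERVER) is registered under "Instance Names\SQL".
$instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$instance
$netLib     = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"

# SQL Server stores the thumbprint in lowercase without spaces; ForceEncryption = 1
# rejects clients that do not negotiate TLS, so "Encrypt=False" connection strings fail.
Set-ItemProperty -Path $netLib -Name 'Certificate'     -Value $thumbprint.ToLower()
Set-ItemProperty -Path $netLib -Name 'ForceEncryption' -Value 1 -Type DWord

# The settings are read at service start.
Restart-Service -Name $instance -Force

# Client-side check: validate the server certificate against the machine's trusted roots
# (TrustServerCertificate=False) and ask the engine whether this session is encrypted.
function Test-SqlEncryptedConnection {
    param([string]$Server)
    $cs   = "Server=$Server;Database=master;Integrated Security=True;Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        return [string]$cmd.ExecuteScalar()   # 'TRUE' when the session is encrypted
    } finally {
        $conn.Dispose()
    }
}

$result = Test-SqlEncryptedConnection -Server $serverFqdn
if ($result -ne 'TRUE') { throw "Connection to $serverFqdn is not encrypted (encrypt_option = $result)." }
"Encrypted connection to $serverFqdn confirmed."
```

Leaving TrustServerCertificate=True in production connection strings defeats the point of the signed certificate, because the client then accepts any certificate the server presents; the check above deliberately uses False so that a name mismatch or an untrusted issuer surfaces as a connection error.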
If your virtual machines should be accessed only from a specific network, use Windows Firewall to restrict access to certain IP addresses or network subnets.
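The following script is an added example, not code from the original article, covering the three network recommendations above together: it removes endpoints the VM no longer needs and clears any endpoint ACL, restricts inbound TCP 1433 at the subnet with a classic Network Security Group, and then restricts the same port again inside the guest with Windows Firewall so that the two layers back each other up. The cloud service, VM, virtual network, subnet and administrative subnet range are assumptions; part A uses the classic Azure PowerShell module (Azure Service Management cmdlets) from an administrator's workstation with a subscription already selected, and part B runs inside the VM.

```powershell
# Added example (not from the article). Part A: run from an admin workstation with the
# classic Azure module loaded and a subscription selected (Add-AzureAccount / Select-AzureSubscription).
$serviceName = 'sqlvm01-svc'      # assumed cloud service name
$vmName      = 'sqlvm01'          # assumed VM name
$vnetName    = 'prod-vnet'        # assumed classic virtual network
$subnetName  = 'data-subnet'      # assumed subnet that holds the SQL Server VM
$adminSubnet = '10.10.0.0/24'     # assumed address range of the administrative network
$nsgName     = 'sql-vm-nsg'
$location    = 'West Europe'      # assumed region of the VM

# 1. Drop endpoints that are not used. Only an explicitly listed endpoint survives, so a
#    forgotten public RDP or SQL endpoint is removed rather than left open on the Internet.
$keepEndpoints = @()              # assumed: VM is reached through the VNet, so no public endpoint is needed
$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
foreach ($ep in (Get-AzureEndpoint -VM $vm)) {
    if ($keepEndpoints -notcontains $ep.Name) {
        "Removing endpoint $($ep.Name) ($($ep.Protocol)/$($ep.PublicPort))"
        $vm = Remove-AzureEndpoint -Name $ep.Name -VM $vm
    }
}
# An endpoint ACL must be cleared before an NSG is applied; the cmdlet is the one used by
# the linked "Managing ACLs for Endpoints" article (assumed still valid for kept endpoints).
foreach ($name in $keepEndpoints) {
    $vm = Remove-AzureAclConfig -EndpointName $name -VM $vm
}
$vm | Update-AzureVM

# 2. Create an NSG that allows SQL Server traffic only from the admin subnet. Rules are
#    evaluated by priority, and the implicit default rules deny other inbound Internet traffic.
$nsg = New-AzureNetworkSecurityGroup -Name $nsgName -Location $location -Label 'SQL Server VM inbound filter'
$nsg | Set-AzureNetworkSecurityRule -Name 'allow-sql-from-admin' -Type Inbound -Priority 100 -Action Allow `
        -SourceAddressPrefix $adminSubnet -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '1433' -Protocol TCP
$nsg | Set-AzureNetworkSecurityRule -Name 'deny-sql-from-anywhere' -Type Inbound -Priority 200 -Action Deny `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '1433' -Protocol TCP
$nsg | Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $vnetName -SubnetName $subnetName

# Part B: run inside the VM as a local administrator. Windows Firewall enforces the same
# restriction in the guest, so a mistake in the NSG does not expose the instance by itself.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'SQL Server TCP 1433 from admin subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $adminSubnet -Action Allow -Profile Any
# Verify: the only enabled inbound rule for 1433 should carry the admin-subnet scope.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 1433 } |
    ForEach-Object { '{0}: {1}' -f $_.DisplayName, (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',') }
```

Part B is deliberately independent of part A: the firewall rule keys on the remote address range rather than on the NSG, so it keeps working if the VM is later moved to another subnet, while the explicit Deny rule in the NSG makes the intent visible to anyone reviewing the group later rather than relying on the default rules alone.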
If you are also interested in best practices around performance, see Performance Best Practices for SQL Server in Azure Virtual Machines.
For other topics related to running SQL Server in Azure VMs, see SQL Server on Azure Virtual Machines overview.