Security Guidelines for SQL Azure
Author: Dinakar Nethi
Contributors: Michael Thomassy, Dustin Fraser
Technical Reviewer: Tony Petrossian
Published: May 2010
Summary
SQL Azure Database is a cloud database service from Microsoft. SQL Azure provides Web-facing
database functionality as a utility service. Cloud-based database solutions such as SQL Azure can
provide many benefits, including rapid provisioning, cost-effective scalability, high availability,
and reduced management overhead. This document provides an overview of security guidelines
for customers who connect to SQL Azure Database, and who build secure applications on SQL
Azure.
Copyright
This is a preliminary document and may be changed substantially prior to final commercial
release of the software described herein.
The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting
the rights under copyright, no part of this document may be reproduced, stored in, or
introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you
any license to these patents, trademarks, copyrights, or other intellectual property.
© 2010 Microsoft Corporation. All rights reserved.
Microsoft, ADO.NET Data Services, Cloud Services, Live Services, .NET Services, SharePoint
Services, SQL Azure, SQL Azure Database, SQL Server, SQL Server Express, Sync Framework,
Visual Studio, Windows Live, and Windows Server are trademarks of the Microsoft
group of companies.
All other trademarks are property of their respective owners.
This document provides basic requirements for both server-side and client-side settings to enable connectivity to Microsoft SQL Azure.
The Tabular Data Stream (TDS) protocol is used by all SQL Server and SQL Azure tools and client libraries to connect to the server. The SQL Azure service is only accessible through TCP/1433, the default port used by the TDS protocol. Customers need to configure their environment to allow outbound TCP connections over port TCP/1433 so that applications and tools can connect to SQL Azure.
Connecting to Microsoft SQL Azure involves multiple steps:
- The networks must allow computers that need to connect to SQL Azure to establish outbound connections on port 1433. Usually, customer sites disallow outgoing TCP/1433 connections by default; however, consuming the SQL Azure service requires customers to allow outgoing connections to the SQL Azure service IP addresses. Network firewalls and other security devices may prevent computers on the customer networks from establishing outbound connections to SQL Azure. Inbound connections are not required or recommended.
- Proxy servers may need to be adjusted to allow the outbound TDS protocol over port 1433. Client-side proxy software such as the Microsoft ISA client may be needed to allow client computers to use proxy servers for outbound connections.
- Use the SQL Azure portal to configure SQL Azure firewall settings to allow connections from your computer(s) and/or Windows Azure. More details on configuring the firewall can be found in "How to configure firewall and SQL Azure firewall" (see References).
- Always use the loginname@servername format for the login, since certain tools implement TDS differently. For example, if your server name is mv2abek9r7.database.windows.net and your administrator login is testsa, use testsa@mv2abek9r7 as the login.
- Create appropriate logins on your SQL Azure server. After the SQL Azure server has been provisioned, create the administrator user that has admin privileges on the server, connect to the master database on your SQL Azure server via SQL Server Management Studio R2, and use CREATE LOGIN scripts to create users and roles. More detailed information on managing logins is available in "Managing databases and logins in SQL Azure" (see References).
- Developers and database users can now use the logins created above to connect to SQL Azure.
- Optional: If you have on-premises SQL Servers that need to communicate with SQL Azure for data synchronization or other reasons, you must ensure that those servers have internet-routable IP addresses.
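As an added example (not from the whitepaper), the following Python script covers two of the steps above: it derives the loginname@servername form from the server's fully qualified name, and it performs a plain TCP connect to port 1433 to confirm that the local firewall and proxy allow the outbound connection before any credentials are involved. The server name and login are the whitepaper's illustrative values, not real accounts.

```python
# Added example, not part of the whitepaper: build the login form SQL Azure tools
# expect and verify that outbound TCP/1433 to the server is reachable from this host.
import socket

def format_login(login: str, server_fqdn: str) -> str:
    """Return login@servername, where servername is the first DNS label of the
    server FQDN (testsa + mv2abek9r7.database.windows.net -> testsa@mv2abek9r7)."""
    server_name = server_fqdn.split(".")[0]
    if "@" in login:
        # Already qualified: make sure it names the server we are connecting to.
        _, _, given = login.partition("@")
        if given != server_name:
            raise ValueError(f"login qualified with {given!r}, expected {server_name!r}")
        return login
    return f"{login}@{server_name}"

def check_outbound_1433(server_fqdn: str, timeout: float = 5.0) -> dict:
    """Attempt a bare TCP connect on the TDS port. Nothing is sent, so this only
    tells you whether the local network or proxy permits the outbound connection."""
    result = {"server": server_fqdn, "port": 1433, "reachable": False, "detail": ""}
    try:
        with socket.create_connection((server_fqdn, 1433), timeout=timeout):
            result["reachable"] = True
            result["detail"] = "TCP handshake completed"
    except socket.timeout:
        result["detail"] = "timed out: outbound TCP/1433 is probably filtered by a firewall or proxy"
    except socket.gaierror as e:
        result["detail"] = f"DNS resolution failed: {e}"
    except OSError as e:
        result["detail"] = f"connection failed: {e}"
    return result

if __name__ == "__main__":
    server = "mv2abek9r7.database.windows.net"   # whitepaper's example server name
    print("use login:", format_login("testsa", server))
    print(check_outbound_1433(server))
```

A timeout rather than a refusal usually points at the outbound filtering or proxy described in the steps above, not at the SQL Azure firewall, which rejects at the TDS level after the TCP handshake.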
Allowing outbound traffic for TCP/1433 to the SQL Azure Virtual IP for each location is sufficient
for connecting to SQL Azure.
Customers may also need to explicitly allow return traffic from Microsoft's VIP back into their network, depending on how strict their policies are. In other words, if a customer allows outbound TCP/1433 traffic to SQL Azure IPs, they also need to allow the return traffic coming from SQL Azure IPs (source port TCP/1433) back into their network. Some networks allow all return traffic for any connection initiated internally, but other, more restrictive networks also restrict return traffic with explicit access control lists. The "established" keyword on the outbound ACLs, as in the examples below, permits return traffic into the customer site only for connections that were initiated from within the customer site; traffic from SQL Azure is not allowed unless it belongs to a connection the customer side opened.
"Outbound" and "inbound" refer to the direction of traffic with reference to the router.
Inbound ACL (outgoing traffic): permit tcp any gt 1023 host <SQL Azure IP> eq 1433
Outbound ACL (return traffic): permit tcp host <SQL Azure IP> eq 1433 any gt 1023 established
It may be more convenient for customers to allow TCP/1433 connections to the range of
Microsoft’s public network addresses instead of a specific SQL Azure location. This will allow for
greater flexibility; as SQL Azure adds more locations, the need to revisit customer access control
lists will be reduced.
For example, the TDS endpoint for the SQL Azure North Central US data center is data.ch11.database.windows.net, with an IP address of 207.46.203.22. Performing a lookup of
http://ws.arin.net/whois/?queryinput=207.46.203.22 reveals Microsoft’s entire scope for this IP is
207.46.0.0/16.
The following is an example ACL setting to allow connections to the entire range of possible IP
addresses for Microsoft SQL Azure Service.
Inbound ACL (outgoing traffic): permit tcp any gt 1023 207.46.0.0 0.0.255.255 eq 1433
Outbound ACL (return traffic): permit tcp 207.46.0.0 0.0.255.255 eq 1433 any gt 1023 established
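To make the two ACL lines concrete, here is an added Python model (not from the whitepaper) that applies them to constructed TCP segments. It shows how the 0.0.255.255 wildcard mask expresses the 207.46.0.0/16 scope and why "established" drops an unsolicited segment from a SQL Azure address even though its source port is 1433. The client address 10.0.0.5 and ports are constructed; the SQL Azure address is the whitepaper's North Central US example.

```python
# Added example, not from the whitepaper: evaluate the two Cisco-style ACL lines
# against constructed segments. "established" matches only segments with ACK or RST set.
from dataclasses import dataclass

SQL_AZURE_NET = "207.46.0.0"
SQL_AZURE_WILDCARD = "0.0.255.255"  # wildcard mask: 0 bits must match, 1 bits are ignored

def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def in_wildcard(ip: str, net: str, wildcard: str) -> bool:
    """True if ip falls inside net/wildcard (0.0.255.255 is the 207.46.0.0/16 scope)."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(ip) & care) == (ip_to_int(net) & care)

@dataclass
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack_or_rst: bool  # what the "established" keyword tests

def permit_outgoing(s: Segment) -> bool:
    """Inbound ACL: permit tcp any gt 1023 207.46.0.0 0.0.255.255 eq 1433"""
    return (s.src_port > 1023 and s.dst_port == 1433
            and in_wildcard(s.dst_ip, SQL_AZURE_NET, SQL_AZURE_WILDCARD))

def permit_return(s: Segment) -> bool:
    """Outbound ACL: permit tcp 207.46.0.0 0.0.255.255 eq 1433 any gt 1023 established"""
    return (in_wildcard(s.src_ip, SQL_AZURE_NET, SQL_AZURE_WILDCARD)
            and s.src_port == 1433 and s.dst_port > 1023 and s.ack_or_rst)

# Constructed traffic between a client at 10.0.0.5 and the North Central US endpoint.
CLIENT, AZURE = "10.0.0.5", "207.46.203.22"
SYN_OUT = Segment(CLIENT, 50000, AZURE, 1433, ack_or_rst=False)           # permitted
SYN_ACK_BACK = Segment(AZURE, 1433, CLIENT, 50000, ack_or_rst=True)       # permitted
UNSOLICITED_SYN = Segment(AZURE, 1433, CLIENT, 50000, ack_or_rst=False)   # denied: no ACK/RST
OUTSIDE_SCOPE = Segment(CLIENT, 50000, "207.47.1.1", 1433, ack_or_rst=False)  # denied: not /16

if __name__ == "__main__":
    for name, seg, check in [("client SYN", SYN_OUT, permit_outgoing),
                             ("server SYN-ACK", SYN_ACK_BACK, permit_return),
                             ("unsolicited SYN from port 1433", UNSOLICITED_SYN, permit_return),
                             ("SYN outside 207.46.0.0/16", OUTSIDE_SCOPE, permit_outgoing)]:
        print(f"{name}: {'permit' if check(seg) else 'deny'}")
```

Note that "established" is stateless: it only inspects the ACK and RST flags, so a stateful firewall that tracks the client-initiated connection gives stricter control over return traffic than this ACL alone.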
Other guidelines:
- When connecting to SQL Azure, use the most current version of tools and libraries for the best experience.
- Configure your firewall to allow connections only to specific IP addresses.
- Prevent SQL injection vulnerabilities by using parameterized queries.
- A SQL Azure server is just a logical grouping of databases; it is not a physical SQL Server. Hence, creating multiple servers will not provide any performance benefit. You can create multiple servers if you want to group sets of databases into logical unit(s) or if you want separate billing for certain database(s).
References:
- SQL Azure Firewall
- Managing Databases and Logins in SQL Azure
- How to Configure SQL Azure Firewall
- Troubleshooting SQL Azure
- SQL Azure Portal
- SQL Azure Developer Center
- SQL Azure Team Blog