At our IT Camp in Saint Louis a few weeks ago, Todd had a great question on protecting his cloud-based SQL Server:
Not sure this question was asked at the Azure IT boot camp, but are there any future plans to segregate or ACL off the subnets in Azure? Most of our web front ends are in our DMZ, in a lower security zone, and our SQL servers are in a higher protected zone. The ACL allows communication between the two, but I did not see that in the Azure portal. So as it stands I could stand up a WFE and it could be talking directly to the SQL server and get compromised?
Is it the position of Microsoft to use Windows firewall between the servers?
I didn’t cover it in much detail at our event, and it’s not something that is (yet) exposed in the Windows Azure Portal, but through PowerShell you do have the ability to assign fairly complex network ACLs to the endpoints of a Windows Azure virtual machine.
From the article “About Network Access Control Lists (ACLs)”:
Using Network ACLs, you can do the following:
- Selectively permit or deny incoming traffic to a virtual machine input endpoint based on the remote IPv4 subnet address range.
- Blacklist IP addresses.
- Create multiple rules per virtual machine endpoint.
- Specify up to 50 ACL rules per virtual machine endpoint.
- Use rule ordering to ensure the correct set of rules is applied on a given virtual machine endpoint (rules are evaluated from lowest order to highest).
- Specify an ACL for a specific remote IPv4 subnet address.
The simplest example of an endpoint is the one every Windows VM gets at creation: a public endpoint that maps to private port 3389 so you can connect over Remote Desktop. Without that endpoint definition, the default is to block everything inbound. As you can see from the list above, ACLs let us be far more selective than simply opening or closing a port: we can decide which remote subnets may reach the port at all.
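To make this concrete for Todd's scenario, here is an added example (not from the original post, and not Microsoft sample code) using the classic Azure PowerShell cmdlets to lock the SQL endpoint of a VM down to the web front-end subnet and the RDP endpoint down to a management address. The cloud service name, VM name, endpoint names and subnet ranges are all placeholders I made up; substitute your own.

```powershell
# Added example: restrict who can reach a VM's input endpoints with Network ACLs.
# Assumes the classic Azure module (Add-AzureAccount / Select-AzureSubscription already run)
# and a VM "SQL01" in cloud service "contoso-svc" (both hypothetical names).
$serviceName = "contoso-svc"
$vmName      = "SQL01"

# Hypothetical address ranges: the DMZ subnet hosting the web front ends,
# and the single management host allowed to RDP in.
$webFrontEndSubnet = "10.1.0.0/24"
$adminHost         = "203.0.113.10/32"   # documentation range, placeholder

# --- SQL endpoint: permit only the web front-end subnet -----------------
# Rules are evaluated from lowest Order to highest; once a Permit rule exists,
# anything that matches no rule is denied. The explicit Deny is kept so the
# intent is visible when someone reads the ACL later.
$sqlAcl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $sqlAcl -Action Permit -RemoteSubnet $webFrontEndSubnet `
    -Order 100 -Description "Allow web front ends to reach SQL"
Set-AzureAclConfig -AddRule -ACL $sqlAcl -Action Deny -RemoteSubnet "0.0.0.0/0" `
    -Order 200 -Description "Deny everything else"

# Apply the ACL to the SQL endpoint (created here if it does not exist yet).
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Add-AzureEndpoint -Name "SQL" -Protocol tcp -LocalPort 1433 -PublicPort 1433 -ACL $sqlAcl |
    Update-AzureVM

# --- RDP endpoint: permit only the management host ---------------------
$rdpAcl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $rdpAcl -Action Permit -RemoteSubnet $adminHost `
    -Order 100 -Description "Allow RDP from the management host only"

# The default RDP endpoint already exists on a Windows VM, so update it in place.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureEndpoint -Name "RemoteDesktop" -Protocol tcp -LocalPort 3389 -ACL $rdpAcl |
    Update-AzureVM

# --- Verify: read the ACLs back and review order, action and subnet ----
foreach ($endpoint in "SQL", "RemoteDesktop") {
    Write-Host "ACL rules on endpoint '$endpoint':"
    Get-AzureAclConfig -ServiceName $serviceName -Name $vmName -EndpointName $endpoint |
        Sort-Object Order |
        Format-Table Order, Action, RemoteSubnet, Description -AutoSize
}
```

Two points worth keeping in mind when you adapt this. First, these ACLs apply to input endpoints, that is, traffic arriving through the cloud service's public address, which is exactly where an exposed SQL port is most dangerous; they complement, rather than replace, the Windows Firewall rules on the server itself. Second, the verification loop at the end is the part to run after every change: an ACL with the Permit rule ordered after a broad Deny silently locks out the web tier, and reading the rules back sorted by Order makes that mistake obvious.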
For the complete description of what ACLs are, read “About Network Access Control Lists (ACLs)”.
To learn how to manage and use them in Windows Azure, read “Managing Access Control Lists (ACLs) for Endpoints”.