Azure Boot Camp 21.04.2018 SQL Server in Azure IaaS PaaS on-prem Lars Platzdasch
1. SQL Server in Azure IaaS, PaaS, on-Prem
Planning and Business Continuity
or more like
Take the Red or the Blue Pill
Lars Platzdasch
MCT,MCSE SQL, MCSE SharePoint
3. About the Audience
• DBAs
• Developers
• SQL AlwaysOn Availability Groups Experience?
• System Administrators
• Azure Lovers ;-)
• and …
4. The Plan
1. High Level Comparison to SQL Server
2. Most Important Slide about the differences
3. Drill into random interesting capabilities
4. Securing
5. Some demos
6. Tips for IaaS
6. Azure SQL DB is SQL Server Except…
“Just change the connection string…”
[Diagram: SQL Server | Common | Azure SQL DB]
Additional information on differences:
https://azure.microsoft.com/en-us/documentation/articles/sql-database-transact-sql-information/
7. Demos
• Demo: Meet the Portal (portal.azure.com)
• Demo: Create a SQL Database
8. What’s the Same
1. Team
2. Core Code Base
3. Transact-SQL
▪ Yes, full support
▪ https://feedback.azure.com/
4. Most of the features
5. Mature
9. What’s Missing (or is it?) in Azure SQL DB
Category 1: Takes a Different Approach
▪ Example: SQL Agent
Category 2: On the way
▪ Network Support
▪ But in the works…
Category 3: No plan (?)
https://feedback.azure.com/
10. Differences
Azure SQL Database
• You access a DB
• DB is fully managed: High Availability, Backups, Patching
• Runs latest SQL Server version, based on Enterprise ed.
• New paradigm of databases and modern app building
• Different DB sizes: Basic (2GB, 5 DTUs) to Premium (1TB, 4000 DTUs)
• DB availability SLA: 99.99%
SQL Server in Azure VM
• You access a VM with SQL Server
• You manage SQL Server and Windows: High Availability, Backups, Patching (automation available)
• You can run any SQL Server version and edition
• Full on-premises compatibility
• Different VM sizes: A0 (1 core, 1GB mem, 100GB) to G5 ( .. )
• VM availability SLA: 99.95%. In practice SQL AlwaysOn provides higher availability (~99.99%)
• Reuse on-premises infrastructure (e.g. Active Directory)
11. SQL Server View on ‘Managed’
[Diagram. Axes: High Control | High Maintenance to Low Control | Low Maintenance; Dedicated, higher cost to Shared, lower cost.
Options shown: SQL Server (Physical Machines); SQL Server Private Cloud (Virtualized Machines); SQL Server in Azure VM (Virtualized Machines); Azure SQL Database (Virtualized Databases).
Other labels: On premises, Off premises, Hybrid, Cloud, Physical, Virtual, IaaS, PaaS, SaaS.]
12. Manageability ( Azure SQL DB )
1. Server Management so easy - not available!
▪ You control schema, indexes, users, etc. as usual
▪ PaaS model
2. 99.95% uptime SLA (one instance)
3. Geo-DR/FO/BC (Active/Passive)
4. Geo-Replication (Active/Active RO)
5. Backups, PiTR
14. Data Throughput Unit
▪ http://dtucalculator.azurewebsites.net/
▪ Demo: DTU definition
https://azure.microsoft.com/en-us/documentation/articles/sql-database-service-tiers/#understanding-dtus
15. Pricing (Azure DB)
• SQL / Space / DTU
• Pools
• Geo Repl
16. Pricing in Tiers and Pools
▪ Demo: Pricing options
https://azure.microsoft.com/en-us/pricing/
▪ https://azure.microsoft.com/en-us/documentation/articles/sql-database-service-tiers/
17. Securing SQL Azure
“[Cloud security] is a shared responsibility between the customer and the cloud vendor.”
Mark Russinovich, Microsoft Azure CTO
https://www.rsaconference.com/writable/presentations/file_upload/exp-w01_assume-breach-an-inside-look-at-cloud-service-provider-security.pdf
18. A Cautionary Tale: Code Spaces
1. DDoS
2. Ransom demand
3. Security breach noticed
4. Fighting back
5. Malicious destruction of assets
6. Security & Business #fail
“Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced.”
Data plane (data access) vs. mgmt/control plane (Portal, APIs, PowerShell)
Elapsed time: 12 hours
http://arstechnica.com/security/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/
19. Risk Mitigation
Top Azure Risks Leading to Tenant Breach (risk: mitigation)
• Internet Exposed RDP or SSH Endpoints: Network ACLs or Host-based Firewall; Strong passwords; VPN or SSH Tunnels
• Virtual Machine Missing Security Patches: Keep Automatic Updates Enabled
• Web Application Vulnerability: Securing Azure Web Applications; Vulnerability scan/penetration test
• Weak Admin/Co-Admin Credentials: Azure Multi-Factor Authentication; Subscription Management Certificate
• Unrestricted SQL Endpoint: Azure SQL Firewall
• Storage Key Disclosure: Manage Access to Storage Resources
• Insufficient Security Monitoring: Azure Security and Log Management
https://www.rsaconference.com/writable/presentations/file_upload/exp-w01_assume-breach-an-inside-look-at-cloud-service-provider-security.pdf
20. SSO for Built-In Services
Use the same AAD, where it makes sense, across
• Azure
• Office 365
• Visual Studio Team Services
• Windows 10 (Intune)
• Azure SQL Database (!)
21. Prefer RBAC to Co-Admin
• Co-Admin only option on Classic Portal
• RBAC only available on portal.azure.com
• New portal support not 100%
• https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in-roles/
• https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/
RBAC: Role Based Access Control (IAM)
28. Some Best Practices (Azure IaaS)
• Start the deployment with a lower specification.
• Use DS Series VMs and use Premium storage for higher throughput.
• Disable geo-redundant storage on the storage accounts.
• Enable read caching on the disks hosting the data files and TempDB.
• Disable caching on the logs disk.
• Stripe multiple disks to achieve higher IOPS.
• Move all databases to separate disks. (Not on OS disks)
• Disable autogrow.
• Enable instant file initialization for data files.