Share via

Azure SQL Database Active geo-replication between 2 different tenant

Hatem MAHBOULI (EXT) 20 Reputation points
2024-02-08T10:02:58.1333333+00:00

In the case of an active geo-replication database of Azure SQL Databse on 2 differebt tenants (A and B) not having the same owner, what measures should be taken into consideration to avoid an intrusion from tenant A to tenant B? Is there any hardening/configuration to consider?

Azure SQL Database
0 comments
Accepted answer
  1. Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
    2024-02-15T06:56:20.46+00:00

    Hello @Hatem MAHBOULI (EXT) For an elaborated response to your request. When setting up active geo-replication between two different tenants in Azure SQL Database, there are several security measures and configurations to consider preventing unauthorized access:

    1. Authentication and Access Control: Azure SQL Database supports SQL authentication and Microsoft Entra ID (formerly Azure Active Directory) authentication1. It’s important to manage databases and servers within Azure using your portal user account’s role assignments.
    2. Contained Users: Unlike traditional users, which must be mapped to logins in the master database, a contained user is managed completely by the database itself2. This means users can continue to connect to the new primary database or the database recovered using geo-restore without any additional configuration.
    3. Firewall Rules: Azure SQL Database provides a firewall that enables you to create rules limiting connectivity by IP address1. You can set up server-level firewall rules accessible from the Azure portal and database-level firewall rules accessible from SSMS.
    4. Data Encryption: Azure SQL Database supports Transport Layer Security for data encryption when data is moving to the networks3. It also supports Transparent Data Encryption for encryption at rest.
    5. Auditing and Threat Detection: Azure SQL Database auditing tracks database events and writes them to an audit log in your Azure Storage account3. Threat detection detects anomalous database activities indicating potential security threats to the database.
    6. Managed Service Identities: The best way to lock down your SQL Database is with AAD Integration, and Managed Service Identities4. Azure will provision an AAD identity for your application, and only code running in that application will be able to generate an Access Token for that Identity4.

    Remember, it’s crucial to grant users the least privileges necessary and regularly review and update your security configurations. For more detailed information, you can refer to the Azure SQL Database Security Overview and the Azure Database Security Checklist. If this information provided here helps solve your issue, please tag this as answered, so it helps further community readers, who may have similar questions.

    1 person found this answer helpful.
    0 comments

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Oury Ba-MSFT 20,911 Reputation points Microsoft Employee Moderator
    2024-02-14T22:07:17.56+00:00

    @Hatem MAHBOULI (EXT) Thank you for getting back and apologies for the brevity of my previous response.

    SQL DB Geo replication always uses Azure backbone network. Ensuring both efficiency and security.

    When using geo-replication (such as active geo-replication), data synchronization between primary and secondary databases also occurs over the Azure backbone.

    This ensures that data remains secure during replication across regions.

    In summary, Azure ensures that data transfer between databases occurs securely over its backbone network, minimizing exposure to the public internet. Your data remains protected during transmission.

    I was able to verify this internally and the official documentation is correct. Creating a geo-replica on a logical server in a different Azure tenant is supported. https://learn.microsoft.com/en-us/azure/azure-sql/database/active-geo-replication-overview?view=azuresql#cross-subscription-geo-replication Hope that helps.

    Please do let me know if you have additional queries or need more clarification. Will be glad to assist you.

    Regards,

    Oury

    1 person found this answer helpful.
  2. Alberto Morillo 34,671 Reputation points MVP Volunteer Moderator
    2024-02-08T10:41:09.6466667+00:00

    Creating a geo-replica on a logical server in a different Azure tenant is not supported as you can read on this support article. In this scenario, you should consider using Azure SQL Data Sync instead.

  3. Hatem MAHBOULI (EXT) 20 Reputation points
    2024-02-14T09:46:16.3533333+00:00

    Thank you Oury for reaching out :) I was expecting a more elaborate answer about the security aspect of the Geo-replication between two different tenant. I was wondering if the data transfer between the databases is performed through the internet or on the Azure backbone for more security ? Thank you

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.