Allow only encrypted connection to Azure SQL Server

Jan Vávra 446

Hello,
is there a setup on Azure Sql Server thath permits only enrypted connection ?
I was horrified to find out my SSMS is using an unecrypted connection from my laptop to azure because the checkbox value is remembered from previous connection to a local sql server.

Is it a good practice to connect to Azure Sql Server via the Internet with only source ips restricted ?
I've tried a ssh tunnels through a Linux VM in azure but it is not working.
Should I rather setup a VPN server on a VM machine ? Do you recommend any VPN server software on Linux that would be connected from Windows desktops ?

Is there a best practice documentation pointing this issue? Eg. Use only Virtual Private Network to connect to Azure SQL and VPN.

Jan.

Anurag Sharma 17,636 Reputation points

2020-12-29T07:38:18.67+00:00

@Jan Vávra , please let us know if the answers helped you or you need more information on the same. if they helped you can mark them as 'Accept Answer'.

Answer accepted by question author

Alberto Morillo 35,406 Reputation points MVP Volunteer Moderator

2020-12-29T15:06:45.617+00:00
All connections coming from SSMS to Azure SQL are encrypted even if the you don't set "Encrypt connection" setting on. Azuire SQL Database only allows encrypted connections.

When a client first attempts a connection to SQL Azure, it sends an initial connection request. Consider this a "pre-pre-connection" request. At this point the client does not know if SSL/Encryption is required and waits an answer from SQL Server/SQL Azure to determine if SSL is indeed required throughout the session (not just the login sequence, the entire connection session). A bit is set on the response indicating so. Then the client library disconnects and reconnects armed with this information.

When you set "Encrypt connection" setting on SSMS you avoid the "pre-pre-connection", you are preventing any proxy from turning off the encryption bit on the client side of the proxy, this way attacks like man-in-the-middle attack are avoided.

When secure connections are needed, please enable "Encrypt connection" setting.

You can run the following command to verify all connections to Azure SQL are encrypted:

select * from sys.dm_exec_connections.
Please sign in to rate this answer.

2 people found this answer helpful.
Poul Christensen 21 Reputation points

2021-10-06T05:49:10.1+00:00

How come I have these then?

I'm not sure where these <name-pipes> connections come from in thie Azure SQL server setup. All connections comming from an IP adress is encrypted.
Maybe from app services using private link on "local" subnets?

The column with TRUE/FALSE is the encrypt_option

David Browne - msft 3,851 Reputation points

2021-10-06T17:04:41.88+00:00

I see them too. NTLM connections over Named Pipes connected to Master. The original_login_name for them is NT AUTHORITY\SYSTEM or DB31\WF-WOWTAjpVw9Z2HnB Azure SQL Database does not support client connections using either of those options, so these connections are originating on the server hosting the SQL Server instance.

So probably Azure-specific monitoring and management agents.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Your answer

Share via

Allow only encrypted connection to Azure SQL Server

5 additional answers

Your answer