SQL server Advanced Data Security (ADS) and Storage Account

  • Question

  • Hi, I am trying to follow all the rules in the "Regulatory compliance" section of the Security Center but I found a conflict between rules that I can't solve.

    As asked by (I don't remember which rules) I turned on the "Advanced Data Security" feature on my Azure SQL Server. This tool needs a Storage Account, so I created a new Azure Storage Account to store the blobs.

    Now the problem: the Security Center says that I need to "Restrict access to storage accounts with firewall and virtual network configurations" but I can't do it because "Advanced Data Security" doesn't work with Storage Accounts behind firewalls (and this is not a trusted Microsoft service).

    This way I can't accomplish the ISO 27001 and the Azure CIS 1.1.0 standards.

    Any idea on how to solve this? Thanks in advance.

    Tuesday, June 11, 2019 1:44 PM

Answers

  • This scenario is unfortunately not yet supported and enabling SQL Vulnerability Assessment is not possible behind a storage firewall.  This feature is currently in development but no ETA has been made available.  You need to do either of these - 

    1) Give up on Storage Firewall protection (and disable the recommendation in the security policy to prevent it showing up) 
    or
    2) Give up on SQL VA.

    Tuesday, June 11, 2019 10:57 PM
    Moderator

All replies

  • Thanks for the answer.

    As a reference for the readers, I think that giving up on SQL VA is not an option.

    My way to approach the problem was to create a new Storage Account dedicated ONLY to storing the blobs for SQL VA. Secure that Storage with HTTPS only, Encryption, strict RBAC rules and so on... and I left it without a firewall (allow access from "All networks"). As I will ONLY store the blobs related to the SQL VA, I think that it is secure enough (at least for my purpose).

    After that, I edited the "Policy - Assignments" (the ones concerned) to exclude that specific Storage Account.

    And that's it.

    Wednesday, June 12, 2019 8:19 AM
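The reply above amounts to a compensating-control decision: the dedicated VA storage account stays open to "All networks", so everything else about it (secure transfer, TLS floor, no anonymous blob access, encryption at rest, a tag marking it as the dedicated VA store) has to be verified before it is excluded from the firewall policy assignment. The following is an added example, not code from the thread or from Microsoft, that audits storage account records and produces the list of resource ids that may be added to the policy assignment's exclusions. It assumes the input dicts are shaped like the JSON `az storage account show` returns (field names `enableHttpsTrafficOnly`, `minimumTlsVersion`, `allowBlobPublicAccess`, `encryption.services.blob.enabled`, `networkRuleSet.defaultAction`, `tags`), and it uses a constructed tag convention `purpose=sql-va` and constructed sample accounts with a placeholder subscription id.

```python
"""Audit the compensating controls on a storage account that must stay
reachable from 'All networks' because SQL Vulnerability Assessment (VA)
cannot write to an account behind the storage firewall.

Assumptions (not from the original thread): input dicts follow the shape of
`az storage account show` JSON, and a dedicated VA account is marked with the
constructed tag purpose=sql-va.
"""
from typing import Dict, List

# Constructed tag convention marking an account as the dedicated SQL VA blob store.
DEDICATED_TAG = ("purpose", "sql-va")


def is_dedicated_va_store(acct: Dict) -> bool:
    """True when the account carries the (assumed) dedicated-VA tag."""
    tags = acct.get("tags") or {}
    return tags.get(DEDICATED_TAG[0]) == DEDICATED_TAG[1]


def audit_va_storage_account(acct: Dict) -> List[str]:
    """Return findings for one account; an empty list means it is acceptable."""
    name = acct.get("name", "<unnamed>")
    findings: List[str] = []

    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append(f"{name}: 'Secure transfer required' (HTTPS only) is off")
    if acct.get("minimumTlsVersion") != "TLS1_2":
        findings.append(f"{name}: minimum TLS version is not TLS1_2")
    if acct.get("allowBlobPublicAccess", True):
        findings.append(f"{name}: anonymous (public) blob access is allowed")

    blob_enc = acct.get("encryption", {}).get("services", {}).get("blob", {})
    if not blob_enc.get("enabled", False):
        findings.append(f"{name}: blob encryption at rest is not enabled")

    # An open firewall is tolerated only on the account that exists solely for VA blobs.
    default_action = acct.get("networkRuleSet", {}).get("defaultAction")
    if default_action == "Allow" and not is_dedicated_va_store(acct):
        findings.append(
            f"{name}: storage firewall allows all networks but the account "
            f"is not tagged as a dedicated SQL VA store"
        )
    elif default_action not in ("Allow", "Deny"):
        findings.append(f"{name}: networkRuleSet.defaultAction is missing")

    return findings


def policy_not_scopes(accounts: List[Dict]) -> List[str]:
    """Resource ids that may be excluded from the storage-firewall policy
    assignment: dedicated VA stores with no other findings."""
    return [
        a["id"] for a in accounts
        if is_dedicated_va_store(a) and not audit_va_storage_account(a)
    ]


# Constructed sample input (placeholder subscription id) in the shape of
# `az storage account show` output.
_SUB = "/subscriptions/<subscription-id>/resourceGroups/rg-sql/providers/Microsoft.Storage/storageAccounts/"
SAMPLE_ACCOUNTS = [
    {   # dedicated VA store: open firewall, but every other control in place
        "id": _SUB + "stsqlva001",
        "name": "stsqlva001",
        "enableHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": False,
        "encryption": {"services": {"blob": {"enabled": True}}},
        "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices"},
        "tags": {"purpose": "sql-va"},
    },
    {   # general-purpose account: open firewall and HTTP allowed, not dedicated
        "id": _SUB + "stappdata001",
        "name": "stappdata001",
        "enableHttpsTrafficOnly": False,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": False,
        "encryption": {"services": {"blob": {"enabled": True}}},
        "networkRuleSet": {"defaultAction": "Allow", "bypass": "AzureServices"},
        "tags": {"purpose": "app-data"},
    },
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        for finding in audit_va_storage_account(acct) or [f"{acct['name']}: OK"]:
            print(finding)
    print("policy exclusions:", policy_not_scopes(SAMPLE_ACCOUNTS))
```

Run it against the output of `az storage account list` for the subscription: only the accounts that come back from `policy_not_scopes` belong in the assignment's exclusion list; anything else with an open firewall is a real finding, not a VA exception.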