Fast Start for Microsoft Azure - SQL Server IaaS Workshop Section 6 Provision and Manage SQL Server Azure VM
Student Lab Manual
Version 1.0
© 2015 Microsoft Corporation
Conditions and Terms of Use
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
© 2015 Microsoft Corporation. All rights reserved.
Copyright and Trademarks
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at https://www.microsoft.com/en-in/legal/Copyright/Default.aspx
Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Contents
Lab 1: SQL Server Deployment using ARM Model
  Exercise 1: Deploy SQL Server Azure VM from Template (page 6)
Lab 2: Connect to SQL Server IaaS Instance from Public Internet
  Configure the Firewall (page 15)
  Create a SQL Login Test with sysadmin Rights (page 15)
  Configure Network Security Group Inbound Rule for VM (page 15)
  Configure a DNS Label for the Public IP Address (page 17)
Configure TDE using Azure Vault
  Install Azure PowerShell on Workstation (page 18)
  Create an Azure Vault and Key (page 18)
  Create an Application in Azure AD and Configure the ClientID (page 19)
  Map the Client with the Vault (page 19)
  Install and Enable EKM (page 19)
  Configure Transparent Data Encryption using TDE (page 20)
6 FastStart SQL Server Azure VM – Deploy and Manager RM VM
Lab 1: SQL Server Deployment using ARM Model
Introduction
This lab provides guidance on how to provision an Azure virtual machine in the portal using the Azure Resource Manager (ARM) model and configure SQL Server from a template in the Azure gallery.
Objectives
After completing this lab, you will be able to:
Deploy SQL Server VM using ARM Model
Estimated time to complete this lab
45 minutes
Exercise 1: Deploy SQL Server Azure VM from Template
Objectives
In this exercise, you deploy a SQL Server VM from the Azure gallery using the Azure Resource Manager deployment model.
Task 1: Create Azure Microsoft Storage Objects
1. Access the Microsoft Azure portal (http://portal.azure.com)
Log in to the Microsoft Azure portal using your account. If you do not have a Microsoft Azure account, visit the Microsoft Azure 3-month free trial.
2. The next step is to spin up a new Azure virtual machine. Several templates are available in the Marketplace; you can use one of the templates from the gallery to build the SQL Server VM.
Go to New > Compute and select SQL Server 2014 Enterprise Edition on Windows Server 2012 R2.
Ensure that Resource Manager is selected under Select a deployment model and click Create.
3. In the portal, there are several configuration options, as shown in the image below. The options relate to the size, type, server and SQL Server configuration.
4. The first option is Basics, which has a few mandatory fields. The configuration parameters are:
Name: a unique server\VM name. Name the server TestVM.
User name: enter Testadmin in the User name field. This becomes the administrator account in the VM.
Password: a strong password for the admin account. This account is a local administrator that becomes reachable over RDP as soon as the VM has a public IP address, so use a long, unique password.
Subscription: the Azure subscription that will be used for this VM. Billing and charges are applied to this subscription. Note: one account can have multiple subscriptions.
Resource group: provide the resource group name TESTRG1. You can specify a new resource group name or use an existing one. A resource group is a collection of related resources in Azure.
Location: the region or data center that will host the VM. Select the location closest to you.
5. Under Size, choose a virtual machine size. The Azure portal will display recommended sizes. You can select “View All” to choose a VM size apart from the recommended sizes.
The portal displays the capacity of each listed VM size (CPU, memory and so on), the features it supports and the estimated monthly cost to run it. Select View All and choose the DS2 size.
6. On the Create Virtual Machine blade under Settings, configure Azure storage, networking and monitoring for the virtual machine.
Storage: specify a disk type. Premium storage is recommended for production workloads, so select Premium.
Storage account: you can either accept the automatically provisioned storage account name, or click Storage account to choose an existing account and configure the storage account type.
In this lab, provide a unique storage account name.
By default, Azure creates a new storage account with locally redundant storage, which keeps three copies of the data within the local site. Give the storage account a name that identifies its purpose.
Network: use the default values provided by Azure.
You can accept the automatically populated values, or click each item to configure the virtual network, subnet, public IP address and network security group.
Monitoring: Azure enables monitoring by default, using the same storage account designated for the VM. Currently, monitoring data can be stored in standard storage only.
Continue with the new storage account proposed in the portal.
Availability set: specify an availability set. In this lab, set it to None.
7. Configure SQL Server
SQL Connectivity: choose Private (within Virtual Network).
There are three options for SQL connectivity:
Public (internet): allow connections to SQL Server from machines or services on the internet.
Local (inside VM only): allow connections to SQL Server only from within the VM.
Private (within Virtual Network): allow connections to SQL Server from machines or services in the same virtual network.
For SQL Server, the application or web server usually connects to SQL Server, and SQL Server itself is not directly exposed to the internet.
Port: continue with the default 1433.
Authentication: the Azure VM is configured with Windows authentication only. You can enable SQL authentication and provide a SQL login and password; the login is created with sysadmin rights, so its password deserves the same care as the VM administrator's. Click Enabled and the portal populates the same user name and password that were provided in the Basics section.
Storage configuration: select your desired performance, storage size and workload to optimize the storage on your virtual machine.
With the default selection, Azure optimizes the storage for 5000 IOPS, 200 MB/s and 1 TB of storage space.
Move the sliders to see how the portal recalculates the IOPS, throughput and size values.
Under Storage optimized for, select Transactional processing.
General is the default setting and supports most workloads.
Transactional processing optimizes the storage for traditional OLTP database workloads.
Data warehousing optimizes the storage for analytic and reporting workloads.
Patching
SQL automated patching is enabled by default.
Automated patching allows Azure to automatically patch SQL Server and the operating system. Specify a day of the week, time, and duration for a maintenance window. Azure will perform patching in the maintenance window. The maintenance window schedule uses the VM locale for time.
Backup:
Enable automatic database backups for all databases under SQL automated backup.
Set the backup retention to 7 days and leave the remaining settings at their defaults.
Key Vault Integration
This option stores the keys SQL Server uses for encryption in Azure Key Vault. Select Disable for now; the Configure TDE using Azure Vault section of this manual sets up the Key Vault integration manually.
8. Review the settings and click OK to create the VM.
It takes around 15 minutes to create the Azure VM using the Resource Manager model. Once the VM is created, you can connect to it using RDP.
Lab 2: Connect to SQL Server IaaS instance from public internet
Configure the firewall
Open Windows Firewall with Advanced Security (wf.msc) on the VM and create an inbound rule that allows access to port 1433.
Click Inbound Rules > New Rule and select the following settings:
Rule Type: Port
Protocol and Ports: Protocol = TCP, Specific local ports = 1433
Action: Allow the connection
Profile: Domain, Private, Public
Name: SQLServer
As written, the rule accepts connections from any remote address. Outside the lab, restrict it on the rule's Scope tab (Remote IP address) to the addresses that actually need SQL access.
Create a SQL Login Test with sysadmin rights
Configure Network Security Group inbound rule for VM
In the portal, select Virtual machines, and then select the SQL Server VM.
Click the All settings link. Expand Network interfaces, then select the network interface for the VM.
Select the Network Security Group, then select Settings > Inbound security rules.
Add an inbound security rule with the following values:
Name: SQLServer
Priority: 1500
Source: Any
Protocol: TCP
Source port range: *
Destination: Any
Destination port range: 1433
Action: Allow
A source of Any exposes port 1433 to the whole internet, which is what this lab intends. In a real deployment, set the source to the CIDR range of the clients that must reach SQL Server.
Configure a DNS label for the public IP address
In the virtual machine blade, select your public IP address. In the properties for the public IP address, expand Configuration and set the following DNS configuration:
Assignment: Static
DNS name: a unique DNS name label
Connect to the SQL instance as <DNSLabel>.<location>.cloudapp.azure.com,1433 (the middle label is the Azure region of the VM, for example eastus) using the SQL login with sysadmin rights. Because a sysadmin password crosses the internet on this connection, request an encrypted connection from the client (Encrypt connection in the SSMS connection options) rather than relying on the default.
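The whole of Lab 2 scripted in PowerShell, as an added example that is not part of the lab manual. It differs from the portal steps in one security-relevant way: the Windows Firewall rule and the NSG rule are scoped to the caller's address instead of Any. Assumed names that do not appear in the lab: the admin workstation address 203.0.113.10/32, the portal-generated NSG and public IP names TestVM-nsg and TestVM-ip, the DNS label testvm-lab-01, and the SQL login name Test. The functions under "run on the VM" use the NetSecurity and SQLPS modules present on the SQL Server 2014 image; the others run from the workstation after Login-AzureRmAccount.

```powershell
#Requires -Version 4.0
# Added example; every assumed name is flagged in the comments.

# ---------- Run on the VM (elevated RDP session) ----------

function Enable-SqlFirewallRule {
    param(
        # Addresses allowed to reach SQL Server; 'Any' reproduces the lab's unscoped rule.
        [Parameter(Mandatory)][string[]]$RemoteAddress,
        [int]$Port = 1433
    )
    New-NetFirewallRule -DisplayName 'SQLServer' -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress $RemoteAddress -Action Allow `
        -Profile Domain,Private,Public | Out-Null
    # Check that the Database Engine is listening before opening anything further out.
    $listening = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listening) { throw "Nothing listens on TCP $Port; enable TCP/IP in SQL Server Configuration Manager." }
}

function New-SqlSysadminLogin {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Password)
    Import-Module SQLPS -DisableNameChecking
    $escaped = $Password -replace "'", "''"      # a quote in the password must not break the statement
    # CHECK_POLICY applies the Windows password policy to the SQL login.
    $tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Name')
    CREATE LOGIN [$Name] WITH PASSWORD = N'$escaped', CHECK_POLICY = ON;
ALTER SERVER ROLE sysadmin ADD MEMBER [$Name];
"@
    Invoke-Sqlcmd -ServerInstance 'localhost' -Database master -Query $tsql
}

# ---------- Run from the workstation (after Login-AzureRmAccount) ----------

function Add-SqlNsgRule {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$NsgName,
        [Parameter(Mandatory)][string]$SourceAddressPrefix,   # a CIDR; the lab's Any would be '*'
        [int]$Priority = 1500
    )
    $nsg = Get-AzureRmNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName
    $nsg = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'SQLServer' `
        -Priority $Priority -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $SourceAddressPrefix -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 1433
    Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
}

function Set-PublicIpDnsLabel {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$PublicIpName,
        [Parameter(Mandatory)][string]$DnsLabel
    )
    $pip = Get-AzureRmPublicIpAddress -Name $PublicIpName -ResourceGroupName $ResourceGroupName
    $pip.PublicIpAllocationMethod = 'Static'
    if (-not $pip.DnsSettings) {
        $pip.DnsSettings = New-Object Microsoft.Azure.Commands.Network.Models.PSPublicIpAddressDnsSettings
    }
    $pip.DnsSettings.DomainNameLabel = $DnsLabel
    Set-AzureRmPublicIpAddress -PublicIpAddress $pip | Out-Null
    # Returns <label>.<location>.cloudapp.azure.com
    (Get-AzureRmPublicIpAddress -Name $PublicIpName -ResourceGroupName $ResourceGroupName).DnsSettings.Fqdn
}

function Test-SqlEndpoint {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][pscredential]$SqlCredential
    )
    # Reachability first, so an NSG or firewall problem is not mistaken for a login problem.
    if (-not (Test-NetConnection -ComputerName $Fqdn -Port 1433).TcpTestSucceeded) {
        throw "TCP 1433 to $Fqdn is blocked (NSG or Windows Firewall)."
    }
    Import-Module SQLPS -DisableNameChecking
    # A sysadmin password crosses the internet here, so ask for an encrypted connection.
    # Caveat: the image's self-signed certificate does not validate on the client; install a
    # certificate the client trusts on the VM, or this call fails on the certificate check.
    Invoke-Sqlcmd -ServerInstance "$Fqdn,1433" -EncryptConnection `
        -Username $SqlCredential.UserName -Password $SqlCredential.GetNetworkCredential().Password `
        -Query 'SELECT net_transport, encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
}

# Usage on the VM:
#   Enable-SqlFirewallRule -RemoteAddress '203.0.113.10/32'        # assumed admin address
#   New-SqlSysadminLogin -Name 'Test' -Password (Read-Host 'SQL login password')
# Usage from the workstation (assumed resource names):
#   Add-SqlNsgRule -ResourceGroupName 'TESTRG1' -NsgName 'TestVM-nsg' -SourceAddressPrefix '203.0.113.10/32'
#   $fqdn = Set-PublicIpDnsLabel -ResourceGroupName 'TESTRG1' -PublicIpName 'TestVM-ip' -DnsLabel 'testvm-lab-01'
#   Test-SqlEndpoint -Fqdn $fqdn -SqlCredential (Get-Credential -UserName 'Test' -Message 'SQL login')
```

The final query returns encrypt_option = TRUE only when the session really is encrypted; if the connection fails at the certificate check, the remedy is a trusted certificate on the VM, not dropping -EncryptConnection.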
Configure TDE using Azure Vault
Install Azure PowerShell on Workstation
From the laptop\workstation, open the PowerShell ISE with the Run as administrator option and run the following commands (Install-Module requires PowerShellGet, which ships with Windows Management Framework 5.0):
# Install the Azure Resource Manager modules from the PowerShell Gallery
Install-Module AzureRM
Install-AzureRM
# Install the Azure Service Management module from the PowerShell Gallery
Install-Module Azure
# Import AzureRM modules for the given version manifest in the AzureRM module
Import-AzureRM
# Import the Azure Service Management module
Import-Module Azure
This will take a few minutes to complete. It is a good time to take a break if you have not installed the modules previously.
Create an Azure Vault and Key
Connect to the Azure subscription:
Login-AzureRmAccount
Copy the SubscriptionId from the output, substitute it for XXXXXX below, and create the vault:
Set-AzureRmContext -SubscriptionId XXXXXX
New-AzureRmKeyVault -VaultName 'TestVault123' -ResourceGroupName 'TestVault' -Location 'East US'
This creates an Azure Resource Manager key vault named TestVault123 in the existing resource group TestVault (create the group first with New-AzureRmResourceGroup if it does not exist). You can change the vault name, resource group name and location as you wish.
$key = Add-AzureKeyVaultKey -VaultName '<vaultName>' -Name 'TestKey123' -Destination 'Software'
This creates a key named TestKey123. List the keys in the vault to confirm it:
Get-AzureKeyVaultKey -VaultName '<vaultName>'
Note down the vault URI (https://<vaultName>.vault.azure.net/, shown as VaultUri by Get-AzureRmKeyVault -VaultName '<vaultName>' and as the prefix of each key Id).
Create an Application in Azure AD and configure the ClientID
Log in to the classic portal (https://manage.windowsazure.com). Go to Active Directory, select the default Azure Active Directory, go to Applications and click Add. Provide the following:
Name: AzureVaultTest
Type: Web Application and/or Web API
Sign-on URL: the vault URI
App ID URI: the vault URI
Select the application AzureVaultTest and click the Configure tab. Under Keys, select a duration of 1 year and click Save. Note down the Client ID and the key: the key value is displayed only once, immediately after saving, and cannot be retrieved later.
Map the Client with the Vault
Map the ClientID with the vault:
Set-AzureRmKeyVaultAccessPolicy -VaultName 'testvault123' -ServicePrincipalName <ClientID> -PermissionsToKeys decrypt,sign,wrapKey,unwrapKey,get,list,create
Replace the vault name and the ServicePrincipalName value with your vault name and Client ID. For the TDE path in this lab (an existing vault key opened with OPEN_EXISTING), the permissions get, list, wrapKey and unwrapKey are sufficient; grant create, sign and decrypt only if SQL Server must also create keys in the vault or use them for signing and decryption.
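The vault, key, Azure AD application and access policy created end to end from PowerShell, as an added example that is not part of the lab manual; it replaces the classic-portal step with New-AzureRmADApplication and grants only the four key permissions the TDE path needs. Assumed values (the lab's where it has them): vault TestVault123 in resource group TestVault in East US, key TestKey123, application display name AzureVaultTest; the script runs as the subscription owner after Login-AzureRmAccount.

```powershell
# Added example; assumed names are the defaults below and can be overridden.

function New-EkmKeyVaultSetup {
    param(
        [string]$VaultName         = 'TestVault123',
        [string]$ResourceGroupName = 'TestVault',
        [string]$Location          = 'East US',
        [string]$KeyName           = 'TestKey123',
        [string]$AppName           = 'AzureVaultTest'
    )
    # 1. Vault. New-AzureRmKeyVault needs an existing resource group.
    if (-not (Get-AzureRmResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue)) {
        New-AzureRmResourceGroup -Name $ResourceGroupName -Location $Location | Out-Null
    }
    $vault = New-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName -Location $Location

    # 2. Key. 'Software' matches the lab; 'HSM' keeps the key material in an HSM (Premium vault SKU).
    $key = Add-AzureKeyVaultKey -VaultName $VaultName -Name $KeyName -Destination 'Software'

    # 3. Azure AD application and service principal. The client secret is generated here
    #    instead of copied from the portal; like the portal key it is shown once, so store it safely.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $clientSecret = [Convert]::ToBase64String($bytes)
    # Caveat: AzureRM releases much newer than the lab's (6.x and later) expect -Password as a SecureString.
    $app = New-AzureRmADApplication -DisplayName $AppName -HomePage $vault.VaultUri `
        -IdentifierUris $vault.VaultUri -Password $clientSecret
    New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId | Out-Null
    Start-Sleep -Seconds 20     # directory replication; retry the next step if it cannot resolve the principal

    # 4. Access policy, least privilege for TDE with an existing key: wrapKey/unwrapKey protect the
    #    database encryption key, get/list let the connector find the key. No decrypt, sign or create.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $app.ApplicationId `
        -PermissionsToKeys get,list,wrapKey,unwrapKey

    # 5. The EKM credential SECRET is the client ID with hyphens removed, followed by the client secret.
    $ekmSecret = $app.ApplicationId.ToString('N') + $clientSecret

    [pscustomobject]@{
        VaultUri  = $vault.VaultUri
        KeyId     = $key.Id
        ClientId  = $app.ApplicationId
        EkmSecret = $ekmSecret
        # Ready-to-run statement for the "Create Credential" step on the VM.
        Tsql      = "CREATE CREDENTIAL sysadmin_ekm_cred WITH IDENTITY = '$VaultName', SECRET = '$ekmSecret' FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;"
    }
}

# Usage: $setup = New-EkmKeyVaultSetup; $setup.Tsql
```

The returned Tsql string contains the secret in clear; paste it into the SQL session on the VM and do not write it to a script file or log.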
Install and Enable EKM
Install the EKM Connector
Download the SQL Server Connector for Microsoft Azure Key Vault and install it on the Azure VM: https://www.microsoft.com/en-us/download/details.aspx?id=45344
Enable EKM in SQL Server
USE master;
GO
sp_configure 'show advanced options', 1 ;
GO
RECONFIGURE ;
GO
--Enable EKM provider
sp_configure 'EKM provider enabled', 1 ;
GO
RECONFIGURE ;
GO
Create the provider
CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov FROM FILE = 'C:\Program Files\SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';
Configure Transparent Data Encryption using TDE
Create a database Test
USE master;
GO
CREATE DATABASE Test;
GO
Create Credential
-- IDENTITY is the vault name. SECRET is the application's Client ID with the hyphens removed,
-- immediately followed by the key (client secret) from the Azure AD application.
USE master;
CREATE CREDENTIAL sysadmin_ekm_cred WITH IDENTITY = '<VaultName>', SECRET = '<Secret>' FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
GO
Add the credential to the SQL Server administrator's login (the account that will create the asymmetric key):
ALTER LOGIN [<installation account>] ADD CREDENTIAL sysadmin_ekm_cred;
GO
Create Asymmetric Key
-- OPEN_EXISTING binds to the key already created in the vault (TestKey123).
-- Run this as the login that holds sysadmin_ekm_cred.
CREATE ASYMMETRIC KEY CONTOSO_KEY FROM PROVIDER [AzureKeyVault_EKM_Prov] WITH PROVIDER_KEY_NAME = 'TestKey123', CREATION_DISPOSITION = OPEN_EXISTING;
GO
Enable Transparent Data Encryption
-- A second credential with the same vault name and secret, for the login the Database Engine
-- uses to reach the vault when it loads an encrypted database.
USE master;
CREATE CREDENTIAL Azure_EKM_TDE_cred WITH IDENTITY = 'testvault123', SECRET = '<Secret>' FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
GO
-- Create a SQL Server login associated with the asymmetric key for the Database Engine
-- to use when it loads a database encrypted by TDE.
CREATE LOGIN TDE_Login FROM ASYMMETRIC KEY CONTOSO_KEY;
GO
-- Add the credential to the TDE login so the Database Engine can access the key vault.
ALTER LOGIN TDE_Login ADD CREDENTIAL Azure_EKM_TDE_cred;
GO
-- The database encryption key belongs to the user database, so switch context before creating it
-- (creating it in master fails).
USE Test;
GO
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_128 ENCRYPTION BY SERVER ASYMMETRIC KEY CONTOSO_KEY;
GO
-- Enable transparent data encryption.
ALTER DATABASE Test SET ENCRYPTION ON;
GO
AES_128 follows the lab; for a new deployment AES_256 is the stronger choice and costs nothing extra to configure.
Verify the result. An encryption_state of 3 means the database is encrypted; 2 means encryption is still in progress (tempdb is encrypted automatically as soon as any user database is):
SELECT DB_NAME(database_id) AS database_name, encryption_state, key_algorithm, key_length, encryptor_type, percent_complete FROM sys.dm_database_encryption_keys;
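A verification function for the TDE step, added here as an example that is not part of the lab manual. It reads sys.dm_database_encryption_keys, translates encryption_state into words, and confirms that the database encryption key is protected by the EKM-backed asymmetric key (provider_type = CRYPTOGRAPHIC PROVIDER) rather than by a local certificate. Assumptions not in the lab: SQLPS is available where the function runs, the database is Test, and the caller holds VIEW SERVER STATE (the sysadmin login from Lab 2 does).

```powershell
# Added example; assumed defaults are 'localhost' and the lab database 'Test'.

function Get-TdeStatus {
    param(
        [string]$ServerInstance = 'localhost',
        [string]$Database       = 'Test',
        [pscredential]$SqlCredential      # omit to use Windows authentication
    )
    Import-Module SQLPS -DisableNameChecking
    # Meanings of encryption_state, from the sys.dm_database_encryption_keys documentation.
    $states = @{ 0 = 'No database encryption key present'; 1 = 'Unencrypted'; 2 = 'Encryption in progress'
                 3 = 'Encrypted'; 4 = 'Key change in progress'; 5 = 'Decryption in progress'
                 6 = 'Protection change in progress' }
    # tempdb is included deliberately: SQL Server encrypts it as soon as any user database is.
    $query = @"
SELECT DB_NAME(k.database_id) AS database_name, k.encryption_state, k.key_algorithm, k.key_length,
       k.encryptor_type, k.percent_complete, ak.name AS encryptor_name, ak.provider_type
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.asymmetric_keys AS ak ON ak.thumbprint = k.encryptor_thumbprint
WHERE k.database_id IN (DB_ID(N'$Database'), DB_ID(N'tempdb'));
"@
    $params = @{ ServerInstance = $ServerInstance; Database = 'master'; Query = $query }
    if ($SqlCredential) {
        $params.Username = $SqlCredential.UserName
        $params.Password = $SqlCredential.GetNetworkCredential().Password
    }
    foreach ($row in Invoke-Sqlcmd @params) {
        # True only when the DEK is wrapped by an asymmetric key that lives in an EKM provider.
        $ekmProtected = ($row.encryptor_type -eq 'ASYMMETRIC KEY') -and ($row.provider_type -eq 'CRYPTOGRAPHIC PROVIDER')
        $warning = $null
        if ([int]$row.key_length -eq 128) { $warning = 'AES_128 follows the lab; prefer AES_256' }
        [pscustomobject]@{
            Database     = $row.database_name
            State        = $states[[int]$row.encryption_state]
            Algorithm    = "$($row.key_algorithm)_$($row.key_length)"
            Encryptor    = $row.encryptor_name
            EkmProtected = $ekmProtected
            PercentDone  = $row.percent_complete
            Warning      = $warning
        }
    }
}

# Usage:
#   Get-TdeStatus                                      # Windows authentication on the VM
#   Get-TdeStatus -ServerInstance 'testvm-lab-01.eastus.cloudapp.azure.com,1433' -SqlCredential (Get-Credential Test)
```

Expect State = Encrypted and EkmProtected = True for both Test and tempdb once the ALTER DATABASE has finished; an EkmProtected of False means the DEK was created against a certificate or a locally stored asymmetric key, so the data is not protected by the vault key.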