Windows Azure Security Control-acl

Source: Internet
Author: User

Because of the recent busy other things, so a long time did not write articles, today saw a customer sent an e-mail that is deployed on the azure my SQL Server has an exception connection information, so I found a little time to summarize, to share to the needs of the classmate reference study; 21 The capabilities of the connected Azure are still being updated, and the capabilities of global Azure have been updated a lot, compared to the 21st Century Connected Azure feature update is slow, so let's talk about the environment, there are two ways to deploy an environment on Azure: 1, The MySQL server is installed on an azure VM. 2, based on the Azure pass platform MySQL service. The deployment methods and principles of the two are very different, specifically, not much, regardless of the way the security control of the deployment, Microsoft is doing a good job, through the corresponding access control to improve security, of course, the MySQL service on Azure, in fact, Microsoft Update this feature is not long ago, only support SQL Server version, now has a good support MySQL database, and then we say the above security issues, in fact, Microsoft from the earliest SQL Server configuration, in order to ensure the security of data information, the configuration of the relevant database is a security configuration, For example, you can make access control (ACL) on Azure SQL Server database, so-called whitelist and blacklist, in fact, most of the rules of the service are uniform, the precedence of deny is higher than allow priority.

Endpoints on Azure do administrative ACLs we need to be aware that the specified endpoint can be managed ACLs, such as 2 or more endpoints under a VM, we need to select the specified endpoint and then click Manage ACL to do the management ACL operation for the specified endpoint.

Let's explain the environment in detail: for the first of these cases, if you are installing SQL Server or MySQL service within a VM after creating a new VM on Azure, how do you do security control, we need to configure the VM-based ACL configuration,

In this example,

Remember that all services deployed on an azure VM need to be open at the endpoint: we have Apache installed on the VM again for testing, so we need to add port 80

650) this.width=650; "title=" clip_image002 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image002" src= "http://s3.51cto.com/wyfs02/M00/82/6F/wKioL1dVMWSxRi9cAABg-4y2jvA686.jpg" height= "290"/>

We can access it via our web page

650) this.width=650; "title=" clip_image004 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image004" src= "http://s3.51cto.com/wyfs02/M01/82/70/wKiom1dVMF_BQB-kAADUbkWyzE0463.jpg" height= "345"/>

Open the VM---endpoints tab---Click HTTP endpoint--manage ACLs.

650) this.width=650; "title=" clip_image006 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image006" src= "http://s3.51cto.com/wyfs02/M01/82/6F/wKioL1dVMWjw78o2AABiOtgDCi4612.jpg" height= "322"/>

Action type: Allow, deny

650) this.width=650; "title=" clip_image008 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image008" src= "http://s3.51cto.com/wyfs02/M02/82/70/wKiom1dVMGPx7WI0AABguo5Jh-s170.jpg" height= "356"/>

Managing endpoint ACLs We need to be careful: There are two options in the operation:

Note: If you do not add any allow or deny lists, the default is to allow all arbitrary address subnet links to be accessed.

Allow: Allow the name of the whitelist, if the allowed ACL is added, as long as the allowed ACL subnet list can be linked access, in addition to the allowed subnets are all denied.

Deny: Deny is also a blacklist, add the Deny ACL list of subnets, except to be added to the deny subnet can be accessed.

So we need to add my global IP address in order to test access:

We first Test connectivity through Telnet server IP 80

650) this.width=650; "title=" clip_image010 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image010" src= "http://s3.51cto.com/wyfs02/M02/82/6F/wKioL1dVMWrxtA-mAAA61tsxC4U424.jpg" height= "213"/>

650) this.width=650; "title=" clip_image012 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image012" src= "http://s3.51cto.com/wyfs02/M00/82/70/wKiom1dVMGSjesgDAABXUm9I_0U769.jpg" height= "307"/>

You can also access it via the page:

650) this.width=650; "title=" clip_image014 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image014" src= "http://s3.51cto.com/wyfs02/M00/82/6F/wKioL1dVMWvhSwZ8AADdt0zbNoU936.jpg" height= "367"/>

Next we need to look at the global IP of my current network in order to test the ACL:

Access ip138.com via web page

650) this.width=650; "title=" clip_image016 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image016" src= "http://s3.51cto.com/wyfs02/M01/82/70/wKiom1dVMGbTUS3JAACgBgdQPBw929.jpg" height= "276"/>

Then we open the admin ACL under the endpoint under the VM, add the address

We added the Reject action again, and the effect was added that the other subnets could be accessed in addition to the subnets in the Deny list

650) this.width=650; "title=" clip_image018 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image018" src= "http://s3.51cto.com/wyfs02/M01/82/6F/wKioL1dVMW3Rpz0tAABf0mJR2_s676.jpg" height= "364"/>

650) this.width=650; "title=" clip_image020 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image020" src= "http://s3.51cto.com/wyfs02/M02/82/6F/wKioL1dVMW2jzGrJAABmGYcJMtk059.jpg" height= "288"/>

After the admin ACL is added, we try to access it, the webpage is inaccessible, and Telnet cannot access the

650) this.width=650; "title=" image "style=" border-top:0px;border-right:0px;background-image:none;border-bottom:0 px;padding-top:0px;padding-left:0px;border-left:0px;padding-right:0px; "border=" 0 "alt=" image "src=" http:// S3.51cto.com/wyfs02/m00/82/70/wkiom1dvmg_jn27caaejsew9zss399.png "height="/>

Telnet's not even a pass.

650) this.width=650; "title=" clip_image024 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;padding-right:0px, "border=" 0 "alt=" clip_ image024 "src=" http://s3.51cto.com/wyfs02/M00/82/70/wKiom1dVMHDCwiEkAABRJXFBwAE611.jpg "height=" 194 "/>

Then let's talk about the second scenario, if you're creating a SQL Server or MySQL service based on the pass service on Azure, it's easy to do so because you have ACL configuration options in Azure's SQL Server or MySQL security configuration. It is convenient to add only the global IP addresses that allow connections to the list of allowed access (by default, deny all deny).

We have created a MySQL database on azure

650) this.width=650; "title=" clip_image026 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image026" src= "http://s3.51cto.com/wyfs02/M01/82/70/wKiom1dVMHGRmwB-AABeNubUMrg458.jpg" height= "267"/>

650) this.width=650; "title=" clip_image028 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image028" src= "http://s3.51cto.com/wyfs02/M02/82/70/wKiom1dVMHHAuZATAABoXBR6QoA077.jpg" height= "310"/>

Click View details for this database

650) this.width=650; "title=" clip_image030 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image030" src= "http://s3.51cto.com/wyfs02/M00/82/6F/wKioL1dVMXiSs-_hAABIxHgcfhA601.jpg" height= "263"/>

Next we telnet the MySQL server

650) this.width=650; "title=" clip_image032 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image032" src= "http://s3.51cto.com/wyfs02/M01/82/70/wKiom1dVMHOhjbV7AABLH22PoR0131.jpg" height= "242"/>

Telnet found to be a normal connection.

650) this.width=650; "title=" clip_image034 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image034" src= "http://s3.51cto.com/wyfs02/M02/82/70/wKiom1dVMHOQi349AABGmfUeKbg925.jpg" height= "194"/>

We found that although the relevant service port can be telnet, it is not possible to connect using the related tools.

650) this.width=650; "title=" clip_image036 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image036" src= "http://s3.51cto.com/wyfs02/M00/82/70/wKiom1dVMHvzT_bqAABwe1lm0jY727.jpg" height= "" "/>

And then we'll look at the MySQL configuration.

There is an option to allow IP addresses

650) this.width=650; "title=" clip_image038 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image038" src= "http://s3.51cto.com/wyfs02/M00/82/6F/wKioL1dVMYXDYqT4AABc2jcwKys916.jpg" height= "/>"

The system will automatically see the user's outbound global IP address, so it is more convenient, we found that the default is can be connected, and then we arbitrarily add an IP address, to see if it is in my local can not connect properly;

Note: If you add a list of allowed access, you can access it all except by allowing access to an address other than the list. Let's try it;

After we add the client IP address of our current environment, save

650) this.width=650; "title=" clip_image040 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;margin:0px;padding-right:0px; "border=" 0 "alt = "clip_image040" src= "http://s3.51cto.com/wyfs02/M01/82/70/wKiom1dVMH_x--imAABxAYt8Gv0939.jpg" height= "302"/>

Once saved, we'll test it again with the tool, and the connection is OK.

650) this.width=650; "title=" clip_image042 "style=" border-top:0px;border-right:0px;background-image:none; border-bottom:0px;padding-top:0px;padding-left:0px;border-left:0px;padding-right:0px, "border=" 0 "alt=" clip_ image042 "src=" http://s3.51cto.com/wyfs02/M02/82/70/wKiom1dVMIDwRcUDAABxldmeK5A132.jpg "height=" 314 "/>

This article from "Gao Wenrong" blog, declined reprint!

Windows Azure Security Control-acl

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.