Share via

What are best security best practices to connect AKS with SQL Server?

Najam ul Saqib 340 Reputation points
2024-09-09T07:58:28.5733333+00:00

Hi,

I have an AKS cluster on Azure and one of the pod is connecting to the SQL server, the SQL server is also being consumed by a function app.

I dont want my SQL server to be exposed publicly, and I know private endpoint can be used between function app and SQL server but what can be done with AKS - SQL communication? I am amazed that no such recommendation is given by Defender for cloud.

The whole purpose of this activity is to reduce public exposure to SQL databases, and I see another feature with the name of "Service Connector", here's the docs: https://learn.microsoft.com/en-us/azure/service-connector/tutorial-python-aks-sql-database-connection-string?tabs=azure-portal How is this different from private endpoint and does it achieve the purpose here for us?

FYI, In my infrastructure the SQL server and AKS are not in same region. AKS is in West US 2 while SQL in East US and West US.

Azure SQL Database
SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
13,998 questions
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,146 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Amira Bedhiafi 26,186 Reputation points
    2024-09-09T21:53:42.8333333+00:00

    How can I securely connect AKS with SQL Server without exposing SQL publicly?

    To ensure that your SQL Server is not exposed publicly when connecting with AKS, the key is to avoid public IP access. Private endpoints provide a secure connection between your AKS cluster and SQL Server without requiring public internet exposure. A private endpoint allows you to connect via a private IP address in your virtual network, ensuring SQL Server remains invisible to the public internet.

    However, given that your SQL Server and AKS cluster are in different regions (AKS in West US 2 and SQL in East US and West US), you'll need to consider network peering. Cross-region VNet peering will allow the AKS cluster and SQL Server to communicate securely across regions via private endpoints.

    What can be done to secure AKS-SQL communication?

    1. Private Link and Private Endpoints: This method ensures SQL is only accessible through a private IP from within your virtual network. As mentioned, for AKS and SQL Server in different regions, you’ll need VNet peering to enable secure communication between the two. Ensure both VNets are appropriately configured with the necessary network peering, DNS resolution, and access policies.
    2. Azure Active Directory (AAD) Authentication: Use AAD for SQL Server authentication instead of SQL logins. This ensures that the communication between your AKS pods and the SQL Server uses AAD identities, which is much more secure and centralized for identity management.
    3. Managed Identity: Leverage managed identities for the AKS cluster. With managed identities, your AKS pods can authenticate to the SQL Server without the need to store credentials (such as connection strings with passwords) in the code or environment variables. This provides a secure way for AKS to access SQL Server.

    What is the difference between Service Connector and Private Endpoint?

    Service Connector and Private Endpoints serve different purposes in securing communication between services:

    • Private Endpoint: As discussed, a private endpoint uses a private IP address to connect to SQL Server within the virtual network. It completely eliminates the need for public internet access for the SQL Server.
    • Service Connector: This simplifies the connection process for AKS to securely connect to Azure SQL (or other services like Azure Storage). It abstracts away much of the complexity of network configuration, and in certain scenarios, it can create a secure connection without needing a private endpoint. However, unlike private endpoints, service connectors don't necessarily eliminate public exposure. You should evaluate if the Service Connector supports private link functionality to match your security requirements.

    In your case, since your SQL Server is in a different region from AKS, Private Endpoints with VNet Peering is likely the most secure approach to avoid public exposure and ensure secure, private communication. Service Connector may simplify the process but might not fully meet your strict requirements of minimizing public exposure across regions.

    Does Defender for Cloud provide recommendations for securing AKS to SQL?

    You mentioned that Azure Defender for Cloud does not provide a recommendation in this specific case. Defender for Cloud often focuses on identifying security vulnerabilities and misconfigurations but may not cover all specific scenarios, like cross-region AKS-SQL connections. For detailed configurations, it's essential to follow best practices, including private endpoints, VNet peering, AAD authentication, and managed identities for securing cross-service communications.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.