Lift and Shift Always On SQL Server Failover Cluster Instance (SQL FCI) to Azure VMs
Today, we are announcing two new features enabling lift and shift of Always On SQL server Failover Cluster instances (SQL FCI) from on-premises to Azure Virtual Machines: Distributed Network Name (DNN) for SQL FCI and Azure Shared Disks for SQL FCI.Announcing Performance Optimized Storage Configuration for SQL Server on Azure VMs with SQL VM RP
Today, we are excited to announce Performance Optimized Storage Configuration capabilities for the VM’s registered with SQL VM RP. This feature automates storage configuration according to performance best practices for SQL Server on Azure virtual machines through Azure Portal or Azure Quick start Templates when creating a SQL VM. Automated performance best practices include separating Data and Log files, cache configuration for premium disks hosting data and log files, support for Temp DB on local disk, support for Ultra disks to host data, log or Temp DB files and database engine only images. In this article, we will discuss each automated performance best practice in detail.SQL Server on Azure VM - Now with 30% better price-performance on the new Ebdsv5 VM series!
The new Ebdsv5 VM series in preview starting today offers the highest I/O throughput to core ratio in Azure and is ideal for SQL Server workloads and other I/O-heavy workloads like Oracle, Teradata, and SAS. Once the Ebdsv5 series is generally available we expect it to be the flagship Azure VM for SQL Server workloads.Benefit from Resource Provider registration when self-installing SQL Server on Azure Virtual Machine
If you choose to self-install SQL Server on Azure Virtual Machines instead of choosing a preconfigured pay-as-you-go or bring-your-own-license from the Azure Marketplace, there are two reasons why you should register your SQL VM with our Resource Provider today: Compliance – satisfy the Microsoft Product Terms requiring you to indicate to Microsoft when using Azure Hybrid Benefit. Feature benefits – unlock auto-patching, auto-backup, monitoring, and manageability capabilities, as well as licensing flexibility, when registering with SQL virtual machines with Resource Provider. Previously, these were only available to SQL VM images from the Azure Marketplace.Announcement: New Features and changes to SQL IaaS Agent Extension
SQL Server on Azure Virtual Machines is powered by the SQL IaaS Agent extension which provides many features that make managing your SQL Server easy. This blog will discuss new features and changes we’ve recently released in this extension. Retiring Modes: SQL IaaS Agent extension traditionally used to have two modes, Lightweight and Full mode. In the Lightweight mode, customers were able to do license management, whereas the Full mode offers all the other manageability features. This differentiation of modes made it tough for customers to adopt the manageability features that the SQL IaaS agent extension offers. To address this, starting today there will be no management modes for SQL IaaS agent extension. Going forward, customers register with the SQL IaaS Agent extension and enable the required features they would like for their SQL Server on Azure virtual machines. Based on the features selected, the SQL IaaS agent extension would assume only the permissions required on the SQL Server to enable those features. If no features are enabled, there will be no Windows services installed. Upon enabling a specific feature, the extension will create Windows services to perform the tasks required by the feature. Licensing mode changes do not require any Windows services and can be managed from the SQL VM (virtual machines) portal immediately after the SQL IaaS Agent extension is enabled. Announcing General Availability of AAD authentication for SQL Server on Azure VMs: AAD authentication is one of the most important features that is introduced in SQL Server 2022. Enabling this feature is easy when you run your workload on Azure VMs. Customers simply need to follow 3 steps to get this enabled. Choose the managed identity they would like to use to enable AAD authentication. Both system and user-managed identities are supported. Make sure the selected managed identity has the necessary permissions in AAD. Please follow the instructions mentioned here to give the required permission. Click on Apply to enable AAD authentication. With GA, Azure also will check whether required permissions were assigned to the managed identity selected before going ahead and starting the deployment, hence customers do not have to wait for the deployment to complete to validate whether the specified managed identity has the correct permissions. Auto upgrade of the SQL IaaS Agent extension: SQL IaaS agent extension adds new features and improvements over time and customers currently get these features through lazy upgrades. A lazy upgrade occurs whenever a customer interacts with SQL VM portal or through CLI. Customers often want to keep extensions in all their VMs on the same version. This new auto upgrade option will keep all the SQL VMs on the same version of extension by upgrading extension to the latest version every month. This is now a default feature for all the new VMs being deployed in Azure. VMs that are already deployed can take advantage of this by going to the SQL VM portal and going to SQL IaaS Agent Extension Settings page.SQL Server on Azure VMs - the best price-performance gets even better!
As we reflect on the past year and look toward what’s to come in 2023, we thought it would be a great time to call attention to all the innovations in the price-performance area for SQL Server on Azure Virtual Machines that came out this past year, and to announce we are starting the new year with a bang in the form of an all-new price-performance study from GigaOm!Intro - SQL Server Transparent Data Encryption and Extensible Key Management Using Azure Key Vault
Part - Intro of a 4-part blog series: Setting up Transparent Data Encryption (TDE) and EKM (Extensible Key Management) to use Azure Key Vault (AKV) can be a complex process which has been made even more challenging due to limited documentation, cryptic instructions and multiple steps using 4 different products: SQL Server Connector for Microsoft Azure Key Vault (aka: SQL Server Connector) Azure Active Directory (aka: AAD) Azure Key Vault (aka: AKV) SQL Server (SQL Server 2008 or later) However, this blog will attempt to make it easy to setup TDE and EKM using Azure Key Vault via either the Azure Portal or PowerShell and of course SQL Server (TSQL).
Managed Identity support for Azure Key Vault in SQL Server running on Linux
We are happy to announce that, you can now use Managed Identity to authenticate to Azure Key Vault from SQL Server running on Azure VM (Linux) available from SQL Server 2022 CU18 onwards. This blog will walk you through the process of using a user-assigned managed identity to access Azure Key Vault and configure Transparent Data Encryption(TDE) for a SQL database. Managed Identity: Microsoft Entra ID, formerly Azure Active Directory, provides an automatically managed identity to authenticate to any Azure service that supports Microsoft Entra authentication, such as Azure Key Vault, without exposing credentials in the code. Refer Managed identities for Azure resources - Managed identities for Azure resources | Microsoft Learn for more details. VM Setup and Prerequisites: Before diving into the setup, it's essential to ensure that your Azure Linux VM has SQL Server installed and that the VM has identities assigned with the necessary key vault permissions. Set up SQL Server running on Azure Linux VM. Refer SQL Server on RHEL VM in Azure: RHEL: Install SQL Server on Linux - SQL Server | Microsoft Learn, SQL Server on SLES VM in Azure: SUSE: Install SQL Server on Linux - SQL Server | Microsoft Learn, SQL Server on Ubuntu VM in Azure: Ubuntu: Install SQL Server on Linux - SQL Server | Microsoft Learn for more details. Create user-assigned Managed Identity. Refer https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal for more details. Go to Azure Linux VM resource in the Azure portal and click on Identity tab under security blade. Go to the User assigned tab in the right side panel and click on Add. Select the user-assigned managed identity and click on Add. Create a Key Vault and Keys. Refer Integrate Key Vault with SQL Server on Windows VMs in Azure (Resource Manager) - SQL Server on Azure VMs | Microsoft Learn for more details. Assign Key Vault Crypto Service Encryption User role to the user-assigned managed identity to perform wrap and unwrap operations. Go to the key vault resource that you created, and select the Access control (IAM)setting. Select Add> Add role assignment. Search for Key Vault Crypto Service Encryption User and select the role. Select Next. In the Members tab, select Managed identity option and click on Select members option, and then search for the user-assigned managed identity that you created in Step 3. Select the managed identity and then click on Select button. Setting the primary identity on Azure Linux VM To set the managed identity as the primary identity for Azure Linux VM, you can use the mssql-conf tool packaged with SQL Server. Here are the steps: Use the mssql-conf tool to manually set the primary identity. Run the following commands: sudo /opt/mssql/bin/mssql-conf set network.aadmsiclientid <client id of the managed identity> sudo /opt/mssql/bin/mssql-conf set network.aadprimarytenant <tenant id> 3. Restart the SQL Server: sudo systemctl restart mssql-server Enable TDE using EKM and managed identity: Refer Managed Identity Support for Extensible Key Management (EKM) with Azure Key Vault (AKV) - SQL Server on Azure VMs | Microsoft Learn for configuration steps for Azure Windows VM. These steps remain same for SQL Server running on an Azure Linux VM. 1.Enable EKM in SQL Server running on the Azure VM. 2.Create credential and encrypt the database. When using the CREATE CREDENTIAL command in this context, you only need to provide the 'Managed Identity' in the IDENTITY argument. Unlike earlier scenarios, you do not need to include a SECRET argument. This simplifies the process and enhances security by not requiring a secret to be passed. Conclusion: Using managed identity to access Azure Key Vault in SQL Server running on an Azure Linux VM boosts security, streamlines key management, and supports compliance. With data protection being paramount, Azure Key Vault’s integration along with managed identity offers a robust solution. Stay tuned for more insights on SQL Server on Linux! Official Documentation: Managed Identity Support for Extensible Key Management (EKM) with Azure Key Vault (AKV) - SQL Server on Azure VMs | Microsoft Learn Extensible Key Management using Azure Key Vault - SQL Server Setup Steps for Extensible Key Management Using the Azure Key Vault Azure Key Vault Integration for SQL Server on Azure VMs
