Enabling Azure Key Vault for SQL Server on Linux
Enhancing security with EKM using Azure Key Vault in SQL Server on Linux

We're excited to announce that Extensible Key Management (EKM) using Azure Key Vault in SQL Server on Linux is generally available from SQL Server 2022 CU12 onwards. EKM lets you keep the asymmetric key that protects your Transparent Data Encryption (TDE) key hierarchy outside SQL Server, in Azure Key Vault, instead of as a certificate on the SQL Server host. In this blog post, we'll explore how to use Azure Key Vault as an EKM provider for SQL Server on Linux.

Azure Key Vault: the bridge to enhanced security

Azure Key Vault is a cloud-based service that securely stores keys, secrets, and certificates. By integrating Azure Key Vault with SQL Server, you benefit from its scalability, high performance, and high availability, and the private key never leaves the vault: SQL Server asks Key Vault to wrap and unwrap the database encryption key rather than holding the asymmetric private key itself, so a copy of the database files, or of the host, is not enough to decrypt the data. Refer to Set up Transparent Data Encryption (TDE) Extensible Key Management with Azure Key Vault - SQL Server | Microsoft Learn for more details.

Setting up EKM with Azure Key Vault

Here's a streamlined version of the setup process for EKM with Azure Key Vault on SQL Server for Linux:

1. Initialize a Microsoft Entra service principal.
2. Establish an Azure Key Vault.
3. Set up SQL Server for EKM and register the SQL Server Connector.
4. Finalize SQL Server configuration.

The full guide for setting up AKV with SQL Server is available here: Set up Transparent Data Encryption (TDE) Extensible Key Management with Azure Key Vault - SQL Server | Microsoft Learn. For SQL Server on Linux, omit steps 3 and 4 of that guide and proceed directly to step 5. The SQL Server side of the configuration is done in T-SQL: enable EKM in SQL Server, register the SQL Server Connector as the EKM provider, create a credential for the service principal, surface the vault key as an asymmetric key, and create the database encryption key under it.

Please note: SQL Server does not rotate the TDE certificate or asymmetric key automatically; you must rotate it manually. Regular key rotation is essential for maintaining security and effective key management.

Conclusion

Using Azure Key Vault for EKM with SQL Server on Linux boosts security, streamlines key management, and supports compliance.
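The T-SQL for the SQL Server side of that setup, as an added example that is not part of the original post (the post showed these commands as screenshots). The vault name ContosoEKMKeyVault, key names ContosoRSAKey0 and ContosoRSAKey1, the service principal client ID and secret, the login sqladmin and the database ContosoDatabase are placeholders; the connector library path /opt/mssql/lib/libmsakv.so is an assumption about where the mssql-server package on Linux installs it, so confirm it on your host.

```sql
-- Added example, not from the original post. Names, secrets and the library
-- path are placeholders/assumptions; see the lead-in.

-- 1. Enable EKM (an advanced server option).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 2. Register the SQL Server Connector for Azure Key Vault as a cryptographic provider.
CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov
    FROM FILE = '/opt/mssql/lib/libmsakv.so';   -- assumed path on SQL Server on Linux
GO

-- 3. Credential for the Entra service principal. IDENTITY is the vault name;
--    SECRET is the client ID with the hyphens removed, immediately followed by
--    the client secret (placeholder values here).
CREATE CREDENTIAL sysadmin_ekm_cred
    WITH IDENTITY = 'ContosoEKMKeyVault',
         SECRET   = '00000000000000000000000000000000<client-secret>'
    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
-- Map it to the login that runs the remaining steps (placeholder login name).
ALTER LOGIN [sqladmin] ADD CREDENTIAL sysadmin_ekm_cred;
GO

-- 4. Surface the vault's RSA key as an asymmetric key. OPEN_EXISTING means the key
--    already lives in the vault; its private half never leaves Key Vault.
CREATE ASYMMETRIC KEY EKM_Login_Key
    FROM PROVIDER AzureKeyVault_EKM_Prov
    WITH PROVIDER_KEY_NAME = 'ContosoRSAKey0',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO

-- 5. A login bound to that key, with its own credential, is what the database
--    engine uses to reach the vault when it opens the database at startup.
CREATE CREDENTIAL Azure_EKM_TDE_cred
    WITH IDENTITY = 'ContosoEKMKeyVault',
         SECRET   = '00000000000000000000000000000000<client-secret>'
    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
CREATE LOGIN TDE_Login FROM ASYMMETRIC KEY EKM_Login_Key;
ALTER LOGIN TDE_Login ADD CREDENTIAL Azure_EKM_TDE_cred;
GO

-- 6. Create the database encryption key under the vault key and turn TDE on.
USE ContosoDatabase;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY EKM_Login_Key;
ALTER DATABASE ContosoDatabase SET ENCRYPTION ON;
GO

-- 7. Check: encryption_state 3 means encrypted, and encryptor_type should read
--    ASYMMETRIC KEY (the EKM key), not CERTIFICATE (a local, host-resident key).
SELECT DB_NAME(database_id) AS database_name,
       encryption_state, encryptor_type, encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
GO

-- 8. Manual rotation (SQL Server does not do this for you): after creating the new
--    key in the vault, surface it, give the TDE login access to it, and re-encrypt
--    the database encryption key with it. Data is not re-encrypted, only the DEK.
CREATE ASYMMETRIC KEY EKM_Login_Key_Rotated
    FROM PROVIDER AzureKeyVault_EKM_Prov
    WITH PROVIDER_KEY_NAME = 'ContosoRSAKey1',
         CREATION_DISPOSITION = OPEN_EXISTING;
CREATE LOGIN TDE_Login_Rotated FROM ASYMMETRIC KEY EKM_Login_Key_Rotated;
ALTER LOGIN TDE_Login_Rotated ADD CREDENTIAL Azure_EKM_TDE_cred;
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER ASYMMETRIC KEY EKM_Login_Key_Rotated;
GO
```

Run it as a sysadmin login with the sysadmin_ekm_cred credential attached; the final query in step 7 is the check to keep in a monitoring job, because a database whose encryptor_type silently reverts to CERTIFICATE has lost the hardware-backed protection you set out to get.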
With data protection being paramount, Azure Key Vault's integration offers a robust solution. Stay tuned for more insights on SQL Server on Linux!

Official documentation:
- Extensible Key Management using Azure Key Vault - SQL Server
- Setup Steps for Extensible Key Management Using the Azure Key Vault
- Azure Key Vault Integration for SQL Server on Azure VMs

Entra Authentication in Arc enabled SQL Server 2025 - Windows
This blog discusses the newly added "primary managed identity" in Arc-enabled SQL Server 2025, which enables credential-free authentication with Microsoft Entra for both inbound and outbound communication. The primary managed identity is the identity of the Arc machine, which the Azure Connected Machine agent registers with Microsoft Entra. SQL Server can use this identity to authenticate to other Azure services, so no client secret or password has to be stored on the host.

Associate a primary managed identity with the SQL Server

Arc-enabled Windows machines have a system-assigned managed identity created for them. SQL Server 2025 can now use that identity to establish a trust relationship with Microsoft Entra. You attach this identity to SQL Server by selecting it in the Azure portal. To activate the primary managed identity from Azure, you need the latest release of the Azure extension for SQL Server as a prerequisite. Note: we keep improving the Azure portal user experience, and you might see slight differences depending on when you read this blog post. A primary managed identity is necessary for both outbound and inbound communication. Alternatively, you can just Arc-enable the host machine and use the manual setup for the managed identity feature. This eliminates the need for the Azure extension for SQL Server, which you must then uninstall; with this approach you cannot use the Azure portal for Microsoft Entra features.

Outbound communication: You can use this primary managed identity to connect SQL Server 2025 to Azure resources such as Azure Storage and Azure Key Vault, for example for backup to an Azure Storage URL and for EKM with Azure Key Vault. The setup steps are in the linked documentation.

Inbound communication: You can also use the primary managed identity to create Entra-based logins and users that connect to SQL Server 2025. For this you need to grant the managed identity these Microsoft Graph API permissions: User.Read.All, GroupMember.Read.All, and Application.Read.All. These are application permissions that let the identity read every user, group membership, and application registration in the tenant, so treat the Arc machine as a privileged directory reader: anyone who can obtain tokens from the Arc agent on that host inherits that read access. Read the documentation for the details and limitations of this managed identity setup.
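Both directions in T-SQL, as an added example that is not from the original post. The storage account, container, database, user and group names are placeholders, and it assumes the managed identity has already been granted a data-plane role on the container (Storage Blob Data Contributor) and the Graph permissions listed above.

```sql
-- Added example, not from the original post. Storage account, container, database,
-- user and group names are placeholders; role assignments are assumed done in Azure.

-- Outbound: backup to Azure Blob Storage with no stored secret. The credential
-- name must be the container URL, and IDENTITY = 'Managed Identity' tells
-- SQL Server to authenticate with the Arc machine's primary managed identity.
CREATE CREDENTIAL [https://contosobackups.blob.core.windows.net/sqlbackups]
    WITH IDENTITY = 'Managed Identity';
GO

BACKUP DATABASE ContosoDatabase
    TO URL = 'https://contosobackups.blob.core.windows.net/sqlbackups/ContosoDatabase.bak'
    WITH COMPRESSION, CHECKSUM, FORMAT;
GO

-- Check: the credential carries no secret material, only the identity marker,
-- so there is nothing in the catalog for an attacker with sysadmin to export.
SELECT name, credential_identity
FROM sys.credentials;
GO

-- Inbound: Entra principals as logins. Resolving the user and group requires the
-- Graph permissions granted to the managed identity (User.Read.All,
-- GroupMember.Read.All, Application.Read.All).
CREATE LOGIN [alice@contoso.com] FROM EXTERNAL PROVIDER;   -- an Entra user
CREATE LOGIN [SQL Readers]       FROM EXTERNAL PROVIDER;   -- an Entra security group
GO

USE ContosoDatabase;
CREATE USER [alice@contoso.com] FOR LOGIN [alice@contoso.com];
CREATE USER [SQL Readers]       FOR LOGIN [SQL Readers];
ALTER ROLE db_datareader ADD MEMBER [SQL Readers];
GO

-- Check: type E = external login, X = external group; neither row has a
-- SQL password hash, so there is no credential to brute-force or reuse.
SELECT name, type_desc
FROM sys.server_principals
WHERE type IN ('E', 'X');
```

Prefer the group login over individual user logins: membership changes are then handled in Entra and audited there, and SQL Server never needs to be touched when someone joins or leaves the team.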
For Arc-enabled SQL Server 2025, we recommend using managed identity, as it is more secure than the app registration (credential-based) setup from SQL Server 2022. Although you can still register your SQL Server 2025 with Microsoft Entra for inbound communication only, the Azure portal for SQL Server 2025 no longer supports the app registration method.

Next steps: To proceed, obtain SQL Server 2025 from the download page and explore all the SQL Server 2025 features available in the public preview. If you are using antivirus software, refer to the guidance on running antivirus software on SQL Server.

SQL Server 2025 - AI ready enterprise database from ground to cloud
The new version of SQL Server is designed to be an AI-ready enterprise database platform, integrating seamlessly from ground to cloud to Fabric. In this blog, we explore the key features and enhancements that make SQL Server 2025 a game-changer for developers, database administrators, and organizations. The new capabilities build on more than three decades of SQL Server innovation in performance, availability, reliability, and security, adding new features that empower developers, protect data, and enable seamless analytics through the Microsoft Fabric integration.

AI integration

SQL Server 2025 brings AI capabilities into the SQL engine, so AI models can be used with customer data while that data stays under the engine's own authentication, authorization, and encryption controls. The built-in vector data type allows hybrid AI vector searches, combining vector similarity with ordinary SQL predicates for efficient and accurate retrieval. This supports AI application development, retrieval-augmented generation (RAG) patterns, and AI agents using familiar T-SQL syntax. The vector data type stores embeddings alongside relational data, enabling semantic similarity searches within SQL Server. New vector functions operate on vectors held in a compact binary format, so applications can store and manipulate vectors directly inside the database engine without detailed knowledge of the underlying math. Similar data is found with exact K-Nearest Neighbors (KNN) search using a distance metric such as cosine, Euclidean, or dot product. To scale to large collections, SQL Server 2025 adds an approximate vector index and vector search that use Approximate Nearest Neighbors (ANN) for faster, more resource-efficient results at the cost of approximate rather than exact ranking.
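An added example, not from the original post, of the exact KNN query described above combined with an ordinary relational filter (the "hybrid" part). The table, its three-dimensional embeddings and the query vector are constructed for illustration; real embeddings come from a model and have hundreds or thousands of dimensions.

```sql
-- Added example, not from the original post. All data below is constructed.
CREATE TABLE dbo.Documents (
    id         INT IDENTITY PRIMARY KEY,
    title      NVARCHAR(200) NOT NULL,
    owner_team NVARCHAR(50)  NOT NULL,   -- relational attribute used for filtering
    embedding  VECTOR(3)     NOT NULL    -- 3 dimensions only so the values are readable
);

INSERT INTO dbo.Documents (title, owner_team, embedding) VALUES
    (N'Key rotation runbook',     N'platform-security', CAST('[0.90, 0.10, 0.00]' AS VECTOR(3))),
    (N'TDE with Azure Key Vault', N'platform-security', CAST('[0.80, 0.20, 0.10]' AS VECTOR(3))),
    (N'Incident postmortem 42',   N'platform-security', CAST('[0.40, 0.50, 0.30]' AS VECTOR(3))),
    (N'Quarterly sales summary',  N'finance',           CAST('[0.00, 0.20, 0.90]' AS VECTOR(3))),
    (N'Budget forecast model',    N'finance',           CAST('[0.10, 0.10, 0.95]' AS VECTOR(3)));
GO

-- Query embedding for a question like "how do we manage encryption keys?"
-- (constructed; in practice produced by the same embedding model as the rows).
DECLARE @q VECTOR(3) = CAST('[0.85, 0.15, 0.05]' AS VECTOR(3));

-- Hybrid KNN: the relational predicate is applied first, so a caller from
-- platform-security never has finance documents ranked into their results,
-- which matters when the rows feed a RAG prompt. Cosine distance is
-- 1 - cosine similarity, so smaller means more similar; TOP (k) + ORDER BY
-- is the exact nearest-neighbour pattern.
SELECT TOP (2)
       title,
       VECTOR_DISTANCE('cosine', embedding, @q) AS cosine_distance
FROM dbo.Documents
WHERE owner_team = N'platform-security'
ORDER BY cosine_distance;
GO
```

The filter column can just as well be enforced by a row-level security predicate on the table; the point is that the access check happens in the same query as the ranking, rather than in the application after the neighbours have already been fetched.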
SQL Server 2025 introduces AI model management capabilities designed to make interaction with Azure OpenAI and other AI models efficient and secure. Models can be deployed on-premises or in the cloud, with support for Azure OpenAI, OpenAI endpoints, and Ollama. With all these capabilities, SQL Server 2025's hybrid search changes how organizations access and use data: by blending keyword and vector search, businesses can unlock deeper insights, improve customer satisfaction, and make fuller use of their data assets. Our customer Kramer & Crew GmbH & Co. KG, who participated in our Early Adoption Program (EAP), also known as private preview, shared the following with us:

"Joining the EAP was a great opportunity to explore the new AI, security, performance, Fabric, and Azure Arc features! With the new semantic search and RAG capabilities in SQL Server 2025, we can empower existing GenAI solutions with data embeddings to create next-generation, more intelligent AI applications. By connecting systems (e.g., ITSM, CRM, ERP, and others), we deliver a seamless, natural conversational experience across enterprise environments."
Markus Angenendt, Data Platform Infrastructure Lead, Kramer & Crew GmbH & Co. KG

Developer productivity

SQL Server 2025 introduces several developer features designed to enhance productivity.

GitHub Copilot: GitHub Copilot transforms coding with AI-driven suggestions, streamlining workflows and enhancing efficiency. Its agent mode proposes edits, tests, and validates changes, enabling developers to focus on complex tasks.

SQL Server Management Studio (SSMS) 21: SSMS 21 is now generally available (GA) and includes support for SQL Server 2025. Copilot in SSMS is available in preview.
Python driver: The new Python driver for SQL Server and Azure SQL offers efficient, asynchronous connectivity on Windows, Linux, and macOS. It's designed to simplify development and improve performance for data-driven applications.

Standard Developer Edition: SQL Server 2025 Standard Developer Edition is a free edition licensed for development and test purposes. It enables all features of SQL Server Standard Edition, so applications that will run on Standard Edition in production can be developed and tested against the same feature set. This edition complements the existing Enterprise Developer Edition.

JSON data type and aggregates: SQL Server 2025 includes a native JSON data type, allowing more efficient storage and manipulation of JSON data, up to 2 GB per JSON document. New JSON aggregate functions build JSON objects and arrays from relational rows. Queries over JSON documents can be optimized by creating a JSON index and by using the JSON functions and methods to modify and search data natively.

Regular expressions (RegEx): SQL Server 2025 adds regular expression functions, giving developers richer pattern matching for querying and manipulating text than the LIKE operator provides.

External REST endpoint invocation: The sp_invoke_external_rest_endpoint stored procedure allows native invocation of REST endpoints directly from T-SQL, enabling integration with external web services.

Change event streaming (CES): Streams data changes read from the SQL Server transaction log directly to Azure Event Hubs (with Kafka compatibility), enabling near-real-time analytics and event-driven architectures. Consider it as an alternative to change data capture (CDC) where you want changes delivered to a stream: because changes are published from the log rather than written into change tables, it avoids the extra I/O that CDC's capture process incurs.
New T-SQL functions: Several new T-SQL functions simplify complex queries and improve workload performance. For example, the PRODUCT() aggregate function calculates the product of a set of values.

New Chinese collations: Support for the GB18030-2022 collation standard.

Overall, these developer-centric enhancements in SQL Server 2025 streamline the process of building modern, AI-powered, data-rich applications. They reduce the need for custom code and encourage a more declarative, in-database approach to data processing, which can lead to simpler architectures and better performance.

"The introduction of the new PRODUCT() aggregate function in SQL Server 2025 has streamlined this process, reducing code complexity while improving computational efficiency by over 30%. This enhancement accelerates key economic calculations, including the computation of the U.S. Gross Domestic Product (GDP), and also strengthens organizations' ability to deliver timely, accurate data to policymakers and to the public." -- David Rozenshtein and Sandip Mehta, IT Modernization Architects, Omnicom Consulting Group

Secure by default

SQL Server 2025 delivers a range of security features designed to strengthen data protection, authentication, and encryption. Here are the key security enhancements.

Stop using client secrets and passwords: SQL Server 2025 supports managed identity authentication enabled by Azure Arc. This allows secure authentication for outbound connections to Azure resources and for inbound connections by external (Microsoft Entra) users, without storing any secret on the host. For example, backup to Azure Blob Storage can now use the SQL Server managed identity for authentication.

Stronger encryption: To protect the key material of a symmetric key, SQL Server stores it in encrypted form. Historically this encryption used PKCS#1 v1.5 padding, whose malleability is what padding-oracle attacks against RSA exploit; starting with SQL Server 2025, encryption by certificate or asymmetric key uses Optimal Asymmetric Encryption Padding (OAEP).

Stronger password hashing: SQL authentication passwords are stored using an iterated hash, the password-based key derivation function PBKDF2 defined in RFC 2898. It hashes the password with SHA-512 over 100,000 iterations, which significantly slows down brute-force and dictionary attacks against a stolen hash. This change responds to evolving threats and helps customers comply with NIST SP 800-63B guidelines.

Strict connection encryption: Support for TDS 8.0 and TLS 1.3 enables strict encryption, in which the TLS handshake completes before any TDS traffic is exchanged, so the whole client-server conversation, including the login, is protected. This also hardens communication between SQL Server 2025's internal components.

Optimized security cache: When security cache entries are invalidated, only the entries belonging to the affected login are discarded, so permission checks for other logins keep hitting the cache.

In summary, SQL Server 2025 continues the product's legacy of strong security by incorporating modern identity and encryption practices. By embracing Microsoft Entra ID, managed identities, and stronger cryptography by default, it helps organizations avoid known weaknesses and meet compliance requirements more easily, protecting data both at rest and in motion.

Mission critical database engine

SQL Server 2025 introduces performance and reliability enhancements designed to optimize workload efficiency and reduce troubleshooting effort. Insights gained from prior executions of expressions within queries are used to speed up future executions. Optional parameter plan optimization helps SQL Server choose the optimal execution plan based on runtime parameter values, reducing performance problems caused by parameter sniffing.
Optimized locking improves concurrency by avoiding blocking and lock escalation and reduces lock memory usage. Enhancements in batch mode processing and columnstore indexes further improve SQL Server as a mission-critical database for analytical workloads. Query Store for readable secondaries allows you to monitor and tune the performance of read-only workloads running against secondary replicas; in SQL Server 2025 it is enabled by default. Persisted temporary statistics for readable secondaries are now saved to the primary replica, so they survive restarts instead of being recreated, which could degrade performance. A new query hint blocks future execution of problematic queries, such as nonessential queries that affect application performance. Optimized Halloween protection reduces tempdb space consumption and improves performance of data modification queries. Tempdb space resource governance improves reliability by restricting workloads from consuming excessive tempdb space. Accelerated database recovery in tempdb provides instantaneous transaction rollback and aggressive log truncation for transactions in tempdb. Fast failover for persistent health issues: the Windows Server Failover Cluster (WSFC) can be configured to fail over the availability group resource promptly when a persistent health issue, for example long I/O, is detected. The undo-of-redo process during disaster recovery failover to asynchronous replicas has been enhanced, improving synchronization performance. Internal synchronization mechanisms have been improved to reduce network saturation when the global primary and forwarder replicas are in asynchronous-commit mode. Health check time-out diagnostics are improved. You can configure a distributed availability group between two contained availability groups. The new backup compression algorithm, ZSTD, provides significant gains in compression efficiency while using fewer resources.
You can now offload FULL, DIFFERENTIAL, and transaction log backups to a secondary replica in an Always On availability group, freeing the primary replica to handle production workloads.

Fabric integration and analytics

Database mirroring to Fabric can continuously replicate data from a database in a SQL Server 2025 instance, on-premises or in virtual machines. A mirrored database item is a read-only, continuously replicated copy of your SQL Server database data in OneLake. SQL Server now natively supports querying CSV, Parquet, and Delta files using OPENROWSET or CREATE EXTERNAL TABLE, without needing the PolyBase Query Service.

SQL Server on Linux

The tmpfs filesystem is supported for tempdb in SQL Server 2025 on Linux. This can improve performance for tempdb-heavy workloads by using memory (RAM) instead of a disk-based filesystem. A custom password policy can be enforced for SQL authentication logins in SQL Server on Linux. PolyBase in SQL Server on Linux can now connect to ODBC data sources.

Discontinued services

Data Quality Services (DQS) is discontinued in this version of SQL Server. We continue to support DQS in SQL Server 2022 (16.x) and earlier versions. Master Data Services (MDS) is discontinued in this version of SQL Server. We continue to support MDS in SQL Server 2022 (16.x) and earlier versions.

Get started

SQL Server 2025 is not just an iterative update; it's a substantial upgrade that bridges the worlds of databases and AI, on-premises and cloud. It retains full support for existing applications and T-SQL code, so upgrades can be done with minimal changes. By adopting SQL Server 2025, organizations can answer new questions with their data, serve applications at greater scale, and integrate more closely with modern data platforms, all while relying on the familiar, reliable foundation SQL Server has provided for years. Ready to try it out? Get started today: aka.ms/getsqlserver2025.
Learn more
- Microsoft Build 2025: SQL Server 2025: The Database Developer Reimagined
- Docs: aka.ms/Build/sql2025docs
- Announcement blog: aka.ms/sqlserver2025
- SQL Server homepage: https://www.microsoft.com/en-us/sql-server
- MSSQL Extension for Visual Studio Code with GitHub Copilot: https://aka.ms/vscode-mssql-copilot

How to create Linked server from SQL Server to Azure SQL Database
In this blog, we demonstrate how to configure a linked server from an on-premises SQL Server instance to an Azure SQL Database. I will refer to this blog in subsequent posts on Dynamic Data Masking and cross-database/cross-server queries. We use two databases: Database1 (a copy of AdventureWorks 2019) as an Azure SQL Database, and Database2 hosted on an on-premises SQL Server instance. In this demo we query Database1's tables in the context of Database2.

Database1: Azure SQL Database
Database2: SQL Server instance on-premises

Here is the sequence of steps to configure the linked server using SSMS.

Step 1: Connect to the SQL Server instance in SSMS and go to Object Explorer. Expand Server Objects, right-click Linked Servers and choose New Linked Server.

Step 2: Go to the General tab in the New Linked Server window. Under Server type, choose Other data source. Give the linked server a suitable name in the Linked server field. Choose Microsoft OLE DB Provider for SQL Server in the Provider dropdown (or the newer Microsoft OLE DB Driver for SQL Server, MSOLEDBSQL, if it is installed). In the Data source field, specify the Azure SQL logical server name, for example logicalservername.database.windows.net, replacing logicalservername with the actual server name from the Azure portal. Enter the Azure database you want the linked server to target in the Catalog field; Azure SQL Database does not allow cross-database references, so the linked server is scoped to that one database.

Step 3: Go to the Security tab and choose the option "Be made using this security context". Enter the credentials of a SQL login that already exists on the Azure SQL server and has access to Database1. Please note that this option is the least secure way to configure linked server security: every local user who uses the linked server is authenticated on the remote server with the credentials entered here, so all of them inherit that remote login's permissions. Limit its use to test environments. In production, map specific local logins to a least-privileged remote login in the login mappings list at the top of the Security tab, and choose "Not be made" for logins that are not listed.
Step 4: Once the linked server is created, you can see it when you expand Linked Servers in Object Explorer; expand it further to view the list of tables.

Step 5: Open a new query window in SSMS and switch to the Database2 context on the on-premises SQL Server. Run a SELECT query to fetch data through the linked server you just created:

select * from [AZURE DATABASE DDMTEST].[Database1].[Person].[PersonPhone]

Hope you find the blog helpful. Please share your questions or feedback.
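The same linked server created in T-SQL, as an added example that is not from the original post, but with the security configuration a practitioner would want instead of the shared security context from Step 3: the default mapping is removed so unlisted logins cannot use the linked server at all, and one on-premises login is mapped to a least-privileged Azure SQL user. The server name, logical server, login names and password are placeholders; it assumes the Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL) is installed on the on-premises instance and that the remote user report_reader already exists in Database1 with only db_datareader.

```sql
-- Added example, not from the original post. Server, login and user names and the
-- password are placeholders; MSOLEDBSQL is assumed to be installed locally.

-- Same linked server as the SSMS dialog in Step 2, scoped to Database1.
EXEC sp_addlinkedserver
    @server     = N'AZURE DATABASE DDMTEST',
    @srvproduct = N'',
    @provider   = N'MSOLEDBSQL',
    @datasrc    = N'logicalservername.database.windows.net',
    @catalog    = N'Database1';
GO

-- sp_addlinkedserver creates a default mapping that applies to every local login.
-- Drop it: this is the "Not be made" choice in the Security tab, so any login
-- without an explicit mapping below gets an error instead of a remote session.
EXEC sp_droplinkedsrvlogin
    @rmtsrvname = N'AZURE DATABASE DDMTEST',
    @locallogin = NULL;
GO

-- Explicit mapping: one on-premises login -> one least-privileged remote SQL user.
-- Because @useself is FALSE the remote password is stored (encrypted) by the
-- local instance, so choose a remote user that can only read what it needs.
EXEC sp_addlinkedsrvlogin
    @rmtsrvname  = N'AZURE DATABASE DDMTEST',
    @useself     = N'FALSE',
    @locallogin  = N'CONTOSO\report_svc',
    @rmtuser     = N'report_reader',
    @rmtpassword = N'<strong password>';
GO

-- Check 1: the connection itself works.
EXEC sp_testlinkedserver N'AZURE DATABASE DDMTEST';
GO

-- Check 2: there must be no row with local_principal_id = 0 (the default mapping);
-- each remaining row is one local login -> remote_name.
SELECT s.name AS linked_server,
       l.local_principal_id,
       SUSER_NAME(l.local_principal_id) AS local_login,
       l.uses_self_credential,
       l.remote_name
FROM sys.linked_logins AS l
JOIN sys.servers AS s ON s.server_id = l.server_id
WHERE s.name = N'AZURE DATABASE DDMTEST';
GO

-- The query from Step 5, run as CONTOSO\report_svc from Database2's context.
-- The four-part name works because the catalog is fixed to Database1.
USE Database2;
SELECT TOP (10) BusinessEntityID, PhoneNumber
FROM [AZURE DATABASE DDMTEST].[Database1].[Person].[PersonPhone];
GO
```

Run the SELECT once as a login that is not mapped and confirm it fails; that failure is the evidence that the linked server is no longer a bridge every local user can walk across.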