diff --git a/azure-sql/database/always-encrypted-enclaves-configure-attestation.md b/azure-sql/database/always-encrypted-enclaves-configure-attestation.md index 1255e2a69a1..009ea13be4b 100644 --- a/azure-sql/database/always-encrypted-enclaves-configure-attestation.md +++ b/azure-sql/database/always-encrypted-enclaves-configure-attestation.md @@ -22,7 +22,7 @@ ms.date: 01/15/2021 [Microsoft Azure Attestation](../../attestation/overview.md) is a solution for attesting Trusted Execution Environments (TEEs), including Intel Software Guard Extensions (Intel SGX) enclaves. -To use Azure Attestation for attesting Intel SGX enclaves used for [Always Encrypted with secure enclaves](https://docs.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves) in Azure SQL Database, you need to: +To use Azure Attestation for attesting Intel SGX enclaves used for [Always Encrypted with secure enclaves](/sql/relational-databases/security/encryption/always-encrypted-enclaves) in Azure SQL Database, you need to: 1. Create an [attestation provider](../../attestation/basic-concepts.md#attestation-provider) and configure it with the recommended attestation policy. 
@@ -109,7 +109,7 @@ During the attestation workflow, the Azure SQL logical server containing your da ### Use Azure portal to assign permission -To assign the identity of an Azure SQL server to the Attestation Reader role for an attestation provider, follow the general instructions in [Add or remove Azure role assignments using the Azure portal](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal). When you are in the **Add role assignment** pane: +To assign the identity of an Azure SQL server to the Attestation Reader role for an attestation provider, follow the general instructions in [Add or remove Azure role assignments using the Azure portal](../../role-based-access-control/role-assignments-portal.md). When you are in the **Add role assignment** pane: 1. In the **Role** drop-down, select the **Attestation Reader** role. 1. In the **Select** field, enter the name of your Azure SQL server to search for it. @@ -138,11 +138,11 @@ $attestationResourceGroupName = "" New-AzRoleAssignment -ObjectId $server.Identity.PrincipalId -RoleDefinitionName "Attestation Reader" -ResourceGroupName $attestationResourceGroupName ``` -For more information, see [Add or remove Azure role assignments using Azure PowerShell](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-powershell#add-a-role-assignment). +For more information, see [Add or remove Azure role assignments using Azure PowerShell](../../role-based-access-control/role-assignments-powershell.md#add-a-role-assignment). ## Next Steps -- [Manage keys for Always Encrypted with secure enclaves](https://docs.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves-manage-keys) +- [Manage keys for Always Encrypted with secure enclaves](/sql/relational-databases/security/encryption/always-encrypted-enclaves-manage-keys) ## See also 
diff --git a/azure-sql/database/always-encrypted-enclaves-enable-sgx.md b/azure-sql/database/always-encrypted-enclaves-enable-sgx.md index c4a6475f2bb..871f1772902 100644 --- a/azure-sql/database/always-encrypted-enclaves-enable-sgx.md +++ b/azure-sql/database/always-encrypted-enclaves-enable-sgx.md @@ -19,7 +19,7 @@ ms.date: 01/15/2021 > [!NOTE] > Always Encrypted with secure enclaves for Azure SQL Database is currently in **public preview**. -[Always Encrypted with secure enclaves](https://docs.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves) in Azure SQL Database uses [Intel Software Guard Extensions (Intel SGX)](https://itpeernetwork.intel.com/microsoft-azure-confidential-computing/) enclaves. For Intel SGX to be available, the database must use the [vCore model](service-tiers-vcore.md) and the [DC-series](service-tiers-vcore.md#dc-series) hardware generation. +[Always Encrypted with secure enclaves](/sql/relational-databases/security/encryption/always-encrypted-enclaves) in Azure SQL Database uses [Intel Software Guard Extensions (Intel SGX)](https://itpeernetwork.intel.com/microsoft-azure-confidential-computing/) enclaves. For Intel SGX to be available, the database must use the [vCore model](service-tiers-vcore.md) and the [DC-series](service-tiers-vcore.md#dc-series) hardware generation. Configuring the DC-series hardware generation to enable Intel SGX enclaves is the responsibility of the Azure SQL Database administrator. See [Roles and responsibilities when configuring SGX enclaves and attestation](always-encrypted-enclaves-plan.md#roles-and-responsibilities-when-configuring-sgx-enclaves-and-attestation). diff --git a/azure-sql/database/always-encrypted-enclaves-getting-started.md b/azure-sql/database/always-encrypted-enclaves-getting-started.md index a900187061e..d7467685cde 100644 --- a/azure-sql/database/always-encrypted-enclaves-getting-started.md 
+++ b/azure-sql/database/always-encrypted-enclaves-getting-started.md @@ -19,7 +19,7 @@ ms.date: 01/15/2021 > [!NOTE] > Always Encrypted with secure enclaves for Azure SQL Database is currently in **public preview**. -This tutorial teaches you how to get started with [Always Encrypted with secure enclaves](https://docs.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves) in Azure SQL Database. It will show you: +This tutorial teaches you how to get started with [Always Encrypted with secure enclaves](/sql/relational-databases/security/encryption/always-encrypted-enclaves) in Azure SQL Database. It will show you: > [!div class="checklist"] > - How to create an environment for testing and evaluating Always Encrypted with secure enclaves. @@ -27,11 +27,11 @@ This tutorial teaches you how to get started with [Always Encrypted with secure ## Prerequisites -This tutorial requires Azure PowerShell and [SSMS](https://docs.microsoft.com/sql/ssms/download-sql-server-management-studio-ssms). +This tutorial requires Azure PowerShell and [SSMS](/sql/ssms/download-sql-server-management-studio-ssms). ### PowerShell requirements -See [Overview of Azure PowerShell](https://docs.microsoft.com/powershell/azure) for information on how to install and run Azure PowerShell. +See [Overview of Azure PowerShell](/powershell/azure) for information on how to install and run Azure PowerShell. Minimum version of Az modules required to support attestation operations: @@ -60,7 +60,7 @@ To continue to interact with the PowerShell Gallery, run the following command b ### SSMS requirements -See [Download SQL Server Management Studio (SSMS)](https://docs.microsoft.com/sql/ssms/download-sql-server-management-studio-ssms) for information on how to download SSMS. +See [Download SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms) for information on how to download SSMS. The required minimum version of SSMS is 18.8. 
@@ -69,7 +69,7 @@ The required minimum version of SSMS is 18.8. In this step, you will create a new Azure SQL Database logical server and a new database using the DC-series hardware configuration. Always Encrypted with secure enclaves in Azure SQL Database uses Intel SGX enclaves, which are supported in the DC-series hardware configuration. For more information, see [DC-series](service-tiers-vcore.md#dc-series). -1. Open a PowerShell console and sign into Azure. If needed, [switch to the subscription](https://docs.microsoft.com/powershell/azure/manage-subscriptions-azureps) you are using for this tutorial. +1. Open a PowerShell console and sign into Azure. If needed, [switch to the subscription](/powershell/azure/manage-subscriptions-azureps) you are using for this tutorial. ```PowerShell Connect-AzAccount 
@@ -350,10 +350,10 @@ You can run rich queries against the encrypted columns. Some query processing wi ## Next steps After completing this tutorial, you can go to one of the following tutorials: -- [Tutorial: Develop a .NET application using Always Encrypted with secure enclaves](https://docs.microsoft.com/sql/connect/ado-net/sql/tutorial-always-encrypted-enclaves-develop-net-apps) -- [Tutorial: Develop a .NET Framework application using Always Encrypted with secure enclaves](https://docs.microsoft.com/sql/relational-databases/security/tutorial-always-encrypted-enclaves-develop-net-framework-apps) -- [Tutorial: Creating and using indexes on enclave-enabled columns using randomized encryption](https://docs.microsoft.com/sql/relational-databases/security/tutorial-creating-using-indexes-on-enclave-enabled-columns-using-randomized-encryption) +- [Tutorial: Develop a .NET application using Always Encrypted with secure enclaves](/sql/connect/ado-net/sql/tutorial-always-encrypted-enclaves-develop-net-apps) +- [Tutorial: Develop a .NET Framework application using Always Encrypted with secure enclaves](/sql/relational-databases/security/tutorial-always-encrypted-enclaves-develop-net-framework-apps) +- [Tutorial: Creating and using indexes on enclave-enabled columns using randomized encryption](/sql/relational-databases/security/tutorial-creating-using-indexes-on-enclave-enabled-columns-using-randomized-encryption) ## See Also -- [Configure and use Always Encrypted with secure enclaves](https://docs.microsoft.com/sql/relational-databases/security/encryption/configure-always-encrypted-enclaves) \ No newline at end of file +- [Configure and use Always Encrypted with secure enclaves](/sql/relational-databases/security/encryption/configure-always-encrypted-enclaves) \ No newline at end of file diff --git a/azure-sql/database/always-encrypted-enclaves-plan.md b/azure-sql/database/always-encrypted-enclaves-plan.md index 1c22249b663..89de7447916 100644 
--- a/azure-sql/database/always-encrypted-enclaves-plan.md +++ b/azure-sql/database/always-encrypted-enclaves-plan.md @@ -19,7 +19,7 @@ ms.date: 01/15/2021 > [!NOTE] > Always Encrypted with secure enclaves for Azure SQL Database is currently in **public preview**. -[Always Encrypted with secure enclaves](https://docs.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves) in Azure SQL Database uses [Intel Software Guard Extensions (Intel SGX)](https://itpeernetwork.intel.com/microsoft-azure-confidential-computing/) enclaves and requires [Microsoft Azure Attestation](https://docs.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves#secure-enclave-attestation). +[Always Encrypted with secure enclaves](/sql/relational-databases/security/encryption/always-encrypted-enclaves) in Azure SQL Database uses [Intel Software Guard Extensions (Intel SGX)](https://itpeernetwork.intel.com/microsoft-azure-confidential-computing/) enclaves and requires [Microsoft Azure Attestation](/sql/relational-databases/security/encryption/always-encrypted-enclaves#secure-enclave-attestation). ## Plan for Intel SGX in Azure SQL Database diff --git a/azure-sql/database/cost-management.md b/azure-sql/database/cost-management.md index 85eafca81e6..1a708c86e66 100644 --- a/azure-sql/database/cost-management.md +++ b/azure-sql/database/cost-management.md 
@@ -19,7 +19,7 @@ This article describes how you plan for and manage costs for Azure SQL Database. Cost analysis supports most Azure account types, but not all of them. To view the full list of supported account types, see [Understand Cost Management data](../../cost-management-billing/costs/understand-cost-mgt-data.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). To view cost data, you need at least read access for an Azure account. -For information about assigning access to Azure Cost Management data, see [Assign access to data](../../cost-management/assign-access-acm-data.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). +For information about assigning access to Azure Cost Management data, see [Assign access to data](../../cost-management-billing/costs/assign-access-acm-data.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). ## SQL Database initial cost considerations 
@@ -75,7 +75,7 @@ To access this screen, select **Configure database** on the **Basics** tab of th -If your Azure subscription has a spending limit, Azure prevents you from spending over your credit amount. As you create and use Azure resources, your credits are used. When you reach your credit limit, the resources that you deployed are disabled for the rest of that billing period. You can't change your credit limit, but you can remove it. For more information about spending limits, see [Azure spending limit](https://docs.microsoft.com/azure/billing/billing-spending-limit). +If your Azure subscription has a spending limit, Azure prevents you from spending over your credit amount. As you create and use Azure resources, your credits are used. When you reach your credit limit, the resources that you deployed are disabled for the rest of that billing period. You can't change your credit limit, but you can remove it. For more information about spending limits, see [Azure spending limit](../../cost-management-billing/manage/spending-limit.md). ## Monitor costs 
@@ -87,13 +87,13 @@ As you start using Azure SQL Database, you can see the estimated costs in the po :::image type="content" source="media/cost-management/cost-analysis.png" alt-text="Example showing accumulated costs in the Azure portal"::: -From here, you can explore costs on your own. For more and information about the different cost analysis settings, see [Start analyzing costs](../../cost-management/cost-mgt-alerts-monitor-usage-spending.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). +From here, you can explore costs on your own. For more and information about the different cost analysis settings, see [Start analyzing costs](../../cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). ## Create budgets -You can create [budgets](../../cost-management/tutorial-acm-create-budgets.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) to manage costs and create [alerts](../../cost-management/cost-mgt-alerts-monitor-usage-spending.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) that automatically notify stakeholders of spending anomalies and overspending risks. Alerts are based on spending compared to budget and cost thresholds. Budgets and alerts are created for Azure subscriptions and resource groups, so they're useful as part of an overall cost monitoring strategy. +You can create [budgets](../../cost-management-billing/costs/tutorial-acm-create-budgets.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) to manage costs and create [alerts](../../cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) that automatically notify stakeholders of spending anomalies and overspending risks. Alerts are based on spending compared to budget and cost thresholds. 
Budgets and alerts are created for Azure subscriptions and resource groups, so they're useful as part of an overall cost monitoring strategy. Budgets can be created with filters for specific resources or services in Azure if you want more granularity present in your monitoring. Filters help ensure that you don't accidentally create new resources that cost you additional money. For more about the filter options when you when create a budget, see [Group and filter options](../../cost-management-billing/costs/group-filter.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). @@ -113,5 +113,5 @@ Save money by committing to a reservation for compute resources for one to three - Learn [how to optimize your cloud investment with Azure Cost Management](../../cost-management-billing/costs/cost-mgt-best-practices.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). - Learn more about managing costs with [cost analysis](../../cost-management-billing/costs/quick-acm-cost-analysis.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). -- Learn about how to [prevent unexpected costs](../../cost-management-billing/manage/getting-started.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). -- Take the [Cost Management](https://docs.microsoft.com/learn/paths/control-spending-manage-bills?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) guided learning course. +- Learn about how to [prevent unexpected costs](../../cost-management-billing/cost-management-billing-overview.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). +- Take the [Cost Management](/learn/paths/control-spending-manage-bills?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) guided learning course. \ No newline at end of file 
diff --git a/azure-sql/database/database-import-export-azure-services-off.md b/azure-sql/database/database-import-export-azure-services-off.md index e416f299b1f..7fd7fb03b78 100644 --- a/azure-sql/database/database-import-export-azure-services-off.md +++ b/azure-sql/database/database-import-export-azure-services-off.md @@ -141,7 +141,7 @@ To achieve the best performance, use Azure Files. SqlPackage operates with the f To reduce cost, use Azure Blobs, which cost less than a premium Azure file share. However, it will require you to copy the [.BACPAC file](/sql/relational-databases/data-tier-applications/data-tier-applications#bacpac) between the the blob and the local file system before the import or export operation. As a result the process will take longer. -To upload or download .BACPAC files, see [Transfer data with AzCopy and Blob storage](../../storage/common/storage-use-azcopy-blobs.md), and [Transfer data with AzCopy and file storage](../../storage/common/storage-use-azcopy-files.md). +To upload or download .BACPAC files, see [Transfer data with AzCopy and Blob storage](../../storage/common/storage-use-azcopy-v10.md#transfer-datatransfer-data), and [Transfer data with AzCopy and file storage](../../storage/common/storage-use-azcopy-files.md). Depending on your environment, you might need to [Configure Azure Storage firewalls and virtual networks](../../storage/common/storage-network-security.md). diff --git a/azure-sql/database/elastic-pool-overview.md b/azure-sql/database/elastic-pool-overview.md index 69045c7d961..2932823559b 100644 --- a/azure-sql/database/elastic-pool-overview.md +++ b/azure-sql/database/elastic-pool-overview.md 
@@ -150,7 +150,7 @@ When you have completed configuring the pool, you can click 'Apply', name the po In the Azure portal, you can monitor the utilization of an elastic pool and the databases within that pool. You can also make a set of changes to your elastic pool and submit all changes at the same time. These changes include adding or removing databases, changing your elastic pool settings, or changing your database settings. -You can use the built-in [performance monitoring](https://docs.microsoft.com/azure/azure-sql/database/performance-guidance) and [alerting tools](https://docs.microsoft.com/azure/azure-sql/database/alerts-insights-configure-portal), combined with performance ratings. Additionally, SQL Database can [emit metrics and resource logs](https://docs.microsoft.com/azure/azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure?tabs=azure-portal) for easier monitoring. +You can use the built-in [performance monitoring](./performance-guidance.md) and [alerting tools](./alerts-insights-configure-portal.md), combined with performance ratings. Additionally, SQL Database can [emit metrics and resource logs](./metrics-diagnostic-telemetry-logging-streaming-export-configure.md?tabs=azure-portal) for easier monitoring. ## Customer case studies 
@@ -172,4 +172,4 @@ You can use the built-in [performance monitoring](https://docs.microsoft.com/azu - To scale elastic pools, see [Scaling elastic pools](elastic-pool-scale.md) and [Scale an elastic pool - sample code](scripts/monitor-and-scale-pool-powershell.md) - To learn more about design patterns for SaaS applications using elastic pools, see [Design Patterns for Multi-tenant SaaS Applications with Azure SQL Database](saas-tenancy-app-design-patterns.md). - For a SaaS tutorial using elastic pools, see [Introduction to the Wingtip SaaS application](saas-dbpertenant-wingtip-app-overview.md). -- To learn about resource management in elastic pools with many databases, see [Resource management in dense elastic pools](elastic-pool-resource-management.md). +- To learn about resource management in elastic pools with many databases, see [Resource management in dense elastic pools](elastic-pool-resource-management.md). \ No newline at end of file diff --git a/azure-sql/database/service-tiers-vcore.md b/azure-sql/database/service-tiers-vcore.md index bc4a2320306..36dd8c1201f 100644 --- a/azure-sql/database/service-tiers-vcore.md +++ b/azure-sql/database/service-tiers-vcore.md 
@@ -100,7 +100,7 @@ To enable M-series hardware for a subscription and region, a support request mus > DC-series is currently in **public preview**. - DC-series hardware uses Intel processors with Software Guard Extensions (Intel SGX) technology. -- DC-series is required for [Always Encrypted with secure enclaves](https://docs.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-enclaves), which is not supported with other hardware configurations. +- DC-series is required for [Always Encrypted with secure enclaves](/sql/relational-databases/security/encryption/always-encrypted-enclaves), which is not supported with other hardware configurations. - DC-series is designed for workloads that process sensitive data and demand confidential query processing capabilities, provided by Always Encrypted with secure enclaves. - DC-series hardware provides balanced compute and memory resources. diff --git a/azure-sql/database/sql-database-vulnerability-assessment-rules.md b/azure-sql/database/sql-database-vulnerability-assessment-rules.md index f91827d19e5..c300f542634 100644 --- a/azure-sql/database/sql-database-vulnerability-assessment-rules.md +++ b/azure-sql/database/sql-database-vulnerability-assessment-rules.md @@ -92,7 +92,7 @@ SQL Vulnerability Assessment rules have five categories, which are in the follow |VA1265 |Auditing of both successful and failed login attempts for contained DB authentication should be enabled |Medium |SQL Server auditing configuration enables administrators to track users logging to SQL Server instances that they're responsible for. This rule checks that auditing is enabled for both successful and failed login attempts for contained DB authentication. |SQL Server 2012+

SQL Managed Instance | |VA1281 |All memberships for user-defined roles should be intended |Medium |User-defined roles are security principals defined by the user to group principals to easily manage permissions. Monitoring these roles is important to avoid having excessive permissions. Create a baseline that defines expected membership for each user-defined role. This rule checks whether all memberships for user-defined roles are as defined in the baseline. |
SQL Server 2012+

SQL Managed Instance

SQL Database

Azure Synapse | |VA1283 |There should be at least 1 active audit in the system |Low |Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging events that occur on the Database Engine. The SQL Server Audit object collects a single instance of server or database-level actions and groups of actions to monitor. This rule checks that there is at least one active audit in the system. |
SQL Server 2012+

SQL Managed Instance | -|VA2061 |Auditing should be enabled at the server level |High |Azure SQL Database Auditing tracks database events and writes them to an audit log in your Azure storage account. Auditing helps you understand database activity and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations as well as helps you meet regulatory compliance. For more information, see [Azure SQL Auditing](https://docs.microsoft.com/azure/sql-database/sql-database-auditing). This rule checks that auditing is enabled. |
SQL Database

Azure Synapse | +|VA2061 |Auditing should be enabled at the server level |High |Azure SQL Database Auditing tracks database events and writes them to an audit log in your Azure storage account. Auditing helps you understand database activity and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations as well as helps you meet regulatory compliance. For more information, see [Azure SQL Auditing](./auditing-overview.md). This rule checks that auditing is enabled. |
SQL Database

Azure Synapse | ## Data Protection @@ -107,7 +107,7 @@ SQL Vulnerability Assessment rules have five categories, which are in the follow |VA1224 |Asymmetric keys' length should be at least 2048 bits |High |Database asymmetric keys are used in many encryption algorithms these keys need to be of enough length to secure the encrypted data this rule checks that all asymmetric keys stored in the database are of length of at least 2048 bits |
SQL Server 2012

SQL Server 2014

SQL Database | |VA1279 |Force encryption should be enabled for TDS |High |When the Force Encryption option for the Database Engine is enabled all communications between client and server is encrypted regardless of whether the 'Encrypt connection' option (such as from SSMS) is checked or not. This rule checks that Force Encryption option is enabled. |
SQL Server 2012+ | |VA1288 |Sensitive data columns should be classified |Medium |This rule checks if the scanned database has potentially sensitive data that has not been classified. |SQL Database | -|VA2060 |SQL Threat Detection should be enabled at the server level |Medium |SQL Threat Detection provides a layer of security that detects potential vulnerabilities and anomalous activity in databases such as SQL injection attacks and unusual behavior patterns. When a potential threat is detected Threat Detection sends an actionable real-time alert by email and in Azure Security Center, which includes clear investigation and remediation steps for the specific threat. For more information, please see [Configure threat detection](https://docs.microsoft.com/azure/sql-database/sql-database-threat-detection). This check verifies that SQL Threat Detection is enabled |
SQL Managed Instance

SQL Database

Azure Synapse | +|VA2060 |SQL Threat Detection should be enabled at the server level |Medium |SQL Threat Detection provides a layer of security that detects potential vulnerabilities and anomalous activity in databases such as SQL injection attacks and unusual behavior patterns. When a potential threat is detected Threat Detection sends an actionable real-time alert by email and in Azure Security Center, which includes clear investigation and remediation steps for the specific threat. For more information, please see [Configure threat detection](./threat-detection-configure.md). This check verifies that SQL Threat Detection is enabled |

SQL Managed Instance

SQL Database

Azure Synapse | ## Installation Updates and Patches @@ -140,10 +140,10 @@ SQL Vulnerability Assessment rules have five categories, which are in the follow |VA1256 |User CLR assemblies should not be defined in the database |High |CLR assemblies can be used to execute arbitrary code on SQL Server process. This rule checks that there are no user-defined CLR assemblies in the database. |
SQL Server 2012+

SQL Managed Instance | |VA1277 |Polybase network encryption should be enabled |High |PolyBase is a technology that accesses and combines both non-relational and relational data all from within SQL Server. Polybase network encryption option configures SQL Server to encrypt control and data channels when using Polybase. This rule verifies that this option is enabled. |
SQL Server 2016+ | |VA1278 |Create a baseline of External Key Management Providers |Medium |The SQL Server Extensible Key Management (EKM) enables third-party EKM / Hardware Security Modules (HSM) vendors to register their modules in SQL Server. When registered SQL Server users can use the encryption keys stored on EKM modules,this rule displays a list of EKM providers being used in the system. |SQL Server 2012+

SQL Managed Instance | -|VA2062 |Database-level firewall rules should not grant excessive access |High |The Azure SQL Database-level firewall helps protect your data by preventing all access to your database until you specify which IP addresses have permission. Database-level firewall rules grant access to the specific database based on the originating IP address of each request. Database-level firewall rules for master and user databases can only be created and managed through Transact-SQL (unlike server-level firewall rules, which can also be created and managed using the Azure portal or PowerShell). For more information, see [Azure SQL Database and Azure Synapse Analytics IP firewall rules](https://docs.microsoft.com/azure/sql-database/sql-database-firewall-configure). This check verifies that database-level firewall rules do not grant access to more than 255 IP addresses. |
SQL Database

Azure Synapse | -|VA2063 |Server-level firewall rules should not grant excessive access |High |The Azure SQL server-level firewall helps protect your server by preventing all access to your databases until you specify which IP addresses have permission. Server-level firewall rules grant access to all databases that belong to the server based on the originating IP address of each request. Server-level firewall rules can only be created and managed through Transact-SQL as well as through the Azure portal or PowerShell. For more information, see [Azure SQL Database and Azure Synapse Analytics IP firewall rules](https://docs.microsoft.com/azure/sql-database/sql-database-firewall-configure). This check verifies that server-level firewall rules do not grant access to more than 255 IP addresses. |
SQL Database

Azure Synapse | -|VA2064 |Database-level firewall rules should be tracked and maintained at a strict minimum |High |The Azure SQL Database-level firewall helps protect your data by preventing all access to your database until you specify which IP addresses have permission. Database-level firewall rules grant access to the specific database based on the originating IP address of each request. Database-level firewall rules for master and user databases can only be created and managed through Transact-SQL (unlike server-level firewall rules, which can also be created and managed using the Azure portal or PowerShell). For more information, see [Azure SQL Database and Azure Synapse Analytics IP firewall rules](https://docs.microsoft.com/azure/sql-database/sql-database-firewall-configure). This check enumerates all the database-level firewall rules so that any changes made to them can be identified and addressed. |
SQL Database

Azure Synapse | -|VA2065 |Server-level firewall rules should be tracked and maintained at a strict minimum |High |The Azure SQL server-level firewall helps protect your data by preventing all access to your databases until you specify which IP addresses have permission. Server-level firewall rules grant access to all databases that belong to the server based on the originating IP address of each request. Server-level firewall rules can be created and managed through Transact-SQL as well as through the Azure portal or PowerShell. For more information, see [Azure SQL Database and Azure Synapse Analytics IP firewall rules](https://docs.microsoft.com/azure/sql-database/sql-database-firewall-configure). This check enumerates all the server-level firewall rules so that any changes made to them can be identified and addressed. |
SQL Database

Azure Synapse | +|VA2062 |Database-level firewall rules should not grant excessive access |High |The Azure SQL Database-level firewall helps protect your data by preventing all access to your database until you specify which IP addresses have permission. Database-level firewall rules grant access to the specific database based on the originating IP address of each request. Database-level firewall rules for master and user databases can only be created and managed through Transact-SQL (unlike server-level firewall rules, which can also be created and managed using the Azure portal or PowerShell). For more information, see [Azure SQL Database and Azure Synapse Analytics IP firewall rules](./firewall-configure.md). This check verifies that database-level firewall rules do not grant access to more than 255 IP addresses. |
SQL Database

Azure Synapse | +|VA2063 |Server-level firewall rules should not grant excessive access |High |The Azure SQL server-level firewall helps protect your server by preventing all access to your databases until you specify which IP addresses have permission. Server-level firewall rules grant access to all databases that belong to the server based on the originating IP address of each request. Server-level firewall rules can only be created and managed through Transact-SQL as well as through the Azure portal or PowerShell. For more information, see [Azure SQL Database and Azure Synapse Analytics IP firewall rules](./firewall-configure.md). This check verifies that server-level firewall rules do not grant access to more than 255 IP addresses. |
SQL Database

Azure Synapse | +|VA2064 |Database-level firewall rules should be tracked and maintained at a strict minimum |High |The Azure SQL Database-level firewall helps protect your data by preventing all access to your database until you specify which IP addresses have permission. Database-level firewall rules grant access to the specific database based on the originating IP address of each request. Database-level firewall rules for master and user databases can only be created and managed through Transact-SQL (unlike server-level firewall rules, which can also be created and managed using the Azure portal or PowerShell). For more information, see [Azure SQL Database and Azure Synapse Analytics IP firewall rules](./firewall-configure.md). This check enumerates all the database-level firewall rules so that any changes made to them can be identified and addressed. |
SQL Database

Azure Synapse | +|VA2065 |Server-level firewall rules should be tracked and maintained at a strict minimum |High |The Azure SQL server-level firewall helps protect your data by preventing all access to your databases until you specify which IP addresses have permission. Server-level firewall rules grant access to all databases that belong to the server based on the originating IP address of each request. Server-level firewall rules can be created and managed through Transact-SQL as well as through the Azure portal or PowerShell. For more information, see [Azure SQL Database and Azure Synapse Analytics IP firewall rules](./firewall-configure.md). This check enumerates all the server-level firewall rules so that any changes made to them can be identified and addressed. |
SQL Database

Azure Synapse | |VA2111 |Sample databases should be removed |Low |Microsoft SQL Server comes shipped with several sample databases. This rule checks whether the sample databases have been removed. |
SQL Server 2012+

SQL Managed Instance | |VA2120 |Features that may affect security should be disabled |High |SQL Server is capable of providing a wide range of features and services. Some of the features and services provided by default may not be necessary and enabling them could adversely affect the security of the system. This rule checks that these features are disabled. |
SQL Server 2012+

SQL Managed Instance | |VA2121 | 'OLE Automation Procedures' feature should be disabled |High |SQL Server is capable of providing a wide range of features and services. Some of the features and services, provided by default, may not be necessary, and enabling them could adversely affect the security of the system. The OLE Automation Procedures option controls whether OLE Automation objects can be instantiated within Transact-SQL batches. These are extended stored procedures that allow SQL Server users to execute functions external to SQL Server. Regardless of its benefits it can also be used for exploits, and is known as a popular mechanism to plant files on the target machines. It is advised to use PowerShell as a replacement for this tool. This rule checks that 'OLE Automation Procedures' feature is disabled. |
SQL Server 2012+

SQL Managed Instance | diff --git a/azure-sql/database/understand-resolve-blocking.md b/azure-sql/database/understand-resolve-blocking.md index b2f6172c17c..f8f4b414b80 100644 --- a/azure-sql/database/understand-resolve-blocking.md +++ b/azure-sql/database/understand-resolve-blocking.md @@ -344,7 +344,7 @@ The following scenarios will expand on these scenarios. After sending a query to the server, all applications must immediately fetch all result rows to completion. If an application does not fetch all result rows, locks can be left on the tables, blocking other users. If you are using an application that transparently submits SQL statements to the server, the application must fetch all result rows. If it does not (and if it cannot be configured to do so), you may be unable to resolve the blocking problem. To avoid the problem, you can restrict poorly behaved applications to a reporting or a decision-support database. > [!NOTE] - > See [guidance for retry logic](/azure/azure-sql/database/troubleshoot-common-connectivity-issues#retry-logic-for-transient-errors) for applications connecting to Azure SQL Database. + > See [guidance for retry logic](./troubleshoot-common-connectivity-issues.md#retry-logic-for-transient-errors) for applications connecting to Azure SQL Database. **Resolution**: The application must be rewritten to fetch all rows of the result to completion. This does not rule out the use of [OFFSET and FETCH in the ORDER BY clause](/sql/t-sql/queries/select-order-by-clause-transact-sql#using-offset-and-fetch-to-limit-the-rows-returned) of a query to perform server-side paging. 
@@ -383,4 +383,4 @@ The following scenarios will expand on these scenarios. * [Improve Azure SQL Database Performance with Automatic Tuning](https://channel9.msdn.com/Shows/Azure-Friday/Improve-Azure-SQL-Database-Performance-with-Automatic-Tuning) * [Deliver consistent performance with Azure SQL](/learn/modules/azure-sql-performance/) * [Troubleshooting connectivity issues and other errors with Azure SQL Database and Azure SQL Managed Instance](troubleshoot-common-errors-issues.md) -* [Transient Fault Handling](/aspnet/aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/transient-fault-handling) +* [Transient Fault Handling](/aspnet/aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/transient-fault-handling) \ No newline at end of file diff --git a/azure-sql/managed-instance/connect-application-instance.md b/azure-sql/managed-instance/connect-application-instance.md index 1c8dd417848..305ea403cf2 100644 --- a/azure-sql/managed-instance/connect-application-instance.md +++ b/azure-sql/managed-instance/connect-application-instance.md 
@@ -51,7 +51,7 @@ You can also connect your on-premises application to SQL Managed Instance. SQL M There are two options for how to connect on-premises to an Azure virtual network: -- Site-to-site VPN connection ([Azure portal](../../vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal.md), [PowerShell](../../vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell.md), [Azure CLI](../../vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-cli.md)) +- Site-to-site VPN connection ([Azure portal](../../vpn-gateway/tutorial-site-to-site-portal.md), [PowerShell](../../vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell.md), [Azure CLI](../../vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-cli.md)) - [Azure ExpressRoute](../../expressroute/expressroute-introduction.md) connection If you've established an on-premises to Azure connection successfully and you can't establish a connection to SQL Managed Instance, check if your firewall has an open outbound connection on SQL port 1433 as well as the 11000-11999 range of ports for redirection. diff --git a/azure-sql/managed-instance/connectivity-architecture-overview.md b/azure-sql/managed-instance/connectivity-architecture-overview.md index 612e8cd7afb..1036671042e 100644 --- a/azure-sql/managed-instance/connectivity-architecture-overview.md +++ b/azure-sql/managed-instance/connectivity-architecture-overview.md 
@@ -102,7 +102,7 @@ Deploy SQL Managed Instance in a dedicated subnet inside the virtual network. Th - **Sufficient IP addresses:** The SQL Managed Instance subnet must have at least 32 IP addresses. For more information, see [Determine the size of the subnet for SQL Managed Instance](vnet-subnet-determine-size.md). You can deploy managed instances in [the existing network](vnet-existing-add-subnet.md) after you configure it to satisfy [the networking requirements for SQL Managed Instance](#network-requirements). Otherwise, create a [new network and subnet](virtual-network-subnet-create-arm-template.md). > [!IMPORTANT] -> When you create a managed instance, a network intent policy is applied on the subnet to prevent noncompliant changes to networking setup. After the last instance is removed from the subnet, the network intent policy is also removed. Rules below are for the informational purposes only, and you should not deploy them using ARM template / PowerShell / CLI. If you want to use the latest official template you could always [retrieve it from the portal](https://docs.microsoft.com/azure/azure-resource-manager/templates/quickstart-create-templates-use-the-portal). +> When you create a managed instance, a network intent policy is applied on the subnet to prevent noncompliant changes to networking setup. After the last instance is removed from the subnet, the network intent policy is also removed. Rules below are for the informational purposes only, and you should not deploy them using ARM template / PowerShell / CLI. If you want to use the latest official template you could always [retrieve it from the portal](../../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md). ### Mandatory inbound security rules with service-aided subnet configuration 
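Review bot: The rewritten `[!IMPORTANT]` line in connectivity-architecture-overview.md still carries "Rules below are for the informational purposes only" and "you could always retrieve it from the portal", and since the line is already being replaced for the link it should be tightened in the same change. Suggested wording: "The rules below are for informational purposes only" and "you can retrieve it from the portal". This note is the one place that tells readers not to deploy these rules with ARM template / PowerShell / CLI on a subnet governed by the network intent policy, so it should read without ambiguity.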
@@ -323,4 +323,4 @@ The following virtual network features are currently *not supported* with SQL Ma - From the [Azure portal](instance-create-quickstart.md). - By using [PowerShell](scripts/create-configure-managed-instance-powershell.md). - By using [an Azure Resource Manager template](https://azure.microsoft.com/resources/templates/101-sqlmi-new-vnet/). - - By using [an Azure Resource Manager template (using JumpBox, with SSMS included)](https://azure.microsoft.com/resources/templates/201-sqlmi-new-vnet-w-jumpbox/). + - By using [an Azure Resource Manager template (using JumpBox, with SSMS included)](https://azure.microsoft.com/resources/templates/201-sqlmi-new-vnet-w-jumpbox/). \ No newline at end of file diff --git a/azure-sql/managed-instance/frequently-asked-questions-faq.md b/azure-sql/managed-instance/frequently-asked-questions-faq.md index 6aef03e5da8..3a12184fa29 100644 --- a/azure-sql/managed-instance/frequently-asked-questions-faq.md +++ b/azure-sql/managed-instance/frequently-asked-questions-faq.md 
@@ -333,7 +333,7 @@ Express Route circuit peering is the preferred way to do that. Global virtual ne > [!IMPORTANT] > [On 9/22/2020 we announced global virtual network peering for newly created virtual clusters](https://azure.microsoft.com/en-us/updates/global-virtual-network-peering-support-for-azure-sql-managed-instance-now-available/). That means that global virtual network peering is supported for SQL Managed Instances created in empty subnets after the announcement date, as well for all the subsequent managed instances created in those subnets. For all the other SQL Managed Instances peering support is limited to the networks in the same region due to the [constraints of global virtual network peering](../../virtual-network/virtual-network-manage-peering.md#requirements-and-constraints). See also the relevant section of the [Azure Virtual Networks frequently asked questions](../../virtual-network/virtual-networks-faq.md#what-are-the-constraints-related-to-global-vnet-peering-and-load-balancers) article for more details. -If Express Route circuit peering and global virtual network peering is not possible, the only other option is to create Site-to-Site VPN connection ([Azure portal](../../vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal.md), [PowerShell](../../vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell.md), [Azure CLI](../../vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-cli.md)). +If Express Route circuit peering and global virtual network peering is not possible, the only other option is to create Site-to-Site VPN connection ([Azure portal](../../vpn-gateway/tutorial-site-to-site-portal.md), [PowerShell](../../vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell.md), [Azure CLI](../../vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-cli.md)). ## Mitigate data exfiltration risks 
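Review bot: The Azure portal link in the added line is retargeted to a different article (`vpn-gateway-howto-site-to-site-resource-manager-portal.md` becomes `tutorial-site-to-site-portal.md`) rather than only changed in form, while the PowerShell and Azure CLI links next to it keep their existing file names. Please confirm the new file exists in the vpn-gateway docset and covers the same site-to-site procedure, and mention the rename in the commit description, because the same swap is made in connect-application-instance.md and in the HADR overview table. While the line is open, "is not possible" should be "are not possible" and "create Site-to-Site VPN connection" needs an article.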
diff --git a/azure-sql/managed-instance/timezones-overview.md b/azure-sql/managed-instance/timezones-overview.md index d2b06fb34e9..6db64012b3a 100644 --- a/azure-sql/managed-instance/timezones-overview.md +++ b/azure-sql/managed-instance/timezones-overview.md @@ -26,7 +26,7 @@ T-SQL functions like [GETDATE()](/sql/t-sql/functions/getdate-transact-sql) or C A set of supported time zones is inherited from the underlying operating system of the managed instance. It's regularly updated to get new time zone definitions and reflect changes to the existing ones. -[Daylight saving time/time zone changes policy](https://aka.ms/time) guarantees historical accuracy from 2010 forward. +[Daylight saving time/time zone changes policy](/troubleshoot/windows-client/system-management-components/daylight-saving-time-help-support) guarantees historical accuracy from 2010 forward. A list with names of the supported time zones is exposed through the [sys.time_zone_info](/sql/relational-databases/system-catalog-views/sys-time-zone-info-transact-sql) system view. diff --git a/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview.md b/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview.md index 8e4b21ed3e6..2f95ef17c29 100644 --- a/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview.md +++ b/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview.md @@ -72,7 +72,7 @@ You can have a disaster recovery solution for your SQL Server databases in a hyb | Technology | Example Architectures | | --- | --- | | **Availability groups** |Some availability replicas running in Azure VMs and other replicas running on-premises for cross-site disaster recovery. The production site can be either on-premises or in an Azure datacenter.
![Availability groups](./media/business-continuity-high-availability-disaster-recovery-hadr-overview/hybrid-dr-alwayson.png)
Because all availability replicas must be in the same failover cluster, the cluster must span both networks (a multi-subnet failover cluster). This configuration requires a VPN connection between Azure and the on-premises network.

For successful disaster recovery of your databases, you should also install a replica domain controller at the disaster recovery site.| -| **Database mirroring** |One partner running in an Azure VM and the other running on-premises for cross-site disaster recovery by using server certificates. Partners don't need to be in the same Active Directory domain, and no VPN connection is required.
![Database mirroring](./media/business-continuity-high-availability-disaster-recovery-hadr-overview/hybrid-dr-dbmirroring.png)
Another database mirroring scenario involves one partner running in an Azure VM and the other running on-premises in the same Active Directory domain for cross-site disaster recovery. A [VPN connection between the Azure virtual network and the on-premises network](../../../vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal.md) is required.

For successful disaster recovery of your databases, you should also install a replica domain controller at the disaster recovery site. SQL Server database mirroring is not supported for SQL Server 2008 or SQL Server 2008 R2 on an Azure VM. | +| **Database mirroring** |One partner running in an Azure VM and the other running on-premises for cross-site disaster recovery by using server certificates. Partners don't need to be in the same Active Directory domain, and no VPN connection is required.
![Database mirroring](./media/business-continuity-high-availability-disaster-recovery-hadr-overview/hybrid-dr-dbmirroring.png)
Another database mirroring scenario involves one partner running in an Azure VM and the other running on-premises in the same Active Directory domain for cross-site disaster recovery. A [VPN connection between the Azure virtual network and the on-premises network](../../../vpn-gateway/tutorial-site-to-site-portal.md) is required.

For successful disaster recovery of your databases, you should also install a replica domain controller at the disaster recovery site. SQL Server database mirroring is not supported for SQL Server 2008 or SQL Server 2008 R2 on an Azure VM. | | **Log shipping** |One server running in an Azure VM and the other running on-premises for cross-site disaster recovery. Log shipping depends on Windows file sharing, so a VPN connection between the Azure virtual network and the on-premises network is required.
![Log shipping](./media/business-continuity-high-availability-disaster-recovery-hadr-overview/hybrid-dr-log-shipping.png)
For successful disaster recovery of your databases, you should also install a replica domain controller at the disaster recovery site. | | **Backup and restore with Azure Blob storage** |On-premises production databases backed up directly to Azure Blob storage for disaster recovery.
![Backup and restore](./media/business-continuity-high-availability-disaster-recovery-hadr-overview/hybrid-dr-backup-restore.png)
For more information, see [Backup and restore for SQL Server on Azure Virtual Machines](../../../azure-sql/virtual-machines/windows/backup-restore.md). | | **Replicate and fail over SQL Server to Azure with Azure Site Recovery** |On-premises production SQL Server instance replicated directly to Azure Storage for disaster recovery.
![Replicate using Azure Site Recovery](./media/business-continuity-high-availability-disaster-recovery-hadr-overview/hybrid-dr-standalone-sqlserver-asr.png)
For more information, see [Protect SQL Server using SQL Server disaster recovery and Azure Site Recovery](../../../site-recovery/site-recovery-sql.md). | @@ -164,4 +164,4 @@ If you don't have the option to disable geo-replication on the storage account, ## Next steps -Decide if an [availability group](availability-group-overview.md) or a [failover cluster instance](failover-cluster-instance-overview.md) is the best business continuity solution for your business. Then review the [best practices](hadr-cluster-best-practices.md) for configuring your environment for high availability and disaster recovery. +Decide if an [availability group](availability-group-overview.md) or a [failover cluster instance](failover-cluster-instance-overview.md) is the best business continuity solution for your business. Then review the [best practices](hadr-cluster-best-practices.md) for configuring your environment for high availability and disaster recovery. \ No newline at end of file diff --git a/azure-sql/virtual-machines/windows/failover-cluster-instance-azure-shared-disks-manually-configure.md b/azure-sql/virtual-machines/windows/failover-cluster-instance-azure-shared-disks-manually-configure.md index 75a15aea7bd..81d26d45b42 100644 --- a/azure-sql/virtual-machines/windows/failover-cluster-instance-azure-shared-disks-manually-configure.md +++ b/azure-sql/virtual-machines/windows/failover-cluster-instance-azure-shared-disks-manually-configure.md 
@@ -29,7 +29,7 @@ To learn more, see an overview of [FCI with SQL Server on Azure VMs](failover-cl Before you complete the instructions in this article, you should already have: - An Azure subscription. Get started for [free](https://azure.microsoft.com/free/). -- [Two or more Windows Azure virtual machines](failover-cluster-instance-prepare-vm.md). [Availability sets](../../../virtual-machines/windows/tutorial-availability-sets.md) and [proximity placement groups](../../../virtual-machines/windows/co-location.md#proximity-placement-groups) (PPGs) supported for Premium SSD and [availability zones](../../../virtual-machines/windows/create-portal-availability-zone.md#confirm-zone-for-managed-disk-and-ip-address) are supported for Ultra Disks. If you use a PPG, all nodes must exist in the same group. +- [Two or more Windows Azure virtual machines](failover-cluster-instance-prepare-vm.md). [Availability sets](../../../virtual-machines/windows/tutorial-availability-sets.md) and [proximity placement groups](../../../virtual-machines/co-location.md#proximity-placement-groups) (PPGs) supported for Premium SSD and [availability zones](../../../virtual-machines/windows/create-portal-availability-zone.md#confirm-zone-for-managed-disk-and-ip-address) are supported for Ultra Disks. If you use a PPG, all nodes must exist in the same group. - An account that has permissions to create objects on both Azure virtual machines and in Active Directory. - The latest version of [PowerShell](/powershell/azure/install-az-ps). diff --git a/azure-sql/virtual-machines/windows/failover-cluster-instance-prepare-vm.md b/azure-sql/virtual-machines/windows/failover-cluster-instance-prepare-vm.md index 80b7454884a..15272ced82e 100644 --- a/azure-sql/virtual-machines/windows/failover-cluster-instance-prepare-vm.md +++ b/azure-sql/virtual-machines/windows/failover-cluster-instance-prepare-vm.md 
@@ -40,7 +40,7 @@ The configuration settings for your virtual machine vary depending on the storag ## Configure VM availability -The failover cluster feature requires virtual machines to be placed in an [availability set](../../../virtual-machines/linux/tutorial-availability-sets.md) or an [availability zone](../../../availability-zones/az-overview.md#availability-zones). If you choose availability sets, you can use [proximity placement groups](../../../virtual-machines/windows/co-location.md#proximity-placement-groups) to locate the VMs closer. In fact, proximity placement groups are a prerequisite for using Azure shared disks. +The failover cluster feature requires virtual machines to be placed in an [availability set](../../../virtual-machines/linux/tutorial-availability-sets.md) or an [availability zone](../../../availability-zones/az-overview.md#availability-zones). If you choose availability sets, you can use [proximity placement groups](../../../virtual-machines/co-location.md#proximity-placement-groups) to locate the VMs closer. In fact, proximity placement groups are a prerequisite for using Azure shared disks. Carefully select the VM availability option that matches your intended cluster configuration: @@ -135,4 +135,4 @@ To learn more, see an overview of [FCI with SQL Server on Azure VMs](failover-cl For additional information, see: - [Windows cluster technologies](/windows-server/failover-clustering/failover-clustering-overview) -- [SQL Server failover cluster instances](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server) +- [SQL Server failover cluster instances](/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server) \ No newline at end of file diff --git a/azure-sql/virtual-machines/windows/performance-guidelines-best-practices.md b/azure-sql/virtual-machines/windows/performance-guidelines-best-practices.md index 2926c03b1c5..0e6ef7f3ee7 100644 
--- a/azure-sql/virtual-machines/windows/performance-guidelines-best-practices.md +++ b/azure-sql/virtual-machines/windows/performance-guidelines-best-practices.md @@ -37,7 +37,7 @@ The following is a quick checklist for optimal performance of SQL Server on Azur | Area | Optimizations | | --- | --- | -| [VM size](#vm-size-guidance) | - Use VM sizes with 4 or more vCPU like the [Standard_M8-4ms](/azure/virtual-machines/m-series), the [E4ds_v4](../../../virtual-machines/edv4-edsv4-series.md#edv4-series), or the [DS12_v2](../../../virtual-machines/dv2-dsv2-series-memory.md#dsv2-series-11-15) or higher.

- Use [memory optimized](../../../virtual-machines/sizes-memory.md) virtual machine sizes for the best performance of SQL Server workloads.

- The [DSv2 11-15](../../../virtual-machines/dv2-dsv2-series-memory.md), [Edsv4](../../../virtual-machines/edv4-edsv4-series.md) series, the [M-](/azure/virtual-machines/m-series), and the [Mv2-](../../../virtual-machines/mv2-series.md) series offer the optimal memory-to-vCore ratio required for OLTP workloads. Both M series VMs offer the highest memory-to-vCore ratio required for mission critical workloads and is also ideal for data warehouse workloads.

- A higher memory-to-vCore ratio may be required for mission critical and data warehouse workloads.

- Leverage the Azure Virtual Machine marketplace images as the SQL Server settings and storage options are configured for optimal SQL Server performance.

- Collect the target workload's performance characteristics and use them to determine the appropriate VM size for your business.| +| [VM size](#vm-size-guidance) | - Use VM sizes with 4 or more vCPU like the [Standard_M8-4ms](../../../virtual-machines/m-series.md), the [E4ds_v4](../../../virtual-machines/edv4-edsv4-series.md#edv4-series), or the [DS12_v2](../../../virtual-machines/dv2-dsv2-series-memory.md#dsv2-series-11-15) or higher.

- Use [memory optimized](../../../virtual-machines/sizes-memory.md) virtual machine sizes for the best performance of SQL Server workloads.

- The [DSv2 11-15](../../../virtual-machines/dv2-dsv2-series-memory.md), [Edsv4](../../../virtual-machines/edv4-edsv4-series.md) series, the [M-](../../../virtual-machines/m-series.md), and the [Mv2-](../../../virtual-machines/mv2-series.md) series offer the optimal memory-to-vCore ratio required for OLTP workloads. Both M series VMs offer the highest memory-to-vCore ratio required for mission critical workloads and is also ideal for data warehouse workloads.

- A higher memory-to-vCore ratio may be required for mission critical and data warehouse workloads.

- Leverage the Azure Virtual Machine marketplace images as the SQL Server settings and storage options are configured for optimal SQL Server performance.

- Collect the target workload's performance characteristics and use them to determine the appropriate VM size for your business.| | [Storage](#storage-guidance) | - For detailed testing of SQL Server performance on Azure Virtual Machines with TPC-E and TPC_C benchmarks, refer to the blog [Optimize OLTP performance](https://techcommunity.microsoft.com/t5/SQL-Server/Optimize-OLTP-Performance-with-SQL-Server-on-Azure-VM/ba-p/916794).

- Use [premium SSDs](https://techcommunity.microsoft.com/t5/SQL-Server/Optimize-OLTP-Performance-with-SQL-Server-on-Azure-VM/ba-p/916794) for the best price/performance advantages. Configure [Read only cache](../../../virtual-machines/premium-storage-performance.md#disk-caching) for data files and no cache for the log file.

- Use [Ultra Disks](../../../virtual-machines/disks-types.md#ultra-disk) if less than 1-ms storage latencies are required by the workload. See [migrate to ultra disk](storage-migrate-to-ultradisk.md) to learn more.

- Collect the storage latency requirements for SQL Server data, log, and Temp DB files by [monitoring the application](../../../virtual-machines/premium-storage-performance.md#application-performance-requirements-checklist) before choosing the disk type. If < 1-ms storage latencies are required, then use Ultra Disks, otherwise use premium SSD. If low latencies are only required for the log file and not for data files, then [provision the Ultra Disk](../../../virtual-machines/disks-enable-ultra-ssd.md) at required IOPS and throughput levels only for the log File.

- Standard storage is only recommended for development and test purposes or for backup files and should not be used for production workloads.

- Keep the [storage account](../../../storage/common/storage-account-create.md) and SQL Server VM in the same region.

- Disable Azure [geo-redundant storage](../../../storage/common/storage-redundancy.md) (geo-replication) on the storage account. | | [Disks](#disks-guidance) | - Use a minimum of 2 [premium SSD disks](../../../virtual-machines/disks-types.md#premium-ssd) (1 for log file and 1 for data files).

- For workloads requiring < 1-ms IO latencies, enable write accelerator for M series and consider using Ultra SSD disks for Es and DS series.

- Enable [read only caching](../../../virtual-machines/premium-storage-performance.md#disk-caching) on the disk(s) hosting the data files.

- Add an additional 20% premium IOPS/throughput capacity than your workload requires when [configuring storage for SQL Server data, log, and TempDB files](storage-configuration.md)

- Avoid using operating system or temporary disks for database storage or logging.

- Do not enable caching on disk(s) hosting the log file. **Important**: Stop the SQL Server service when changing the cache settings for an Azure Virtual Machines disk.

- Stripe multiple Azure data disks to get increased storage throughput.

- Format with documented allocation sizes.

- Place TempDB on the local SSD `D:\` drive for mission critical SQL Server workloads (after choosing correct VM size). If you create the VM from the Azure portal or Azure quickstart templates and [place Temp DB on the Local Disk](https://techcommunity.microsoft.com/t5/SQL-Server/Announcing-Performance-Optimized-Storage-Configuration-for-SQL/ba-p/891583), then you do not need any further action; for all other cases follow the steps in the blog for [Using SSDs to store TempDB](https://cloudblogs.microsoft.com/sqlserver/2014/09/25/using-ssds-in-azure-vms-to-store-sql-server-TempDB-and-buffer-pool-extensions/) to prevent failures after restarts. If the capacity of the local drive is not enough for your Temp DB size, then place Temp DB on a storage pool [striped](../../../virtual-machines/premium-storage-performance.md) on premium SSD disks with [read-only caching](../../../virtual-machines/premium-storage-performance.md#disk-caching). | | [I/O](#io-guidance) |- Enable database page compression.

- Enable instant file initialization for data files.

- Limit autogrowth of the database.

- Disable autoshrink of the database.

- Move all databases to data disks, including system databases.

- Move SQL Server error log and trace file directories to data disks.

- Configure default backup and database file locations.

- [Enable locked pages in memory](/sql/database-engine/configure-windows/enable-the-lock-pages-in-memory-option-windows).

- Evaluate and apply the [latest cumulative updates](/sql/database-engine/install-windows/latest-updates-for-microsoft-sql-server) for the installed version of SQL Server. | @@ -77,11 +77,11 @@ The [memory optimized virtual machine sizes](../../../virtual-machines/sizes-mem #### M and Mv2 series -The [M-series](/azure/virtual-machines/m-series) offers vCore counts and memory for some of the largest SQL Server workloads. +The [M-series](../../../virtual-machines/m-series.md) offers vCore counts and memory for some of the largest SQL Server workloads. The [Mv2-series](../../../virtual-machines/mv2-series.md) has the highest vCore counts and memory and is recommended for mission critical and data warehouse workloads. Mv2-series instances are memory optimized VM sizes providing unparalleled computational performance to support large in-memory databases and workloads with a high memory-to-CPU ratio that is perfect for relational database servers, large caches, and in-memory analytics. -The [Standard_M64ms](/azure/virtual-machines/m-series) has a 28 memory-to-vCore ratio for example. +The [Standard_M64ms](../../../virtual-machines/m-series.md) has a 28 memory-to-vCore ratio for example. Some of the features of the M and Mv2-series attractive for SQL Server performance include [premium storage](../../../virtual-machines/premium-storage-performance.md) and [premium storage caching](../../../virtual-machines/premium-storage-performance.md#disk-caching) support, [ultra-disk](../../../virtual-machines/disks-enable-ultra-ssd.md) support, and [write acceleration](../../../virtual-machines/how-to-enable-write-accelerator.md). 
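Review bot: In the added Standard_M64ms line of the @@ -77 hunk, "has a 28 memory-to-vCore ratio for example" gives a bare number with no unit and an awkward trailing "for example". Suggest stating the unit the ratio is measured in and rewording to something like "For example, the Standard_M64ms has a memory-to-vCore ratio of 28". Both M-series links in this hunk now resolve to the same `m-series.md` page with no anchor, which is fine, but the link text "Standard_M64ms" implies a size-specific target that the page may not offer.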
@@ -187,7 +187,7 @@ The vCPU count can be constrained to one-half to one-quarter of the original VM These new VM sizes have a suffix that specifies the number of active vCPUs to make them easier to identify. -For example, the [M64-32ms](../../../virtual-machines/constrained-vcpu.md) requires licensing only 32 SQL Server vCores with the memory, IO, and throughput of the [M64ms](/azure/virtual-machines/m-series) and the [M64-16ms](../../../virtual-machines/constrained-vcpu.md) requires licensing only 16 vCores. Though while the [M64-16ms](../../../virtual-machines/constrained-vcpu.md) has a quarter of the SQL Server licensing cost of the M64ms, the compute cost of the virtual machine will be the same. +For example, the [M64-32ms](../../../virtual-machines/constrained-vcpu.md) requires licensing only 32 SQL Server vCores with the memory, IO, and throughput of the [M64ms](../../../virtual-machines/m-series.md) and the [M64-16ms](../../../virtual-machines/constrained-vcpu.md) requires licensing only 16 vCores. Though while the [M64-16ms](../../../virtual-machines/constrained-vcpu.md) has a quarter of the SQL Server licensing cost of the M64ms, the compute cost of the virtual machine will be the same. > [!NOTE] > - Medium to large data warehouse workloads may still benefit from [constrained vCore VMs](../../../virtual-machines/constrained-vcpu.md), but data warehouse workloads are commonly characterized by fewer users and processes addressing larger amounts of data through query plans that run in parallel. 
@@ -407,4 +407,4 @@ The following PerfMon counters can help validate the compute health of a SQL Ser For security best practices, see [Security considerations for SQL Server on Azure Virtual Machines](security-considerations-best-practices.md). -Review other SQL Server Virtual Machine articles at [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md). +Review other SQL Server Virtual Machine articles at [SQL Server on Azure Virtual Machines Overview](sql-server-on-azure-vm-iaas-what-is-overview.md). If you have questions about SQL Server virtual machines, see the [Frequently Asked Questions](frequently-asked-questions-faq.md). \ No newline at end of file diff --git a/azure-sql/virtual-machines/windows/ways-to-connect-to-sql.md b/azure-sql/virtual-machines/windows/ways-to-connect-to-sql.md index c4ca5dda977..18d14863acd 100644 --- a/azure-sql/virtual-machines/windows/ways-to-connect-to-sql.md +++ b/azure-sql/virtual-machines/windows/ways-to-connect-to-sql.md 
@@ -78,7 +78,7 @@ When you choose **Private** for the **SQL connectivity** type in the portal, Azu > [!IMPORTANT] > The virtual machine images for the SQL Server Developer and Express editions do not automatically enable the TCP/IP protocol. For Developer and Express editions, you must use SQL Server Configuration Manager to [manually enable the TCP/IP protocol](#manualtcp) after creating the VM. -Private connectivity is often used in conjunction with a [virtual network](../../../virtual-network/virtual-networks-overview.md), which enables several scenarios. You can connect VMs in the same virtual network, even if those VMs exist in different resource groups. And with a [site-to-site VPN](../../../vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal.md), you can create a hybrid architecture that connects VMs with on-premises networks and machines. +Private connectivity is often used in conjunction with a [virtual network](../../../virtual-network/virtual-networks-overview.md), which enables several scenarios. You can connect VMs in the same virtual network, even if those VMs exist in different resource groups. And with a [site-to-site VPN](../../../vpn-gateway/tutorial-site-to-site-portal.md), you can create a hybrid architecture that connects VMs with on-premises networks and machines. Virtual networks also enable you to join your Azure VMs to a domain. This is the only way to use Windows authentication to SQL Server. The other connection scenarios require SQL authentication with user names and passwords.
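Review bot: In the `@@ -77,11 +77,11 @@` hunk, the rewritten line "The [Standard_M64ms](../../../virtual-machines/m-series.md) has a 28 memory-to-vCore ratio for example." gives the ratio without a unit and trails off on "for example". Since the line is already being changed for the link, reword it to lead with "For example," and state what the 28 measures. The two link conversions from `/azure/virtual-machines/m-series` to `../../../virtual-machines/m-series.md` match the relative style of the neighbouring `mv2-series.md` link and look fine.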
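Review bot: In the `@@ -187,7 +187,7 @@` hunk, the replaced line still opens its second sentence with "Though while the [M64-16ms]...", which doubles the conjunction. Drop one of the two words while the line is being touched. The first sentence also joins the M64-32ms and M64-16ms licensing claims with a bare "and", which is hard to parse next to the inline links; splitting it into two sentences would help. The link change itself is consistent with the other `m-series.md` conversions in this patch.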
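Review bot: In the `@@ -407,4 +407,4 @@` hunk, the removed and added lines carry the same visible text, and the added line is followed by "\ No newline at end of file", so the only effect visible here is that the file now ends without a trailing newline. If that is not intended, restore the final newline so this hunk drops out of the patch. If the real difference is whitespace within the line, say so in the commit message.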
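Review bot: In the `@@ -78,7 +78,7 @@` hunk of `ways-to-connect-to-sql.md`, the site-to-site VPN link is not an absolute-to-relative conversion like the rest of the patch; it swaps one relative target, `vpn-gateway-howto-site-to-site-resource-manager-portal.md`, for a different file, `tutorial-site-to-site-portal.md`. Nothing in the visible diff shows that the new file exists or that the old one was renamed, so confirm the target resolves before merging and note the rename in the commit message.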