1. SQL Azure provides a relational database as a service using a familiar SQL Server model that is built for the cloud with high availability and scale.
2. Provisioning of servers and databases in SQL Azure is coordinated across nodes and datacenters to create the resources and update metadata.
3. The SQL Azure architecture uses gateways, load balancers, and replication to provide transparent failover and ensure service resilience during operations like login and active sessions.
4. SQL Azure monitors service health and collects metrics to detect and address issues proactively through automated diagnostics and alerts. Security features like encryption, firewalls, and authentication help mitigate attack vectors.
1. Ing. Eduardo Castro, PhD
Comunidad Windows
ecastro@grupoasesor.net
http://ecastrom.blogspot.com
2. Service Review
SQL Azure Architecture & Workflows
Service Resilience
Service Monitoring
Attack Vectors/Security considerations
Wrap up
4. An illustration
[Figure: platform stack. Labels: .NET Services, SQL Azure; Windows Azure; Applications; Windows Server, Windows Vista/XP, Windows Mobile, Others]
5. Subscription
Used to map service usage to the billing instrument
Users may have many subscriptions
Logical Server
Akin to SQL Server Instance
Unit of Geo-Location & Billing
1:1 Subscription & server
User Database
Restricted T-SQL surface area
Additional catalog views provided e.g.
sys.billing, sys.firewall_rules, etc
6. A relational DB in the cloud
Relational database as a service
Highly available, automatically maintained
Extension of the SQL Server Data Platform
[Figure labels: SQL Azure Database, Data Hub, Others (Future); .NET Services, SQL Services, Live Services; Windows Azure; Applications; Windows Server, Windows Vista/XP, Windows Mobile, Others]
7. [Figure labels: Reference Data, Data Sync, Symmetric Programming Model, Data Hub, Aggregation]
• Initial services – core RDBMS capabilities with SQL Azure Database, Data Sync
• Future Offerings
• Additional data platform capabilities: Reporting, BI
• New services: Reference Data
8. Clear Feedback: “I want a database in the Cloud”
Familiar SQL Server relational model
Uses existing APIs & tools
Built for the Cloud with availability and scale
Accessible to all from PHP, Ruby, and Java
Focus on combining the best features of SQL Server
running at scale with low friction
9. [Figure: "SDS Current" evolves to "SDS Next".
SDS Current (REST/SOAP + ACE Model): Browser, Application, REST Client; HTTP and HTTP+REST from the cloud into the Windows Azure data center; Web App, REST Client.
SDS Next (TDS + TSQL Model): Browser, Application, REST Client, SQL Client* (ODBC, OLEDB, ADO.Net, PHP, Ruby, …); HTTP, HTTP+REST and TDS from the cloud into the Windows Azure data center; Web App, REST (Astoria), ADO.Net + EF, SQL Client*.]
* Client access enabled using TDS for ODBC, ADO.Net, OLEDB, PHP-SQL, Ruby, …
10. Applications use standard SQL client libraries: ODBC, ADO.Net, PHP, …
[Figure: Application -> Internet -> TDS (tcp) -> Azure Cloud security boundary -> LB -> TDS (tcp) -> Gateways -> TDS (tcp) -> SQL nodes]
Load balancer forwards 'sticky' sessions to TDS protocol tier
Gateway: TDS protocol gateway, enforces AUTHN/AUTHZ policy; proxy to CloudDB
Scalability and Availability: Fabric, Failover, Replication, and Load balancing
11. TDS Listener
Capability negotiation
TDS Packet inspection
Security
Logical->Physical mapping via metadata catalog
Enabler for multi-tenant capabilities
Isolation layer
12. Gateway Process
[Figure: Gateway process components. Labels: TDS Endpoint, AdminSvc Endpoint, Provisioning Endpoint; Protocol Parser; Business Logic Services; Connection Mgmt; SQL nodes]
Scalability and Availability: Fabric, Failover, Replication, and Load balancing
13. Subscription
Coordinated across all Azure services
Executed in parallel w/retries
Server
May occur between data centers
Point where Geo-location is established
Database
Always occurs within a single data center
Cross node operations executed during this
process e.g. add new db to sys.databases on the
master
14. Driven by administrator Portal
Provision request is sent to Gateway
Metadata catalog entry created
DNS record (CNAME) created within
LiveDNS service
Master DB created
On completion metadata catalog
updated
15. [Figure: numbered flow, steps 1-7. Labels: Customer Browser; Live DNS Svc, Live DNS Cluster; Datacenter (Sub-Region) with Portal LB and Gateway LB; Front-end Nodes running Admin Portal and Gateway; Backend Nodes, each with SQL Server, Mgmt. Services and Fabric]
16. Gateway performs stateful TDS packet inspection
Picks out subset of messages
Parses out args for create database
Makes entry into Gateway metadata catalog
Unused replica set located and reserved
Replica set (UserDB) is prepped for use
Metadata catalog is updated
17. [Figure: numbered flow, steps 1-8. Labels: TDS Gateway on a Front-end Node (TDS Session, Protocol Parser, Gateway Logic); Master Cluster (Master Node, Master Node Components); Backend Node 1, Backend Node 2, Backend Node 3, each with a SQL Instance and SQL DB]
Scalability and Availability: Fabric, Failover, Replication, and Load balancing
18. Login request arrives at the Gateway
Gateway locates MasterDb & UserDb
replica sets
Credentials are validated against MasterDb
TDS session is opened to UserDB and
requests are forwarded
19. [Figure: numbered flow, steps 1-8. Labels: TDS Gateway on a Front-end Node (TDS Session, Protocol Parser, Gateway Logic); Global Partition Map; Master Node, Master Node Components; Backend Node 1, Backend Node 2, Backend Node 3, each with a SQL Instance and SQL DB]
Scalability and Availability: Fabric, Failover, Replication, and Load balancing
20. Provisioning
State machines used to coordinate activities
across node (and datacenter) boundaries
Failed provisioning attempts cleaned automatically
after 10 minutes
Login
Failovers during the login will be transparent (<30
seconds)
Metadata catalog refresh occurs automatically
Active Session
Surface as connection drops (due to state)
21. Metrics
Cluster wide performance counters gather key metrics on
the service
Used to alert Operations to issues before they become a
problem
Early warning system
Code issues
Capacity warnings
Health
Exercises the service routinely looking for problems
When issues are encountered runs deep diagnostics
Network connectivity at the node level
Validate all dependent services (Live DNS, Live ID, etc)
Monitoring from other MSFT DC's
Validates accessibility from multiple geographic locations
Alerts fired automatically when test jobs fail
22. Service
Secure channel required (SSL)
Denial Of Service trend tracking
Packet Inspection
Server
IP allow list (Firewall)
Idle connection culling
Generated server names
Database
Disallow the most commonly attacked user id's
(SA, Admin, root, guest, etc)
Standard SQL Authn/Authz mode
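
The slide 22 mitigations that apply before credentials are checked (secure channel, IP allow list, disallowed user ids), sketched as an added example; this is not code from the presentation or from SQL Azure. The check order, the class and function names, and the sample rules are assumptions, and the denied-name set holds only the four names the slide spells out.

```python
import ipaddress
from dataclasses import dataclass

# Only the names slide 22 spells out; the slide's list ends with "etc".
DENIED_LOGINS = {"sa", "admin", "root", "guest"}

@dataclass(frozen=True)
class FirewallRule:          # hypothetical shape of one IP allow-list entry
    name: str
    start_ip: str
    end_ip: str

    def contains(self, addr: str) -> bool:
        ip = ipaddress.IPv4Address(addr)  # raises on malformed input
        lo = ipaddress.IPv4Address(self.start_ip)
        hi = ipaddress.IPv4Address(self.end_ip)
        return lo <= ip <= hi             # both ends inclusive

@dataclass(frozen=True)
class LoginAttempt:          # hypothetical view of an incoming login
    client_ip: str
    login: str
    encrypted: bool

# Constructed sample rules using documentation-only address ranges.
SAMPLE_RULES = [
    FirewallRule("office", "203.0.113.0", "203.0.113.255"),
    FirewallRule("build-agent", "198.51.100.7", "198.51.100.7"),
]

def admit(attempt: LoginAttempt, rules) -> tuple:
    """Pre-authentication checks; returns (allowed, reason)."""
    if not attempt.encrypted:
        return False, "secure channel required"
    try:
        rule = next((r for r in rules if r.contains(attempt.client_ip)), None)
    except ipaddress.AddressValueError:
        return False, "malformed client address"
    if rule is None:                      # default deny: no rule, no access
        return False, "client IP not in allow list"
    if attempt.login.strip().casefold() in DENIED_LOGINS:
        return False, "login name is disallowed"
    # Only now would credentials be validated (slide 18: against MasterDb).
    return True, "passed pre-auth checks via rule " + rule.name

if __name__ == "__main__":
    for a in (LoginAttempt("203.0.113.42", "appuser", True),
              LoginAttempt("203.0.113.42", "SA", True),
              LoginAttempt("192.0.2.10", "appuser", True)):
        print(a, "->", admit(a, SAMPLE_RULES))
```
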
23. Reviewed SQL Azure Architecture &
Workflows
Provisioning (Server & DB)
Login
Service Resilience & Health
Failure detection and correction
How we determine service health
Security considerations
Attack vectors and mitigations
Questions?