Securing the SQL DR lab environment

Published by Marco Obinu on

This article is part of a series describing the steps I used to implement a SQL Server DR scenario on Azure based on AlwaysOn Availability Groups.

Other parts are available here:

Environment implementation
Securing lab environment
Create an automation runbook to force a SQL Server AVG failover

As you may have noticed when deploying the lab environment, access to the VMs is gained via RDP connections to the domain controllers' public IPs.
In my opinion this approach can be enough for a lab environment if it is secured in some way via Network Security Groups; for a production environment it's safer to create a dedicated VM on a DMZ subnet, to be used as a bridge (jump) machine that connects you to the machines on the internal subnet, and to segregate its connectivity via a subnet-level NSG.

I didn't include NSG provisioning in the JSON template or in the PowerShell post-deployment script, so let's take care of it for our lab scenario by adding the NSGs from the Azure Portal.

Let's see the steps needed to implement a Network Security Group at NIC level that grants RDP access only from a specific remote endpoint. You must implement one NSG for each region, since an NSG can be associated only with NICs deployed in the same region.

Connect to the Azure Portal, and create a new Network Security Group inside your existing resource group:

Assign a name to the new NSG and start the deployment by clicking on the Create button:

Once deployed, choose it from your resources list, open its properties tab and then select the Inbound Security Rules section. Add a new security rule:

Define a new rule for the RDP protocol, entering your source IP address range (the /32 notation authorizes a single IP address):

Save the rule created before, and apply the NSG to the NIC associated with the DC:

Now you can just test it!
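The same steps in script form, using the Az PowerShell module (an added example, not code from the original post; the resource group, region, NIC name and admin IP are assumed placeholders to be replaced with your lab's values):

```powershell
# Added example: scripted equivalent of the portal steps above (Az PowerShell module).
# All names below are assumed placeholders; the admin IP is a constructed example.
$rg       = "sql-dr-lab-rg"      # assumed resource group name
$location = "westeurope"         # assumed region; remember: one NSG per region
$nsgName  = "nsg-dc-westeurope"  # assumed NSG name
$nicName  = "dc01-nic"           # assumed NIC name of the domain controller
$adminIp  = "203.0.113.10/32"    # constructed; /32 = exactly one source address

# 1. Inbound rule: allow RDP (TCP 3389) only from the admin workstation.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-From-Admin" `
    -Description "RDP to the DC only from the admin workstation" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $adminIp -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

# 2. Create the NSG in the same region as the NIC it will be attached to.
#    Azure adds its default rules automatically: AllowVnetInBound keeps traffic
#    between the lab VMs working, and DenyAllInBound (priority 65500) drops
#    everything else from the Internet, including RDP from any other address.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name $nsgName -SecurityRules $rdpRule

# 3. Associate the NSG with the DC's NIC.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# 4. Check (the VM must be running): list the effective inbound rules on the NIC.
#    The custom rule should be the only Allow for port 3389 from a non-VNet source.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rg |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.Direction -eq "Inbound" } |
    Select-Object Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Run the script once per region, pointing it at that region's DC NIC; a connection attempt from an address other than the one in the rule should now time out while the allowed one still works.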

Categories: IT, SQL Server

Marco Obinu

Curious by nature, talkative geek who can speak in front of a public or a camera, in love with technology, especially SQL Server. I want to understand how things work and to solve problems by myself during work as in my many hobbies.
