{"id":93304,"date":"2022-02-07T21:14:59","date_gmt":"2022-02-07T21:14:59","guid":{"rendered":"https:\/\/www.red-gate.com\/simple-talk\/?p=93304"},"modified":"2022-02-07T21:14:59","modified_gmt":"2022-02-07T21:14:59","slug":"eight-azure-sql-configurations-you-may-have-missed","status":"publish","type":"post","link":"https:\/\/www.red-gate.com\/simple-talk\/cloud\/azure\/eight-azure-sql-configurations-you-may-have-missed\/","title":{"rendered":"Eight Azure SQL configurations you may have missed"},"content":{"rendered":"<p>Azure SQL Database is Microsoft\u2019s Platform as a service (PaaS) offering for SQL Server. It eliminates hardware, virtual machine, and operating system management and has automatic tuning, high availability, auto-scale capabilities, high-performance options, and much more. It\u2019s easy to create an Azure SQL Server Database, but you may not know about best practices and some of the newer features. This article covers some of the essential configurations of <em>Azure SQL<\/em> you should be aware of. It explains some of the configurations or leaves you with links explaining the details of the more complex configurations.<\/p>\n<p>These are the items covered in this article:<\/p>\n<ul>\n<li><a href=\"#serverless\">Serverless is more than auto-pause<\/a><\/li>\n<li><a href=\"#azureservices\">You should not enable access to Azure Services on the Firewall<\/a><\/li>\n<li><a href=\"#databasefirewall\">You should not open firewall rules on the portal for database users<\/a><\/li>\n<li><a href=\"#secondarynode\">The secondary node is accessible on Business and Premium tiers<\/a><\/li>\n<li><a href=\"#routing\">Your Azure applications should not route packages through the public network<\/a><\/li>\n<li><a href=\"#firewall\">You can dismiss the firewall all together<\/a><\/li>\n<li><a href=\"#standard\">You should avoid SQL Standard security<\/a><\/li>\n<li><a href=\"#RSCI\">RCSI configuration ON by default<\/a><\/li>\n<\/ul>\n<h2>Once upon a time<\/h2>\n<p>Many of the items in this article are about Azure SQL Security. Years ago, before the cloud providers existed, organizations published sites from their own on-premises environments. Usually, an application server would be deployed in a virtual network called <em>DMZ<\/em>, protected by a firewall. This virtual network would be isolated from the rest of the company network by a second firewall, creating a level of isolation and making only the DMZ accessible from the internet.<\/p>\n<p>The SQL Server would be located inside the company network, outside the DMZ. The application server on the DMZ would be the only server which would have access to the SQL Server, creating a secure connection from the internet to the company data.<\/p>\n<p>Back when the technology was way more complex and difficult, we had all this security, so why would we think that provisioning an Azure SQL Database with a public endpoint in a cloud provider to be a good practice? Shouldn&#8217;t we change the defaults to make the security tighter like it was in the past?<\/p>\n<h2 id=\"serverless\">Serverless is more than auto-pause<\/h2>\n<p>The <em>Serverless<\/em> option in Azure SQL is well-known for the ability to pause the service when it&#8217;s not being used.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"863\" height=\"151\" class=\"wp-image-93305\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-auto-pause-delay-of-azure-sql.png\" alt=\"An image showing the auto-pause delay of Azure SQL Database serverless.\" \/><\/p>\n<p>However, this ability has many drawbacks:<\/p>\n<ul>\n<li>There is no way to trigger the pause. As a result, the pause will only happen after the server stays without any request for the entire time of the auto-pause delay. The auto-pause delay has the minimum value of 1 hour<\/li>\n<li>Several Azure features, such as <em>Azure SQL Defender<\/em>, will make calls to the serverless instance and prevent the serverless from getting into pause.<\/li>\n<li>Several features such as long-term backup retention and elastic jobs are not compatible with auto-pause.<\/li>\n<li>The serverless feature can be implemented only on the <em>vCore<\/em> mode. At the time of this writing, the cheapest <em>DTU<\/em> mode you can provision is \u20ac 5,00\/Month. The most affordable <em>vCore<\/em> mode you can implement is \u20ac200\/Month, besides the serverless, of course. The vCore cost of a serverless implementation is also a bit more expensive than other provisioning modes.<\/li>\n<\/ul>\n<p>All these details will make the auto-pause benefits limited, however, there is one additional configuration: The serverless provisioning is a flexible vCore model, and you can establishing a minimum and maximum vCore amount for the server. In fact, this configuration is enabled by default when you choose the Serverless provisioning.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"893\" height=\"165\" class=\"wp-image-93306\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-max-and-min-vcores-configurat.png\" alt=\"An image showing the Max and Min vCores configuration of serverless\" \/><\/p>\n<p>By doing so, the Azure SQL will have a flexible charge based on the number of vCores actually used between the minimum and maximum established. You can even leave the auto-pause turned on if you want to do so. Auto-scaling is a benefit not available to any other provisioning model.<\/p>\n<p>The image below shows an example of this. The subscription is always charged for minimum number of vCores (assuming that auto-pause is disabled) or the number of vCores used, saving money when the maximum number of vCores is not being used.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1232\" height=\"886\" class=\"wp-image-93307\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-cpu-active-inactive-and-paus.png\" alt=\"An image showing the CPU active, inactive and paused time periods of serverless.\" \/><\/p>\n<p>(Image from <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-sql\/database\/serverless-tier-overview\">Serverless compute tier &#8211; Azure SQL Database | Microsoft Docs<\/a>)<\/p>\n<p>Being able to scale up and scale down according to workload makes Serverless an attractive option when choosing your provisioning model. If you choose vCores, then you should consider Serverless with a minimum and maximum configuration.<\/p>\n<h2 id=\"azureservices\">You should not enable access to Azure Services on the Firewall<\/h2>\n<p>It&#8217;s easy and tempting to turn on the <em>Allow Azure services and resources to access this server <\/em>setting. You only need to enable it, and you will no longer have firewall problems with any Azure Service.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"404\" height=\"59\" class=\"wp-image-93308\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-allow-azure-services-and-res.png\" alt=\"An image showing the &quot;allow Azure services and resources to access this server&quot; setting.\" \/><\/p>\n<p>The problem is what most people ignore: The firewall will not be opened only to the services from your company. The firewall will be opened to any Azure services; it doesn&#8217;t matter to whom it belongs.<\/p>\n<p>One security layer will be completely removed from the Azure SQL when this option is enabled. Of course, you still have the authentication, but is this enough?<\/p>\n<h2 id=\"databasefirewall\">You should not open firewall rules on the portal for database users<\/h2>\n<p>The firewall configuration is a common need in Azure SQL configuration. However, many administrators ignore the fact there are two levels of firewall configuration: You can configure the firewall on the server level, or you can configure the firewall on the database level.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1224\" height=\"1312\" class=\"wp-image-93309\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-database-and-server-firewall-rule.png\" alt=\"An image showing database and server firewall rules.\" \/><\/p>\n<p>(Image from <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-sql\/database\/firewall-configure#:~:text=Use%20Transact-SQL%20to%20manage%20IP%20firewall%20rules%20,IP%20f%20...%20%202%20more%20rows%20\">IP firewall rules &#8211; Azure SQL Database and Azure Synapse Analytics | Microsoft Docs<\/a>)<\/p>\n<p>This happens because the UI in the portal can only configure the firewall at the server level. The firewall configuration on the database level needs to be done using T-SQL.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"256\" height=\"103\" class=\"wp-image-93310\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-security-menu-options-includi.png\" alt=\"An image showing the Security menu options including Firewalls and virtual networks.\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"671\" height=\"348\" class=\"wp-image-93311\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-firewall-rules-for-a-server.png\" alt=\"An image showing the firewall rules for a server \" \/><\/p>\n<p>A basic security rule is always to set the minimum permissions needed by a user. If you open the firewall on the server level, you are not following this rule. A more secure way to open the firewall for database users is to open the firewall only for the database, not on the server level.<\/p>\n<p>The statements below may be useful.<\/p>\n<h3>Creating a database firewall rule<\/h3>\n<pre class=\"lang:tsql theme:ssms2012-simple-talk\">EXECUTE sp_set_database_firewall_rule N'Example DB Rule','0.0.0.4','0.0.0.4';<\/pre>\n<h3>Listing database firewall rules<\/h3>\n<pre class=\"lang:tsql theme:ssms2012-simple-talk\">select * from sys.database_firewall_rules<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"711\" height=\"71\" class=\"wp-image-93312\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-results-the-query-to-find-fir.png\" alt=\"An image showing the results the query to find firewall rules\" \/><\/p>\n<h3>Delete a database firewall rule<\/h3>\n<pre class=\"lang:tsql theme:ssms2012-simple-talk\">EXECUTE sp_delete_database_firewall_rule N'Example DB Rule';<\/pre>\n<p>Once you adopt the practice of opening database firewall rules, the user connection needs to specify the database when connecting. Connections on the server level will not be accepted.<\/p>\n<p>Using <em>SSMS<\/em>, this configuration is not typical and can be found on the advanced connection settings.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"631\" height=\"639\" class=\"wp-image-93313\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-ssms-connecting-to-a-server-and-s.png\" alt=\"An image showing SSMS connecting to a server and specifying the database name.\" \/><\/p>\n<p>Application connection strings always contain the database name, so this is not a big difference.<\/p>\n<h3>References<\/h3>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-sql\/database\/firewall-configure\">Azure SQL Database and Azure Synapse IP firewall rules<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-sql\/database\/secure-database-tutorial\">Tutorial: Secure a database in Azure SQL Database<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-sql\/database\/network-access-controls-overview\">Azure SQL Database and Azure Synapse Analytics network access controls<\/a><\/li>\n<\/ul>\n<h2 id=\"secondarynode\">The secondary server is accessible on Business and Premium tiers<\/h2>\n<p>The <em>Read Scale-Out<\/em> of the <em>Business<\/em> or <em>Premium<\/em> tiers is a recent feature, but it\u2019s quite interesting. It\u2019s straightforward to set when provisioning the database.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"201\" height=\"56\" class=\"wp-image-93314\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-read-scale-out-setting.png\" alt=\"An image showing the Read Scale-out setting\" \/><\/p>\n<p>Microsoft uses the <em>Always On<\/em> feature in these tiers to ensure high availability. The image below illustrates how the failover is automatically implemented.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1031\" height=\"785\" class=\"wp-image-93315\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-always-on-ag-notes-with-failo.png\" alt=\"An image showing the Always On AG notes with Failover from Primary to Secondary\" \/><\/p>\n<p>Enabling <em>Read Scale-Out<\/em> to the secondary servers makes it possible to create a balance for your applications. Applications that need to write data to the database will connect to the primary server, while applications only reading data will connect to the secondary server.<\/p>\n<p>This connection is defined by the connection string of the application. The application only needs to specify the parameter <em>ApplicationIntent<\/em> on the connection string. <em>ApplicationIntent<\/em> can be defined as <em>ReadOnly<\/em> or <em>ReadWrite<\/em>. This single parameter will define if the connection will be made with the primary or the secondary server.<\/p>\n<p>You can test this feature using SSMS: Using the Advanced Options you can set the <em>ApplicationIntent<\/em> parameter to one of these values, make the connection to the server and identify the server you are connected to.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"632\" height=\"635\" class=\"wp-image-93316\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-applicationintent-readonly.png\" alt=\"An image showing the ApplicationIntent = Readonly option in the Connection dialog\" \/><\/p>\n<p>The following query will allow you to identify if you are connected to the primary or secondary server:<\/p>\n<pre class=\"lang:tsql theme:ssms2012-simple-talk\">SELECT DATABASEPROPERTYEX(DB_NAME(), 'Updateability');<\/pre>\n<h3>References<\/h3>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-sql\/database\/read-scale-out\">Use read-only replicas to offload read-only query workloads<\/a><\/li>\n<\/ul>\n<h2 id=\"routing\">Your azure applications should not route packages through the public network<\/h2>\n<p>Your Azure SQL is inside Azure (is there a more obvious statement than this one?).<\/p>\n<p>If the applications which will access your Azure SQL are also inside Azure, the communication between both should happen entirely inside Azure. This means the network packages exchanged between the application and the Azure SQL should flow entirely inside the Microsoft Network, never through public network.<\/p>\n<p>Once again, it appears obvious, but this is not the default behaviour. If you only &#8220;establish the connection&#8221; in the simplest way, the connection will be done through the public internet.<\/p>\n<p>The best way to identify if the connection is done through Microsoft Network or through public internet is the firewall: If the connection is blocked by the firewall or you need to open the firewall for the source IP&#8217;s, then the connection is crossing the public internet. When the connection is configured to be go through the Microsoft Network, the IP configurations of the firewall will be bypassed.<\/p>\n<p>For example, if a virtual machine on Azure shows the screen of the image below when connecting to Azure SQL, this means the communication between both will happen using public Ips.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"635\" height=\"384\" class=\"wp-image-93317\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-new-firewall-rule-dialog.png\" alt=\"An image showing the New Firewall Rule dialog\" \/><\/p>\n<p>The steps to ensure the communication through the Microsoft Network are:<\/p>\n<ul>\n<li>You need a virtual network<\/li>\n<li>You need to ensure your application is being executed inside this virtual network<\/li>\n<li>Create a service endpoint between your Azure SQL and your virtual network<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"765\" height=\"280\" class=\"wp-image-93318\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-service-endpoints.png\" alt=\"An image showing the Service endpoints\" \/><\/p>\n<ul>\n<li>On the Azure SQL Server, include permission for the virtual network to access the server<\/li>\n<\/ul>\n<h3>References<\/h3>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-network\/virtual-network-service-endpoints-overview\">Virtual Network Service Endpoints<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-sql\/database\/vnet-service-endpoint-rule-overview\">Use Virtual Network Service Endpoints and rules for servers in Azure SQL Database<\/a><\/li>\n<\/ul>\n<h3>Additional Details<\/h3>\n<p><strong>Your application is in a Virtual Machine:<\/strong> Virtual Machines already include a virtual network when they are provisioned, you only need to ensure the creation of the service link to your Azure SQL<\/p>\n<p><strong>PaaS:<\/strong> Each PaaS service in Azure has a different way to be included inside a virtual network. You need to verify the correct procedures for the PaaS you are using. However, this is a feature that may not be included on the lowest cost service levels available. That&#8217;s when you will need to decide to pay a bit more for the security or only ensure a good configuration of the firewall.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"570\" height=\"246\" class=\"wp-image-93319\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-configuration-for-the-outboun.png\" alt=\"An image showing the configuration for the Outbound Traffic\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"261\" class=\"wp-image-93320\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-options-for-configuring-netwo.png\" alt=\"An image showing the options for configuring networking for your app\" \/><\/p>\n<h2 id=\"firewall\">You can dismiss the Firewall all together<\/h2>\n<p>If you manage to configure all your applications to access Azure SQL from the Microsoft Network, either because the application is in the network or using network communication such as VPN connections, you can completely <em>Deny public network access<\/em> on Azure SQL.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"702\" height=\"351\" class=\"wp-image-93321\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-firewalls-and-virtual-network.png\" alt=\"AN image showing the Firewalls and virtual network for you server. Deny Public network access is highlighted.\" \/><\/p>\n<p>Once this change is complete, Azure SQL can only access the database from inside your company\u2019s virtual network on Azure or through VPN.<\/p>\n<p>The following configuration details are critical to this scenario:<\/p>\n<ul>\n<li>Service Endpoint doesn&#8217;t work because it&#8217;s intended to establish a route to a feature with public access enabled<\/li>\n<li>You need to create a Private Link on your virtual network<\/li>\n<li>Private Links are based on DNS zones. When a private link is created, a DNS Zone is created as well (except on custom scenarios).<\/li>\n<li>Peered virtual networks need to be configured to use the same DNS Zone for DNS resolution<\/li>\n<li>Gateway clients (such as VPN clients), need to be configured to redirect DNS resolutions to Azure DNS. This can be done in many ways.<\/li>\n<\/ul>\n<p>This configuration is similar to the one found on-premises: The database server will be completely private.<\/p>\n<h3>References<\/h3>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/private-link\/tutorial-private-endpoint-sql-portal\">Tutorial: Connect to an Azure SQL server using an Azure Private Endpoint &#8211; Azure portal<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/private-link\/private-endpoint-overview\">What is Azure Private Endpoint?<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/private-link\/private-endpoint-dns\">Azure Private Endpoint DNS configuration<\/a><\/li>\n<\/ul>\n<h2 id=\"standard\">You should avoid SQL Standard security<\/h2>\n<p>Although the SQL Standard authentication evolved a lot over the years, it&#8217;s still a simple login\/password authentication. Recently the Azure SQL team included features to allow limiting the authentication to Azure AD Authentication, preventing the use of SQL Standard Security.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"330\" class=\"wp-image-93322\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-where-to-require-azure-ad-authent.png\" alt=\"An image showing where to require Azure AD authentication only\" \/><\/p>\n<p>Besides the configuration itself, you can use policies to control the use of SQL Standard authentication and identify which servers have this configuration disabled, identifying which servers are not compliant with the company rules on an enterprise level.<\/p>\n<p>Here are some blogs I wrote about this subject:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.red-gate.com\/simple-talk\/blogs\/how-essential-are-azure-policies\/\">How Essential Are Azure Policies<\/a><\/li>\n<li><a href=\"https:\/\/www.red-gate.com\/simple-talk\/blogs\/azure-sql-tightening-the-security-using-integrated-authentication-only\/\">Azure SQL: Tightening the Security using Integrated Authentication only<\/a><\/li>\n<li><a href=\"https:\/\/www.red-gate.com\/simple-talk\/blogs\/azure-sql-enforcing-sql-authentication-type\/\">Azure SQL: Enforcing Azure AD Only Authentication<\/a><\/li>\n<\/ul>\n<h2 id=\"RSCI\">RCSI configuration is ON by default<\/h2>\n<p>SQL Server has many isolation levels to control the integrity of the data.<\/p>\n<p>However, in read-heavy applications, many developers have the terrible habit of using <em>NOLOCK<\/em> on all statements to avoid the contention of creating lock records on the server. The developers ignore the risk of incorrect results.<\/p>\n<p>Over the years, Microsoft created a solution for SQL Server: Two new isolation levels, <em>RCSI (Read Committed Snapshot Isolation) <\/em>and Snapshot Isolation; both also called optimistic isolation levels.<\/p>\n<p>RCSI is considered a special isolation level. It\u2019s different from the other isolation levels because RCSI is configured as a database property. There is no need to change the code. Every transaction that arrives on the server using Read Committed isolation (the default) is converted to Snapshot Isolation. I&#8217;m using quotes here because it&#8217;s not exactly Snapshot Isolation. RCSI has some differences from Snapshot Isolation, and that&#8217;s why they are considered two different isolation levels.<\/p>\n<p>The point is: Azure SQL uses RCSI by default. This is a big change for all existing applications. Any use of <code>NOLOCK<\/code> that you have in existing applications becomes useless and a problem for the application because it brings the usual issues of <code>NOLOCK<\/code> with no benefit, since the use of RCSI replaces all the possible benefits of <code>NOLOCK<\/code>.<\/p>\n<p>You can check this default on Azure SQL running the following query:<\/p>\n<pre class=\"lang:tsql theme:ssms2012-simple-talk\">select database_id,name,is_read_committed_snapshot_on\r\nfrom sys.databases<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"391\" height=\"93\" class=\"wp-image-93323\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2022\/02\/an-image-showing-the-results-of-checking-is_read_c.png\" alt=\"An image showing the results of checking is_read_committed_snapshot_on\" \/><\/p>\n<p>Migrating applications to Azure SQL and using RCSI are great opportunities to eliminate all <code>NOLOCKs<\/code> still found in your SQL code.<\/p>\n<h3>References<\/h3>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/dotnet\/framework\/data\/adonet\/sql\/snapshot-isolation-in-sql-server\">Snapshot Isolation in SQL Server<\/a><\/li>\n<li><a href=\"https:\/\/www.red-gate.com\/simple-talk\/databases\/sql-server\/t-sql-programming-sql-server\/row-versioning-concurrency-in-sql-server\/\">Row Versioning Concurrency in SQL Server<\/a><\/li>\n<\/ul>\n<h2>Summary<\/h2>\n<p>It\u2019s very easy to start developing applications using Azure SQL. After the initial development, as this article illustrated, Azure SQL has some secrets to help you improve performance and security.<\/p>\n<p>Developers may need the assistance of Solution Architects for the most complex steps, such as virtual networks, DNS, VPN<strong>,<\/strong> and Private Endpoint configuration. This highlights how the cloud requires all roles working together, as it was in the past, with on-premises environments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Azure SQL Database has been around for over ten years and is constantly evolving with new capabilities and options. Dennes Torres explains 8 features and best practices of Azure SQL Database.&hellip;<\/p>\n","protected":false},"author":50808,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[137091,53,143524],"tags":[126248],"coauthors":[6810],"class_list":["post-93304","post","type-post","status-publish","format-standard","hentry","category-azure","category-featured","category-sql-server","tag-azuremonitor"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/93304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/users\/50808"}],"replies":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/comments?post=93304"}],"version-history":[{"count":11,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/93304\/revisions"}],"predecessor-version":[{"id":93325,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/93304\/revisions\/93325"}],"wp:attachment":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media?parent=93304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/categories?post=93304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/tags?post=93304"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/coauthors?post=93304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}