1. Home
  2. Training Library
  3. Cloud Migration
  4. Courses
  5. Implementing Azure SQL Databases

Security Database Services

Start course
1h 19m

This course explores how to plan and implement data platform resources specifically with regards to Azure SQL offerings. In particular, we will explore the benefits and features of the SQL PaaS offerings along with billing models, service tiers, and high availability options. We'll also cover migration scenarios and provide a demo that migrates a sample database from an on-premise SQL Server to an Azure SQL managed instance using DMS.

If you have any feedback relating to this course, feel free to contact us at support@cloudacademy.com.

Learning Objectives

  • Get a general understanding of Azure SQL databases
  • Learn how to deploy Azure SQL databases
  • Understand business continuity and security tie in with SQL databases
  • Learn how to scale, upgrade, and partition your databases
  • Learn how to migrate a database from an on-premise SQL Server to an Azure SQL instance

Intended Audience

  • Anyone who wants to learn about Azure SQL Offerings 
  • Those preparing for Microsoft’s DP-300 exam


To get the most out of this course, you have should a general understanding of the fundamentals of Microsoft Azure. Experience using databases — especially SQL Server — would also be beneficial.


Azure provides multiple layers of security, each dedicated to protecting different aspects of your database, but all working in unison to form a hardened protective shell. Network security is the outermost layer stopping uninvited users.

Access management enables you to specify who is allowed to access what data and what kind of access are permitted. Threat protection is a group of intelligent features that work to protect your data from known types of threats.

Information protection helps you to secure sensitive data from misuse or access by those who are not permitted to view all data. Network security will allow you to specify how your data is accessed. That is through a public IP address or privately via a virtual network.

Firewall rules can be set up at the server and database allowing you to grant access to specific IP addresses or address ranges.

Virtual network service endpoints, allow you to set up network security groups and restrict traffic based on predefined Azure tags. For example, the tech SQL represents Azure SQL database addresses while App Service is the tag for addresses in the Azure App Service domain.

Using network security groups, you can allow or deny access to resources or requests from a particular subnet.

Access management lets us leverage role-based access control to assign roles to users in much the same way as users are assigned to user groups. Within Azure SQL, we can use SQL authentication placing the user management burden on the server and database. Or Azure Active Directory authentication. Users are authenticated with AAD before allowing access to the database. Once authenticated, authorization specifies what actions are users permitted to carry out.

There are Azure roles like contributor, SQL contributor, and SQL security manager. While in the context of a database, there are predefined roles like DB owner, DB reader, and DB writer. You can create your own roles, give those roles permissions, and then assign users to the role. These roles combined with the ability to seek access permission on all database objects. gives the DBA a high degree of very fine control over what roles and by extension users, are permitted to access which information. 

Threat protection mechanisms analyze audit logs of database activity for suspicious behavior. Like SQL injection and brute force attacks. SQL auditing records database events to a log, either an Azure storage account, a log analytics workspace, or they can be sent to an event hub.

Logging database events can help with compliance and maintaining security standards. Once you enable threat detection, you can view anomalies and alerts in Azure Security Center.

Azure protection data while in transit and at rest. Transport Layer Security encrypts data while being transported from the server to client applications or other Azure resources. Transparent Data Encryption ensures data cannot be accessed from outside the database server. That is by reading the database files directly.

Encryption also applies to backup files. Transparent Data Encryption uses the AES algorithm. So it doesn't require any additional configuration by applications, administrators, developers or users. Dynamic data masking hides sensitive information like credit card data by masking it for non-privileged users.

Encryption keys are stored in Azure Key Vault protecting them from unauthorized access. You can use service generated keys or the option of managing your own keys. This brings us to the end of this section on securing your database.


Course Introduction - Azure SQL Databases Overview - Deployment Options - ARM Templates Deployment - DEMO: Deploying Azure SQL Databases - Business Continuity - Scale and Performance - DEMO: Scaling Azure SQL Databases - Partitioning Data - Migrating to Azure - Migration Scenarios - DEMO: DMS Azure SQL Database Migration Process - Upgrade Scenarios - Summary

About the Author
Learning Paths

Hallam is a software architect with over 20 years experience across a wide range of industries. He began his software career as a  Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.