1
Keeping Data Secure In Azure While Automatically Refreshing Power BI Datasets
Cornell A. Emile, Solution Architect
2
Presenter Information
Bahamian, father, serial entrepreneur, and passionate about data making a positive difference in people's lives
+20 years working with Data, Information
- Economist
- Statistician
- Database Administrator/Developer
- Enterprise Data Architect
- BI Consultant
- Full-Stack Solution Architect
3
Our Agenda
- Common Data Security Requirement
- Azure Networking
- Power BI Data Gateway
- Solution Overview
- Live Demo
- Wrap-up
- Q&A
4
Common Security Requirement
Design a solution that supports the development and automatic refreshing of Power BI dashboards/reports without directly exposing our data within SQL Server databases to the internet.
- How best to restrict the internet access to the data sources?
- How to maintain a list of whitelisted IPs?
- Can the solution work for SQL VM, SQL Managed Instance, SQL Database, Data Warehouse, and Azure Analysis Services data sources?
5
Azure Networking
Main Network Components:
- Virtual Networks (VNets) – private network in Azure
- Subnets – one or more segments of a VNet
- Service Endpoints – supports the access of platform services over private network
- Azure Firewalls – configure, manage and monitor traffic into and out of VNet
- Network Security Groups – similar to Azure Firewalls but lacks advanced functionality
- Azure Data Center IP Ranges – IPs used by Azure services
6
Power BI Data Gateways
Used to connect the Power BI Service to various types of on-premises data sources.
Two types of data gateways:
- On-premises data gateway (Personal Mode)
  - Supports: Data imports and scheduled refreshes
- On-premises data gateway (formerly Enterprise Mode)
  - Multiple admins/users
  - Power Platform
  - Gateway clusters
  - DirectQuery
  - Live Connections to Analysis Services
7
On-Premises Data Gateway
How it works
1. Query requests are sent to Azure Service Bus by the Gateway Cloud Service.
2. Data Gateway regularly checks the Azure Service Bus for query requests.
3. When a query request is found, the gateway uses stored credentials to connect and execute the query.
4. Query results payload is sent to data gateway and then handed back to Azure Service Bus.
5. Gateway Cloud Service retrieves the payload from the Azure Service Bus.

1. A query is created by the cloud service with the encrypted credentials for the on-premises data source. It's then sent to a queue for the gateway to process.
2. The gateway cloud service analyzes the query and pushes the request to the Azure Service Bus.
3. The on-premises data gateway polls the Azure Service Bus for pending requests.
4. The gateway gets the query, decrypts the credentials, and connects to the data sources with those credentials.
5. The gateway sends the query to the data source for execution.
6. The results are sent from the data source, back to the gateway, and then onto the cloud service and your server.
8
Solution Overview: SQL VM
- Create VNet and subnet.
- Use Azure Firewall and/or Network Security Group (NSG) to:
  - Allow outbound traffic to endpoints needed by Power BI Data Gateway
  - Deny outbound traffic
- Add a VM (“Gateway VM”) to the subnet
  - Install Power BI Gateway, SSMS, and Power BI Desktop
- Add SQL VM to the subnet
- Use VPN Gateway to access the VNet and subnet
  - Site-to-Site VPN
  - Point-to-Site VPN
  - VNet-to-VNet
9
Solution Overview: SQL VM
10
Solution Overview: SQL VM
Goal: Allow outbound network traffic to endpoints needed by Power BI Data Gateway
- Whitelist IP ranges for the region that contains the Power BI account
Several methods available:
- Allow all outbound internet traffic
- Manually add the list of whitelisted IP ranges and deny all outbound internet traffic
- Use fully qualified domain names
  - Not supported by NSG
- Use service tags
  - Use NSG to deny all internet traffic (inbound and outbound) to the subnet and then…
  - Create NSG rules to allow Azure IP ranges needed with service tags.
  - Manually whitelist other IP destinations as needed.
11
Network Security Group – Default Rules
- Add outbound rules for the region that contains the Power BI account.
- Add outbound rules for any other Azure endpoints needed.
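
The service-tag method and the default rules above interact through rule priority, which the following added example models (it is not part of the original slides and is not Azure's own code). It assumes the rule field names used in `az network nsg rule list` output; the custom rule names, their priorities and the `EastUS` region are constructed, and destinations are described by the service tags that cover them rather than by IP prefixes.

```python
# Simplified model of NSG outbound evaluation: lowest priority number wins,
# first matching rule decides. Not Azure's implementation.

DEFAULT_OUTBOUND = [  # default outbound rules present in every NSG
    {"name": "AllowVnetOutBound", "priority": 65000, "access": "Allow",
     "destinationAddressPrefix": "VirtualNetwork"},
    {"name": "AllowInternetOutBound", "priority": 65001, "access": "Allow",
     "destinationAddressPrefix": "Internet"},
    {"name": "DenyAllOutBound", "priority": 65500, "access": "Deny",
     "destinationAddressPrefix": "*"},
]

# Constructed custom rules for the gateway subnet (names, priorities and the
# region are assumptions standing in for the Power BI account's region).
CUSTOM_OUTBOUND = [
    {"name": "Allow-ServiceBus-Region", "priority": 100, "access": "Allow",
     "destinationAddressPrefix": "ServiceBus.EastUS"},
    {"name": "Deny-Internet", "priority": 4000, "access": "Deny",
     "destinationAddressPrefix": "Internet"},
]

def evaluate(rules, dest_tags):
    """Return (access, rule name) of the first matching rule by ascending priority."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        prefix = rule["destinationAddressPrefix"]
        if prefix == "*" or prefix in dest_tags:
            return rule["access"], rule["name"]
    return "Deny", None

# Constructed destinations, each listed with the tags that cover it. The
# Internet tag also covers Azure-owned public addresses such as Service Bus.
SERVICE_BUS = {"ServiceBus.EastUS", "ServiceBus", "Internet"}
OTHER_PUBLIC_HOST = {"Internet"}
SQL_VM_IN_SUBNET = {"VirtualNetwork"}

if __name__ == "__main__":
    for label, rules in (("defaults only", DEFAULT_OUTBOUND),
                         ("with custom rules", CUSTOM_OUTBOUND + DEFAULT_OUTBOUND)):
        for dest, tags in (("service bus", SERVICE_BUS),
                           ("other public host", OTHER_PUBLIC_HOST),
                           ("sql vm", SQL_VM_IN_SUBNET)):
            print(f"{label:18} {dest:18} {evaluate(rules, tags)}")
```

With the defaults alone, any public host is reachable through `AllowInternetOutBound`; the custom deny only takes effect because its priority number is below 65001, and the service-tag allow only works because its number is below the deny's.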
12
Demo
- Walk through the solution in the Azure Portal
- Perform data refresh within Power BI portal
- View and update NSG rules
13
Azure SQL Database / SQL Data Warehouse / Managed SQL Instance
- Disable “Allow access to Azure services”
  - Not applicable for Managed SQL Instance
- Associate the database server to virtual network
  - Limit the database server access to the subnet within the virtual network
  - Set up VNet Service Endpoint for SQL
- Add a VM (“Gateway VM”) to the subnet
  - Install and configure the data gateway on the “Gateway VM”
- Use Azure Firewall and/or Network Security Group to restrict traffic into and out of subnet
- Use VPN Gateway to access the VNet and subnet
  - Site-to-Site VPN
  - Point-to-Site VPN
  - VNet-to-VNet
14
Solution Overview
15
Wrap-up: Azure Analysis Services
16
Wrap-up: Troubleshooting Issues
Tools:
- Power BI portal
- Netmon
- Power BI Data Gateway Diagnostic Logging
- Windows Event Viewer
Steps:
- Start with viewing error within the Power BI portal
- Turn on the Power BI Data Gateway Diagnostic Logging
- Review Diagnostic Logs
- Monitor the Power BI Data Gateway traffic
17
Q & A