Post on 20-Jan-2018
Page 1
Overview of SQL Azure
Jeff Chu | 2010-6-25
Page 2
Agenda
• Service Review
• SQL Azure Architecture & Workflows
• Service Resilience
• Service Monitoring
• Attack Vectors/Security considerations
• Wrap up
Page 3
Review – Conceptual model
• Subscription
  – Used to map service usage to the billing instrument
  – Users may have many subscriptions
• Logical Server
  – Akin to SQL Server Instance
  – Unit of Geo-Location & Billing
  – 1:1 Subscription & server
• User Database
  – Restricted T-SQL surface area
  – Additional catalog views provided e.g. sys.billing, sys.firewall_rules, etc
Page 4
SQL Azure Database
Customer Value Props
• Self-provisioning and capacity on demand
• Symmetry w/ on-premises database platform
• Automatic high-availability and fault-tolerance
• Automated DB maintenance (infrastructure)
• Simple, flexible pricing – “pay as you grow”
[Diagram: access paths into SQL Azure Database. Labels: Browser; MS Datacenter; SOAP/REST, HTTP/S; SQL Azure Database (Windows Azure Compute); Windows Azure Compute; App Code (ASP.NET); T-SQL (TDS); SQL Server Reporting Server (on-premises); Astoria/REST - EDM, HTTP/S; AD Federation (LiveId / .Net Svcs ACS).]
Relational database service
• SQL Server technology foundation
• Highly symmetrical
• Highly scaled
Database “as a Service” – beyond hosting
Page 5
SQL Azure Network Topology
[Diagram labels: Application; Internet; Azure Cloud; LB; TDS (tcp) links; Security Boundary; a row of Gateway nodes; a row of SQL nodes.]
• Applications use standard SQL client libraries: ODBC, ADO.Net, PHP, …
• Load balancer forwards ‘sticky’ sessions to TDS protocol tier
• Gateway: TDS protocol gateway, enforces AUTHN/AUTHZ policy; proxy to CloudDB
• Scalability and Availability: Fabric, Failover, Replication, and Load balancing
Page 6
TDS Gateway
• TDS Listener
  – Capability negotiation
  – TDS Packet inspection
  – Security
• Logical->Physical mapping via metadata catalog
• Enabler for multi-tenant capabilities
• Isolation layer
Page 7
TDS Gateway Layering
[Diagram: layers of the Gateway Process. Labels: TDS Endpoint; AdminSvc Endpoint; Provisioning Endpoint; Protocol Parser; Business Logic Services; Connection Mgmt; a row of SQL nodes; Scalability and Availability: Fabric, Failover, Replication, and Load balancing.]
Page 8
Provisioning
• Subscription
  – Coordinated across all Azure services
  – Executed in parallel w/retries
• Server
  – May occur between data centers
  – Point where Geo-location is established
• Database
  – Always occurs within a single data center
  – Cross node operations executed during this process e.g. add new db to sys.databases on the master
Page 9
Server Provisioning
• Driven by administrator Portal
• Provision request is sent to Gateway
  – Metadata catalog entry created
  – DNS record (CNAME) created within LiveDNS service
  – Master DB created
• On completion metadata catalog updated
Page 10
SQL Azure Server Provisioning
[Diagram: numbered steps 1 to 7 within a Datacenter (Sub-Region). Labels: Customer Browser; Portal LB; Front-end Nodes running Admin Portal; Gateway LB; Front-end Nodes running Gateway; Live DNS Cluster (Live DNS Svc); Backend Nodes, each with Mgmt. Services, SQL Server and Fabric.]
Page 11
Database Provisioning
• Gateway performs stateful TDS packet inspection
  – Picks out subset of messages
  – Parses out args for create database
• Makes entry into Gateway metadata catalog
• Unused replica set located and reserved
• Replica set (UserDB) is prepped for use
• Metadata catalog is updated
Page 12
SQL Azure Database provisioning
[Diagram: numbered steps 1 to 8. Labels: TDS Gateway on a Front-end Node (Protocol Parser, Gateway Logic); Master Cluster; Master Node (Master Node Components); TDS Session; Backend Nodes 1, 2 and 3, each a SQL Instance with a SQL DB; Scalability and Availability: Fabric, Failover, Replication, and Load balancing.]
Page 13
SQL Azure Login Process
• Login request arrives at the Gateway
• Gateway locates MasterDb & UserDb replica sets
• Credentials are validated against MasterDb
• TDS session is opened to UserDB and requests are forwarded
Page 14
SQL Azure Login Process
[Diagram: numbered steps 1 to 8. Labels: TDS Gateway on a Front-end Node (Protocol Parser, Gateway Logic); Global Partition Map; Master Node (Master Node Components); TDS Session; Backend Nodes 1, 2 and 3, each a SQL Instance with a SQL DB; Scalability and Availability: Fabric, Failover, Replication, and Load balancing.]
Page 15
Service Resilience
• Provisioning
  – State machines used to coordinate activities across node (and datacenter) boundaries
  – Failed provisioning attempts cleaned automatically after 10 minutes
• Login
  – Failovers during the login will be transparent (<30 seconds)
  – Metadata catalog refresh occurs automatically
• Active Session
  – Surface as connection drops (due to state)
Page 16
Monitoring Service Health
• Metrics
  – Cluster wide performance counters gather key metrics on the service
  – Used to alert Operations to issues before they become a problem
    • Early warning system
    • Code issues
    • Capacity warnings
• Health
  – Exercises the service routinely looking for problems
  – When issues are encountered runs deep diagnostics
    • Network connectivity at the node level
    • Validate all dependent services (Live DNS, Live ID, etc)
• Monitoring from other MSFT DCs
  – Validates accessibility from multiple geographic locations
  – Alerts fired automatically when test jobs fail
Page 17
Security/Attack Considerations
• Service
  – Secure channel required (SSL)
  – Denial Of Service trend tracking
  – Packet Inspection
• Server
  – IP allow list (Firewall)
  – Idle connection culling
  – Generated server names
• Database
  – Disallow the most commonly attacked user IDs (SA, Admin, root, guest, etc)
  – Standard SQL Authn/Authz mode
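The admission checks from the Login Process and Security/Attack Considerations slides, modelled as an added Python example (not code from the deck or from SQL Azure). The order of the checks, applying the reserved-name rule at login time, the `LogicalServer` fields, the PBKDF2 credential store and the sample catalog are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Login names the slide lists as disallowed (its "etc" is not expanded here).
RESERVED_LOGINS = {"sa", "admin", "root", "guest"}

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class LogicalServer:  # constructed stand-in for a metadata-catalog entry
    firewall_rules: list  # [(start_ip, end_ip)] allow-list ranges
    master_logins: dict   # login -> (salt, hash); stands in for MasterDb
    user_dbs: dict        # logical database name -> physical replica set id

def ip_allowed(rules, client_ip):
    ip = ipaddress.ip_address(client_ip)
    for lo, hi in rules:
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if ip.version == lo.version == hi.version and lo <= ip <= hi:
            return True
    return False

def gateway_login(catalog, server, database, login, password, client_ip, encrypted):
    """Return (decision, detail); detail is for the service log, not the client."""
    if not encrypted:
        return ("reject", "secure channel required")
    entry = catalog.get(server)
    if entry is None:
        return ("reject", "unknown server")
    if not ip_allowed(entry.firewall_rules, client_ip):
        return ("reject", "client IP not in allow list")
    if login.lower() in RESERVED_LOGINS:
        return ("reject", "reserved login name")
    salt, stored = entry.master_logins.get(login, (b"\0" * 16, b""))
    if not hmac.compare_digest(pw_hash(password, salt), stored):
        return ("reject", "bad credentials")
    replica = entry.user_dbs.get(database)  # logical -> physical mapping
    if replica is None:
        return ("reject", "unknown database")
    return ("forward", replica)  # TDS session opens to this UserDb replica set

# Constructed sample catalog (server name, IP range and login are made up).
_SALT = b"constructed-salt"
CATALOG = {"srv-example01": LogicalServer(
    firewall_rules=[("203.0.113.10", "203.0.113.20")],
    master_logins={"appuser": (_SALT, pw_hash("correct horse", _SALT))},
    user_dbs={"orders": "replica-set-7"})}
```

Every rejection happens at the gateway, so a blocked client never reaches a backend SQL node; that is the isolation-layer role the TDS Gateway slide describes.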
Page 18
Wrap Up
• Reviewed SQL Azure Architecture & Workflows
  – Provisioning (Server & DB)
  – Login
• Service Resilience & Health
  – Failure detection and correction
  – How we determine service health
• Security considerations
  – Attack vectors and mitigations
• Questions?
Page 19
What are your application’s requirements?
Storage and Transactional throughput
[Quadrant chart: horizontal axis Storage Requirements (Low to High); vertical axis Transactional Requirements (Low to High). Quadrant contents:]
• Single Database; No Partitioning
• Partitioned Data; Partitioning Based on Application Requirements (Storage)
• Partitioned Data; Partitioning based on Application Requirements (IOPS)
• Partitioned Data; Partitioning based on Application Requirements (IOPS, Storage or both)
Page 20
Getting Data Where You Need It
SQL Azure Data Sync Service
Benefits
• Scale-out read or read/write
• Geo replication of data
• Edge network data distribution
• Content delivery networks
[Diagram: a Sync Group of three SQL Azure databases.]
Page 21
SQL Azure Data Sync – Overview
[Diagram: a Sync Group of three SQL Azure databases, with Data Sync links to Offline-Capable Cached Mode Applications, On-Premises Applications, and Remote Offices & Retail Stores.]
SQL Azure Data Sync: http://azure.com
SQL Azure Data Sync Service: http://sqlazurelabs.com