I am currently trying to build a C++ application that sends request to SQL SERVER using odbc library.
By following this link:
https://github.com/MicrosoftDocs/sql-docs/blob/live/docs/connect/odbc/using-azure-active-directory.md
I am able to establish connection to the SQL SERVER using an Azure service principal with client secret.
I want to know if there is any way to connect to the SQL SERVER using an Azure service principal with a certificate (and not a client secret).
Many thanks.
Related
I have application stack consisting of three services in AWS ECS. I have been planning to implement service mesh using AWS App Mesh. I have followed the following instructions to setup the mTLS for my services.
https://awscloudfeed.com/whats-new/security/how-to-use-acm-private-ca-for-enabling-mtls-in-aws-app-mesh
Using the technique mentioned on the blog I was able to setup the mTLS and communication is working fine from virtual gateway to services.
But when one of the service tries to access another service it fails to make connection. Services are built using NodeJS and one service(let's say A) use request library to call service B. From my understanding of the service mesh, the TLS session initiation should start from the envoy proxy of Service A and terminate in the envoy proxy of Service B. In this case I should have used the service discovery url of the Service B (eg. http://serviceb.example.com) when calling it from the serivce A. While doing so, I get ECONNRESET error with message socket hangup. And while using https protocol (eg https://serviceb.example.com) I get ECONNRESET error with message of TLS error.
But if I disable the client certificate requirement for the service B, I am able to access it from service A with https protocol. Does this mean that if i need to set the mtls in appmesh, i will need to load the client certificate through the application itself? I think the request should have gone through without issue as client certificate is provided through the backed client configuration.
Can you help me understand how app mesh mTLS work and if I am missing something while configuring the app mesh?
Thank You
I have a server available at AWS and the client is asking to connect to their MariaDB database remotely which is available on their server that is accessible via VPN.
So, how is it possible to connect to a remote database from the web application hosted on my AWS server?
Thanks in advance.
As I came to know that cloud proxy uses the public IP in the background. So how safe is it to use cloud proxy and what is the background process and how safe it is if we are using public IP in google cloud.
If you use a PaaS-based client application, most likely it has an ephemeral IP address. In this situation, restricting access based on the range of source IP addresses may be ineffective.
In such a case using Cloud SQL Proxy is optimal. As with many services that use public IP address, Google Cloud Proxy protects traffic in public networks by encryption. Traffic between the proxy client and the proxy server process is passed through the secure tunnel encrypted using AES cipher.
Apart from that, The SQL Proxy requires authentication and uses IAM to restrict access to the SQL instance.
You can find more information in the documentation:
Cloud SQL > Doc > MySQL > Connecting to Cloud SQL from external applications
Cloud SQL > Doc > MySQL > About the Cloud SQL Proxy:
The Cloud SQL Proxy provides secure access to your instances
without the need for authorized networks or for configuring SSL. The
proxy automatically encrypts traffic to and from the database
using TLS 1.2 with a 128-bit AES cipher; SSL certificates are used to
verify client and server identities.
The proxy uses a secure
tunnel to communicate with its companion process running on the SQL
server.
The proxy requires authentication. When you use a service
account to provide the credentials for the proxy, you must create it
with sufficient permissions: a role that includes the
cloudsql.instances.connect permission.
Cloud SQL > Doc > MySQL > Connecting from App Engine standard environment to Cloud SQL:
App Engine provides a mechanism that connects using the Cloud SQL
Proxy.
Once correctly configured, you can connect your service to
your Cloud SQL instance's unix domain socket using the format:
/cloudsql/INSTANCE_CONNECTION_NAME.
These connections are
automatically encrypted without any additional configuration.
Also, you may configure your systems so that use Private IP as described here:
Cloud SQL > Doc > MySQL > Private IP
Backstory(but possibly can be skipped): The other day, I finished connecting to MySQL full SSL from a Cloud Run service without really doing any SSL cert stuff which was great!!! Just click 'only allow SSL' in GCP and click 'generate server certs', allow my Cloud Run service to have access to database instance, swap out tcp socket factory with google's factory and set some props and it worked which was great!
PROBLEM:
NOW, I am trying to figure out the secure Google Cloud Run service to Cloud Run service security and reading
https://cloud.google.com/run/docs/authenticating/service-to-service
which has us requesting a token over HTTP??? Why is this not over HTTPS? Is communication from my Docker container to the token service actually encrypted?
Can I communicate HTTP to HTTP between two Cloud Run services and it will be encrypted?
thanks,
Dean
From https://cloud.google.com/compute/docs/storing-retrieving-metadata#is_metadata_information_secure:
When you make a request to get information from the metadata server, your request and the subsequent metadata response never leave the physical host that is running the virtual machine instance.
The traffic from your container to the metadata server at http://metadata/ stays entirely within your project and thus SSL is not required, there is no opportunity for it to be intercepted.
Independent Azure Web job is not able to connect to SQL Server hosted in an Azure VM.
But we are able to connect to the same SQL SERVER from our local computers.
Error details :
The underlying provider failed on Open.
The job failed with exception :
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 0 - No such host is known.)
Is the webjob able to connect to the SQL DB hosted in Azure VM now? Also, is the Azure VM hosted in west Europe? If yes, you might have received a message on the Azure portal and Service Health Dashboard (banner).