Certify your solution for Azure SQL Database

In March 2016 Microsoft released the possibility to certify solutions based on Azure SQL Database. This is a great opportunity for an ISV to set a label on that the database created is built according to high security standards and build for premium workloads.

To certify your database you start by downloading a tool called Certification Test Tool for Azure SQL Database.

Connect to your database

First step is to connect to your database by entering the connection details to your database in Microsoft Azure. Note that you need to specify the server name with protocol and port and that the User ID is on the format user@servername.

 

 

To be able to connect to you SQL Database in Azure you will also need to add your client ip address to the firewall for the server in Azure. In this example I have added the range from 1.1.1.1 to 255.255.255.255. This is NOT a recommended solution for a production database since it exposes your database for very broad access from outside of Azure. If you don't want to open a port in the firewall you can run the test from a VM inside of Azure instead.

After connecting its time to to the actual testing.The test consists of two parts. One static analysis and one self assessment. I will not give any advice to what features to activate or what the implications of this will be but rather point to documentation on how to activate and what these features mean.

Static Tests

The static tests are executed against your actual database. This means that if you change something and execute the tests again you will get a different result.

Use Premium / Pools
SQL DB should either have at least 1 Premium database OR use Elastic Pool.

Azure SQL Database Service Tiers
https://azure.microsoft.com/en-us/documentation/articles/sql-database-service-tiers/

Azure Elastic Database Pools
https://azure.microsoft.com/en-us/documentation/articles/sql-database-elastic-pool/

Security
SQL DB should have at least 1 of the following enabled: TDE, DDM, RLS:

Transparent Data Encryption (TDE)
https://msdn.microsoft.com/library/dn948096.aspx

Dynamic Data Masking (DDM)
https://azure.microsoft.com/en-us/documentation/articles/sql-database-dynamic-data-masking-get-started/

Row Level Security (RLS)
https://azure.microsoft.com/en-us/documentation/articles/sql-database-elastic-tools-multi-tenant-row-level-security/

Assessment

Security: Is auditing enabled in your database?
https://azure.microsoft.com/en-us/documentation/articles/sql-database-auditing-get-started/

DR Drill: Is your SQL DB using Geo-replication OR have done 1 or more Geo-restores?
https://azure.microsoft.com/en-us/documentation/articles/sql-database-disaster-recovery/
If you start with a database running on a S-tier and with no security features activated the easiest way to get passed the certification is to scale to a P-level, add Dynamic Data Masking, enable auditing and go thru the process of doing a geo-restore.

Other requirements

As for all application certifications with Microsoft, the company owning the product needs to be a member of Microsoft Partner Network and the application that is to be certified needs to be listed in Pinpoint.