@BernieTheBernie said in Azure bites:
@Bulb Interesting idea, I might try it somewhen. Depends on 's preferences.
But I see a catch: my home IP address is dynamic, and I get a fresh address every night from the vast range of t-online IP addresses. That would mean that I'd have to open the firewall for every address or do a lot of rules.
Since it's “serverless”, you are sharing the server with a lot of people that access it from all over the place, so

- protection against DDoS is Microsoft's problem, and they already have some in place,
- so is addressing the server vulnerabilities, and
- you are only concerned with someone guessing your credentials.

The last point I'd address by using the Entra authentication. In Azure, you create a security group, set it as admin and disable non-Entra login.
In the .нет library you replace the credentials with Authentication=Active Directory Default[1] in the connection string and it will pick the login from anywhere it can—environment, managed identity, Visual Studio or az, so it basically just works. And the management studio supports the interactive login, so that works too. Only if you also need the sqlcmd tool, you need a magic incantation:
```bash
token_file=$(mktemp)
az account get-access-token --resource https://database.windows.net --query accessToken --output tsv | tr -d '\r\n' | iconv -f ascii -t utf-16le > "$token_file"
sqlcmd -G -P "$token_file" … # the other options…
```
(for Linux shell or Git Bash; I don't know PowerShell well enough to remember how to get the token in UTF-16 off the top of my head)
And then I wouldn't worry about just setting the firewall to the whole range or even just leaving it open altogether.
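
An added example, not part of the original post: the same token hand-off wrapped in shell functions that fail when `az` returns no token and delete the token file after `sqlcmd` exits, so the bearer token does not linger on disk. The function names `token_to_file` and `sqlcmd_entra` are hypothetical; the `az` and `sqlcmd` invocations are the ones quoted in the post.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Read an access token on stdin and write it to a private temp file in the
# form the post feeds to `sqlcmd -G -P`: UTF-16LE, no BOM, no line ending.
# Prints the file path; fails (and leaves no file behind) if the input is
# empty or not plain ASCII.
token_to_file() {
    local f
    f=$(mktemp) || return 1          # mktemp creates the file with mode 0600
    if ! tr -d '\r\n' | iconv -f ascii -t utf-16le > "$f" || [ ! -s "$f" ]; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# Fetch a token for Azure SQL with az (command taken from the post) and run
# sqlcmd with it. Extra sqlcmd options are passed through unchanged. The
# token file is removed whether sqlcmd succeeds or not.
sqlcmd_entra() {
    local token_file rc=0
    token_file=$(az account get-access-token \
            --resource https://database.windows.net \
            --query accessToken --output tsv | token_to_file) || {
        echo "no access token returned; is 'az login' done?" >&2
        return 1
    }
    sqlcmd -G -P "$token_file" "$@" || rc=$?
    rm -f "$token_file"
    return "$rc"
}
```

Source the file and call `sqlcmd_entra` with the remaining `sqlcmd` options as arguments.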