After you've provisioned a resource, you'll often need to configure it to meet the needs of your applications and environment. For example, you might need to set up network access or open a firewall port to enable your applications to connect to the resource. In this part, you'll learn how to enable network access to your resources and how you can prevent accidental exposure of your resources to third parties. You'll see how to use authentication and access control to protect the data managed by your resources.

Now, let's discuss how you can configure connectivity and firewalls. The default connectivity for Azure relational data services is to disable access to the world. Now we will look at how to configure connectivity to virtual networks and on-premises computers. To enable connectivity, use the Firewalls and virtual networks page for a service. From the database page in the Azure portal, select Connection security, and then configure the firewall rules and access to the Azure service.

It's important to note that an Azure virtual network is a representation of your own network in the cloud. A virtual network enables you to connect virtual machines and Microsoft Azure services together in much the same way that you might use a physical network on premises. Microsoft Azure ensures that each virtual network is isolated from other virtual networks created by other users and from the Internet. Microsoft Azure enables you to specify which machines, real and virtual, and services are allowed to access resources on the virtual network and which ports they can use.

In the virtual network section, you can specify which virtual networks are allowed to route traffic to the service. When you create items such as web applications and virtual machines, you can add them to a virtual network. If these applications and virtual machines require access to your resource, add the virtual network containing these items to the list of allowed networks.
If you need to connect to the service from an on-premises computer, add the IP address of the computer in the firewall section. This setting creates a firewall rule that allows traffic from that address to reach the service. The exception setting allows you to enable access to any other services that cannot be uniquely isolated through virtual network or IP address rules. An example is the Firewalls and virtual networks page for an Azure SQL database; MySQL and PostgreSQL have a similar page.

Azure SQL Database communicates over port 1433. If you're trying to connect from within a corporate network, outbound traffic over port 1433 might not be allowed by your network's firewall. If so, you can't connect to your Azure SQL Database server unless your IT department opens port 1433. It's important to note that a firewall rule of 0.0.0.0 enables all Azure services to pass through the server-level firewall rule in an attempt to connect to a single or pooled database through the server.

Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network. The service could be a Microsoft Azure service such as Azure App Service or your own Private Link service. For detailed information, read "What is Azure Private Endpoint?". There is a link to this document from the additional readings at the end of this lesson. The Private endpoint connections page for a service allows you to specify which private endpoints, if any, are permitted access to your service. You can use the settings on this page together with the Firewalls and virtual networks page to completely lock down users and applications from accessing public endpoints to connect to your Azure SQL Database account.

Let's talk about how you can configure authentication now.
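The firewall rules discussed above can be reviewed in bulk. The following is an added example, not part of the original lesson: it audits a list of server-level rules for the special 0.0.0.0 rule, internet-wide or broad ranges, and private addresses entered where a public egress address is needed. The rule names, the sample addresses and the `MAX_RANGE` threshold are constructed assumptions; the field names follow the JSON returned by `az sql server firewall-rule list`.

```python
import ipaddress

# Constructed sample, shaped like the JSON from `az sql server firewall-rule list`
# (name / startIpAddress / endIpAddress). Public addresses are documentation ranges.
SAMPLE_RULES = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "office-workstation", "startIpAddress": "203.0.113.25", "endIpAddress": "203.0.113.25"},
    {"name": "temp-debug", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    {"name": "vendor-range", "startIpAddress": "192.0.2.0", "endIpAddress": "192.0.2.255"},
    {"name": "dev-laptop", "startIpAddress": "192.168.1.20", "endIpAddress": "192.168.1.20"},
]

MAX_RANGE = 64  # assumed review threshold: larger ranges need a justification
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_rule(rule):
    """Return a list of finding codes for one server-level firewall rule."""
    start = int(ipaddress.IPv4Address(rule["startIpAddress"]))
    end = int(ipaddress.IPv4Address(rule["endIpAddress"]))
    if end < start:
        return ["INVALID_RANGE"]
    if start == 0 and end == 0:
        # The special 0.0.0.0 rule from the text: connections from all Azure
        # services, including other customers' subscriptions, pass the firewall.
        return ["ALLOWS_ALL_AZURE_SERVICES"]
    findings = []
    size = end - start + 1
    if size == 2**32:
        findings.append("OPEN_TO_INTERNET")
    elif size > MAX_RANGE:
        findings.append("BROAD_RANGE")
    # The public endpoint sees the client's public egress address, so a
    # private (RFC 1918) address in a rule will not match on-premises traffic.
    if any(ipaddress.IPv4Address(a) in net for a in (start, end) for net in RFC1918):
        findings.append("PRIVATE_ADDRESS")
    return findings


def audit(rules):
    """Map rule name -> findings, listing only the rules that need review."""
    report = {r["name"]: audit_rule(r) for r in rules}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(found)}")
```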
With Azure Active Directory authentication, you can centrally manage the identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management. You can use these identities and configure access to your relational data services. For detailed information on using Azure AD with Azure SQL Database, you can visit the page "What is Azure Active Directory authentication for SQL Database?" on the Microsoft website. You can also authenticate users connecting to Azure Database for PostgreSQL and Azure Database for MySQL with Azure AD. There is a link to these documents from the additional readings at the end of this lesson.

Azure AD enables you to specify who or what can access your resources. Access control defines what a user or application can do with your resources once they've been authenticated. Access management for cloud resources is a critical function for any organization that is using the cloud. Azure role-based access control, Azure RBAC, helps you manage who has access to Microsoft Azure resources and what they can do with those resources. For example, using RBAC, you could allow one user to manage virtual machines in a subscription and another user to manage virtual networks; allow a database administrator group to manage SQL databases in a subscription; allow a user to manage all resources in a resource group, such as virtual machines, websites and subnets; and allow an application to access all resources in a resource group.

You control access to resources using Azure RBAC by creating role assignments. A role assignment consists of three elements: a security principal, a role definition, and a scope. Let's look at these in a little more detail now. A security principal is an object that represents a user, group, service principal or managed identity that is requesting access to Microsoft Azure resources.
A role definition, often abbreviated to role, is a collection of permissions. A role definition lists the operations that can be performed, such as read, write and delete. Roles can be given high-level names like Owner or specific names like Virtual Machine Reader. Finally, a scope lists the set of resources that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope. This is helpful if, for example, you want to make someone a Website Contributor but only for one resource group.

Let's explore roles in a little more detail now. Microsoft Azure includes several built-in roles that you can use, including Owner, who has full access to all resources, including the right to delegate access to others; Contributor, who can create and manage all types of Microsoft Azure resources, but can't grant access to others; Reader, who can view existing Microsoft Azure resources; and User Access Administrator, which lets you manage user access to Microsoft Azure resources. You can also create your own custom roles. For detailed information, see "Create or update Azure custom roles using the Azure portal" on the Microsoft website. There is a link to this document from the additional readings at the end of this lesson.

You add assignments to a resource in the Microsoft Azure portal using the Access control (IAM) page. The Role assignments tab enables you to associate a role with the security or service principal and define the level of access. For more information, you can check out the page "Add or remove Azure role assignments using the Azure portal" on the Microsoft website. You can find a link to this document from the additional readings at the end of this lesson.

Apart from authentication and authorization, many services provide additional protection through advanced data security. Azure includes several built-in roles that you can use. Advanced data security implements threat protection and assessment.
Threat protection adds security intelligence to your service. This intelligence monitors the service and detects unusual patterns of activity that could be harmful or compromise the data managed by the service. Assessment identifies potential security vulnerabilities and recommends actions to mitigate them. You can access these from the Advanced data security page for SQL Database. It's worth noting that the corresponding pages for MySQL and PostgreSQL are similar.
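To make the three elements of a role assignment described earlier concrete, the following added example (not part of the original lesson, and not Azure's own implementation) evaluates whether a principal may perform an operation on a resource, given role definitions, assignments and scope inheritance. The role definitions are simplified subsets of the built-in roles, and the principal names, resource names and subscription ID are constructed placeholders; group membership is not modelled.

```python
from fnmatch import fnmatchcase

# Simplified role definitions (assumption: a subset of each built-in role).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
RG = SUB + "/resourceGroups/rg-data"
DB = RG + "/providers/Microsoft.Sql/servers/sql-demo/databases/orders"

# Each assignment = security principal + role definition + scope (constructed).
ASSIGNMENTS = [
    {"principal": "dba-group", "role": "Contributor", "scope": RG},
    {"principal": "report-app", "role": "Reader", "scope": DB},
    {"principal": "platform-admin", "role": "Owner", "scope": SUB},
]


def _matches(action, patterns):
    """Case-insensitive wildcard match of an operation against patterns."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def in_scope(resource_id, scope):
    """A scope covers itself and everything beneath it in the hierarchy."""
    r, s = resource_id.lower().rstrip("/"), scope.lower().rstrip("/")
    # Compare on a path boundary so rg-data does not also cover rg-data2.
    return r == s or r.startswith(s + "/")


def is_allowed(principal, action, resource_id, assignments=ASSIGNMENTS):
    """Permissions are additive: any one matching assignment grants access."""
    for a in assignments:
        role = ROLES[a["role"]]
        if (a["principal"] == principal
                and in_scope(resource_id, a["scope"])
                and _matches(action, role["actions"])
                and not _matches(action, role["not_actions"])):
            return True
    return False


if __name__ == "__main__":
    grant = "Microsoft.Authorization/roleAssignments/write"
    for who in ("dba-group", "report-app", "platform-admin"):
        print(who, "can grant access on DB:", is_allowed(who, grant, DB))
```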