Tips for Hosting Your Kentico Sites in Azure SQL Database

If you’re using Kentico in Azure, then you probably have seen a lot of options in your portal for your SQL database. Azure SQL Database, Microsoft’s SaaS database option, is a fantastic tool that gives you nearly unlimited SQL computing power and capability. But what about all those security options and performance recommendations it shows you? In this article, I’m going to cover a few of the key features of Azure’s SQL Database to help you get the most out of cloud-hosted Kentico sites.

Over the years, I’ve gotten a lot of questions about Kentico and Azure. From web hosting to database tuning, everyone wants to know how to get their site running as optimally as possible. With a data breach being announced every day, security is also at the forefront of most developers’ minds. In this blog, I’m going to answer some Azure SQL Database FAQs around performance and security that I’ve gotten recently to help you get things secure and your Kentico sites running smoothly.

NOTE

Before you make any changes to your Azure SQL Database, always take a backup! Additionally, you should create a copy of your database and implement any modifications in a non-production environment to ensure compatibility.

Transparent Data Encryption (TDE)

Let’s start with the easiest option. Transparent Data Encryption (TDE) is a real-time I/O encryption process that locks down data and log files. This is done by using a server-side certificate to encrypt the database files as they are created and maintained. For Azure SQL Database, this means using a built-in server certificate, unique to each server. The best part is that TDE is enabled by default on your Azure SQL Database. This means you get this protection without any effort, helping you be sure your files are secure.

In the Azure Portal, click on the Transparent Data Encryption tab to see the setting.

Because TDE is “automatic”, you won’t need to do anything to take advantage of this functionality in your Kentico sites. The encryption is on the file level, so all your site data will stay the same.

Read more about TDE in Azure SQL Database

Dynamic Data Masking

With so much emphasis being placed on security, ensuring that users’ data is locked down is paramount. While the simplest plan is to remove the data, it’s not always possible. If you have to store it, it would be great to mask any sensitive information from the wrong eyes. Dynamic Data Masking does just that, by allowing you to remove the ability to view specific fields when they are retrieved from the database.

With Dynamic Data Masking, the data stays intact in the database. When a query is run, DDM manipulates the retrieved data and applies a mask, using the template you select. Depending on the type of data, there may be several options for masking the information to prevent unauthorized access.

In the Azure Portal, select the Dynamic Data Masking tab. The UI will load fields it identified as possible sensitive information. You can also load additional fields by expanding the list. Select the desired field and click ADD MASK.

Once you add a data mask, you can update the configuration to change the format.

Like TDE, Dynamic Data Masking does not change the data, but rather manipulates it when it’s retrieved from the database. This means it should have little impact on your Kentico sites, as long as viewing this information in its original state is not critical to your functionality.

NOTE

By default, all SQL Database admin logins do not have Dynamic Data Masking applied. If you wish to use this feature, you will need to create a new login for your database and update your connection string.
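The masking behaviour and the admin-login caveat above, as an added T-SQL example that is not part of the original article. The table `dbo.DemoContact`, its columns and the user `ddm_demo_reader` are constructed for illustration; run it in a non-production copy of the database.

```sql
-- Added example (T-SQL, Azure SQL Database). All object names are constructed.
CREATE TABLE dbo.DemoContact (
    ContactID INT IDENTITY(1,1) PRIMARY KEY,
    FullName  NVARCHAR(100) NOT NULL,
    Email     NVARCHAR(254) NULL,
    Phone     NVARCHAR(20)  NULL
);
INSERT INTO dbo.DemoContact (FullName, Email, Phone)
VALUES (N'Constructed Person', N'person@example.com', N'555-010-1234');

-- T-SQL counterpart of ADD MASK in the portal: the stored value is unchanged,
-- only the result set is masked for principals without UNMASK.
ALTER TABLE dbo.DemoContact
    ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.DemoContact
    ALTER COLUMN Phone ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)');

-- Admin-level principals always see clear text, so test as a non-admin user.
-- For a real site, create the user WITH PASSWORD or FROM LOGIN and put it
-- in the connection string instead of the server admin login.
CREATE USER ddm_demo_reader WITHOUT LOGIN;
GRANT SELECT ON dbo.DemoContact TO ddm_demo_reader;

EXECUTE AS USER = 'ddm_demo_reader';
SELECT FullName, Email, Phone FROM dbo.DemoContact;  -- masked for this user
REVERT;
SELECT FullName, Email, Phone FROM dbo.DemoContact;  -- clear text on an admin connection

-- Audit 1: which columns carry a mask, and with which function.
SELECT OBJECT_SCHEMA_NAME(mc.object_id) AS schema_name,
       OBJECT_NAME(mc.object_id)        AS table_name,
       mc.name                          AS column_name,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- Audit 2: explicit UNMASK grants (db_owner members bypass masks without one).
SELECT pr.name AS principal_name, pe.state_desc, pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = N'UNMASK';

-- Clean up the constructed objects.
DROP USER ddm_demo_reader;
DROP TABLE dbo.DemoContact;
```

If the account in the Kentico connection string is the server admin or a member of db_owner, the first SELECT pattern never applies to it and the masks have no effect on what the site reads.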

Read more about Dynamic Data Masking

Performance

Of all the questions I’ve gotten, the most common have been around performance. When developers move their applications to the cloud and experience performance issues, they seem to have trouble understanding the cause. Azure SQL Database has a number of tools to help you diagnose the issue and understand what is happening within your implementation.

In the Azure Portal, select the Query Performance Insight tab to see an overview of your database performance. This utility displays your DTU utilization, metrics on resource consumption, as well as long-running queries. With this information, you can identify what database calls are causing the most performance degradation.

With the information you get from Query Performance Insight, you should be able to determine what is causing your slowdowns and tune your Kentico site accordingly. It may mean updating your web parts with optimal configurations, reducing the number of queries per page, and making better use of caching. You can also use the KInspector utility to identify potential problem areas and improve performance.
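Query Performance Insight depends on Query Store data, which can also be queried directly. The following T-SQL is an added example, not part of the original article; the 24-hour window and the top-10 cut-off are arbitrary choices.

```sql
-- Added example: top 10 queries by total CPU over the last 24 hours,
-- read from the Query Store catalog views (times are stored in microseconds).
SELECT TOP (10)
       q.query_id,
       SUM(rs.count_executions)                            AS executions,
       SUM(rs.avg_cpu_time * rs.count_executions) / 1000.0 AS total_cpu_ms,
       SUM(rs.avg_duration * rs.count_executions) / 1000.0 AS total_duration_ms,
       SUM(rs.avg_logical_io_reads * rs.count_executions)  AS total_logical_reads,
       -- first 200 characters are enough to recognise the statement
       MAX(CAST(LEFT(qt.query_sql_text, 200) AS NVARCHAR(200))) AS query_text_start
FROM sys.query_store_runtime_stats          AS rs
JOIN sys.query_store_runtime_stats_interval AS i
  ON i.runtime_stats_interval_id = rs.runtime_stats_interval_id
JOIN sys.query_store_plan                   AS p
  ON p.plan_id = rs.plan_id
JOIN sys.query_store_query                  AS q
  ON q.query_id = p.query_id
JOIN sys.query_store_query_text             AS qt
  ON qt.query_text_id = q.query_text_id
WHERE i.start_time >= DATEADD(HOUR, -24, SYSDATETIMEOFFSET())
GROUP BY q.query_id
ORDER BY total_cpu_ms DESC;
```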

Read more about Azure SQL Database Query Performance Insights

Automatic Tuning

In addition to performance insights, Azure SQL Database offers the ability to automatically tune your database. By using ML and AI, Azure SQL Database can identify potential improvements to your database and its configuration. This can include index creation, index deletion, and real-time monitoring. By using historical analysis, Azure can automatically apply updates to your database as needed, eliminating the need for human intervention. All changes are then monitored for effectiveness, rolling back if necessary.

In the Azure Portal, click the Performance recommendations tab. This will list any recommended performance improvements to the system.

If desired, you can opt to have Azure automatically apply any identified recommendations.

For your Kentico sites, this is one area where you have to decide whether to implement the feature. Because Azure will create/delete indexes as it needs, this can introduce changes into your database and its functionality. You will need to consult a DBA for their stamp of approval, as incorrect indexes can drastically reduce the performance of any system. If you implement Automatic Tuning, I highly recommend constant monitoring of your application to ensure it is performing optimally and the automatic changes are effective.
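One way to keep that decision explicit and auditable from T-SQL, as an added example that is not part of the original article. Leaving `DROP_INDEX` off is an assumption about what a cautious DBA might approve, not a recommendation from the article.

```sql
-- Added example (T-SQL, Azure SQL Database).
-- 1. What is configured, what is actually in effect, and why they differ.
SELECT name, desired_state_desc, actual_state_desc, reason_desc
FROM sys.database_automatic_tuning_options;

-- 2. Assumed conservative choice: allow plan correction and index creation,
--    but keep index drops a manual, reviewed change.
ALTER DATABASE CURRENT
SET AUTOMATIC_TUNING (FORCE_LAST_GOOD_PLAN = ON,
                      CREATE_INDEX = ON,
                      DROP_INDEX = OFF);

-- 3. Which indexes were created by automatic tuning rather than by a person
--    or a deployment script, so they can be reviewed.
SELECT OBJECT_SCHEMA_NAME(i.object_id) AS schema_name,
       OBJECT_NAME(i.object_id)        AS table_name,
       i.name                          AS index_name,
       i.type_desc
FROM sys.indexes AS i
WHERE i.auto_created = 1
ORDER BY schema_name, table_name, index_name;
```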

Read more about Automatic Tuning

Threat Detection

Thanks to recent announcements of data breaches and vulnerabilities, security should be at the front of every developer’s mind. Add to that the upcoming GDPR deadline, and you’re probably starting to get pretty nervous. Proper planning can help you understand and minimize the exposure of your data; however, you are still susceptible to attack. Azure SQL Database helps you out with its Threat Protection functionality.

This functionality provides a real-time monitoring solution for abnormal activities, potential vulnerabilities, and malicious attacks. This allows you to know when attacks happen, and helps you minimize their impact and potential. This feature allows you to customize the types of alerts you receive, and who should get them.

In your Azure Portal, click Auditing & Threat Detection. This UI will display your current status, along with your alert settings.

Clicking the Threat Detection types link allows you to configure which types you want to be alerted about.

For your Kentico sites, Threat Detection will not introduce any modifications. It is a service that runs in parallel with your database and does not modify any data. This means you can use this feature without any changes to your system and all your data will stay intact.

NOTE

Azure Threat Detection is an add-on service. Be sure you understand the costs before implementing!

Read more about Threat Detection

Vulnerability

While Threat Detection tells you when an attack is happening, it would be better to know where your system is weak before it ever happens. Azure SQL Database offers a Vulnerability Assessment to help you diagnose and evaluate your database security. By viewing your security settings and data configuration, the Vulnerability Assessment can help you ensure your system is secure and conforms to regulations and standards, and can help you prevent potential security issues.

In the Azure Portal, click the Vulnerability Assessment link to start the assessment. Once complete, you will see a report of the potential security issues.

The Vulnerability Assessment does not make any modifications to your system or data. This means there is no impact to your Kentico sites or its functionality. The tool is a great way to evaluate your system and prevent future security problems.

If the report does indicate any modifications to your system, be sure to evaluate them and test the results in a non-production environment before fully implementing them.

Read more about Vulnerability Assessment

Wrapping up

When hosting your database in Azure SQL Database, there’s a lot to consider. Several factors can impact your performance and scalability. Hopefully, this blog gives you a good idea how to implement your Azure-hosted Kentico sites better. Performance is never a fire-once-and-forget situation. You will always need to monitor your application and respond to changes in functionality, data, and size, as needed. With Azure SQL Database, you have a ton of great tools to help you with the process and ensure your databases are running great. Good luck!

Bryan Soltis

Hello. I am a Technical Evangelist here at Kentico and will be helping the technical community by providing guidance and best practices for all areas of the product. I might also do some karaoke. We'll see how the night goes...