How to Secure Azure Analysis Services and Azure Synapse?

Azure Analysis Services is a fully managed platform as a service (PaaS) that provides enterprise-grade data models in the cloud. Use advanced mashup and modeling features to combine data from multiple data sources, define metrics, and secure your data in a single, trusted tabular semantic data model. The data model provides an easier and faster way for users to perform ad hoc data analysis using tools like Power BI and Excel. In this blog I will focus on AAS communication with other services within Vnet or outside Vnet.

Let’s consider you have simple below architecture design:

Architecture Design

1. Data is pulled from Data Lake to SQL DW(now known as Azure Synapse) using Polybase and where the facts/dimensions are highly optimized
2. AAS models are refreshed
3. Data is consumed into reporting platforms

Now in this architecture we have 2 option either use AAS data gateway or allow access to azure services.

Option1:

SQL Data Warehouse when: “Allow Azure services and resources access this server” is set OFF

•        The traffic is between Microsoft backbone infrastructure (within the Vnet boundary) and never open to internet. This is achieved by adding service endpoint to the Vnet for SQL (Microsoft.Sql) which includes SQL Data Warehouse Databases also. By doing this databases will accept only communication from Vnet. Now in order to allow with on prem access next we need to add firewall on SQL Data Warehouse Server to allow only on-prem network +  Azure Vnet network access.

•        As AAS is outside the network and as AAS does not provide Vnet service endpoint security, configuring a firewall for this is not an option. So only the way it can communicate to the SQL DW is via a data gateway which provides secure data transfer from ASQL to AAS services.

•        This is the most secure way to manage access to SQL DW but with this our AAS refresh process is taking approximately twice more time and extra data gateway server need to manage/cost.

Option2:

SQL Data Warehouse when: “Allow Azure services and resources access this server” is set ON

•        By this it will avoid gateway and AAS can directly pull data from SQL DW and SQL DB

•        By using Allow Access to Azure services, anything running in Azure (VM, another PaaS service, etc)  from any subscription, including outside of tenant control, could connect to the DW if it had the right credentials

•        The firewall/endpoint setting will still be valid for the traffic outside Azure boundary

•        Communication between Azure services stays within the confines of Azure.  It does not traverse the internet

•        Data at Rest: The database, backups, etc. are encrypted using Transparent Data Encryption.  We can provide our own key here (not the default), Example RSA (with key size 2048) and key stored securely in key vault

•        Data in transit is encrypted using TLS security

•        On additional safeguard we can leverage a combination of auditing and Advanced Threat Protection (but this will charge extra 15 USD /month/server, It includes Data Discovery & Classification, Vulnerability Assessment and Advanced Threat Protection)

In both scenario we validated below Pros

1. Stability

We able to do full refresh big AAS database successfully every time

2. Reliability

We did count match for all table, no discrepancy found

3. Performance

If we remove gateway it will be faster refresh by almost 40-50%

Risk after removing AAS data gateway

'Allow Azure services and resources to access this server‘

•        When set to ON it allows communications from all resources inside the Azure boundary, that may or may not be part of your subscription

Mitigate Risk

•        IP based firewall to allow On-prem network access

•        AD authentication for Server

•        Start DW instance when needed only

•        Log Analytics to track the communication and alert

Below is the conclusion:

1.            As AAS does not provide Vnet service endpoint security, configuring a firewall for this is not an option.

2.            The most secure way to manage access to Sql DW and allow access to AAS is to leverage the Gateway.

3.            By using Allow Access to Azure services, anything running in Azure (VM, another PAAS service, etc) from any subscription, including outside of AD tenant control, could connect to the DW if it had the right credentials.

4.            Communication between Azure services stays within the confines of Azure.  It does not traverse the internet even if you enable Allow access to azure services.

5.            The database, backups, etc. are encrypted using Transparent Data Encryption.  You have the option of providing your own key.

6.            Data in transit is encrypted using TLS security.

7.            An additional safeguard is to leverage a combination of auditing and Advanced Threat Protection.