
Commit 51d99b0

Merge pull request #275121 from GennadNY/gennadyk9076
changes
2 parents df4f0f6 + 2383c86 commit 51d99b0


2 files changed

+4
-1
lines changed


articles/postgresql/flexible-server/concepts-security.md

Lines changed: 2 additions & 0 deletions
@@ -235,6 +235,8 @@ For better security, it's a good practice to periodically rotate your admin pass
235235

236236
The [Salted Challenge Response Authentication Mechanism (SCRAM)](https://datatracker.ietf.org/doc/html/rfc5802) greatly improves the security of password-based user authentication by adding several key security features that prevent rainbow-table attacks, man-in-the-middle attacks, and stored password attacks, while also adding support for multiple hashing algorithms and passwords that contain non-ASCII characters.
237237

238+
In SCRAM authentication, the client participates in doing the encryption work in order to produce the proof of identity. SCRAM authentication therefore offloads some of the computation cost to its clients, which in most cases are application servers. Adopting SCRAM, in addition to stronger hash algorithm, therefore offers also protection against distributed denial-of-service (DDoS) attacks against PostgreSQL, by preventing a CPU overload of the server to compute password hashes.
239+
238240
If your [client driver supports SCRAM](https://wiki.postgresql.org/wiki/List_of_drivers) , you can **[setup access to Azure Database for PostgreSQL - Flexible Server using SCRAM](how-to-connect-scram.md)** as `scram-sha-256` vs. default `md5`.
239241

240242
### Reset administrator password
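Review bot: the added paragraph at 238+ misdescribes the mechanism and overstates the benefit. The client does no "encryption work"; per RFC 5802 (linked in the preceding paragraph) the client derives its proof with salted, iterated hashing and HMAC, so "encryption" should read "hashing". The DDoS claim does not follow from that: keeping the iteration cost on the client means enabling SCRAM does not add hash-computation cost on the server, but it does not stop an attacker from opening connections, and nothing in the paragraph shows the server's per-authentication work is lower than under the default `md5` that the next paragraph mentions. Suggest rewording the last sentence to something like "Adopting SCRAM with a stronger hash algorithm therefore keeps the cost of the iterated password hashing on the client rather than the server, so the server's CPU cost per authentication attempt stays low." Also "offers also protection" should be "also offers protection", and "in addition to stronger hash algorithm" needs an article.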

articles/postgresql/flexible-server/how-to-connect-scram.md

Lines changed: 2 additions & 1 deletion
@@ -20,7 +20,8 @@ Salted Challenge Response Authentication Mechanism (SCRAM) is a password-based m
2020
> [!NOTE]
2121
> To access an Azure Database for PostgreSQL flexible server instance using SCRAM method of authentication, your client libraries need to support SCRAM. Refer to the **[list of drivers](https://wiki.postgresql.org/wiki/List_of_drivers)** that support SCRAM.
2222
23-
23+
> [!NOTE]
24+
> SCRAM authentication imposes additional computational load on your application servers, which need to compute the client proof for each authentication. The performance overhead SCRAM introduces may be mitigated by limiting the number of connections in your application's connection pool (reducing chattiness in your application) or limiting the number of concurrent transactions that your client allows (chunkier transactions). Its recommended to test your workloads before migrating to SCRAM authentication.
2425
2526
## Configuring SCRAM authentication
2627
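Review bot: the mitigation advice in the note at 24+ does not match the cost it describes. The client proof is computed once per authentication, that is, once per new connection, so transactions on an already-open connection incur no SCRAM cost; "limiting the number of concurrent transactions" and "chunkier transactions" will not reduce it. What reduces it is connection reuse: a pool that keeps connections open instead of connecting per request, and avoiding pool churn (very short idle timeouts, aggressive recycling) that forces re-authentication. Suggest replacing the second sentence with something like "The overhead is paid once per connection, so it is best mitigated by reusing connections through a connection pool rather than opening a new connection for each request." Also "Its recommended" should be "It's recommended", and consider merging the two consecutive `> [!NOTE]` blocks (21 and 23+) into one, since both concern client-side prerequisites for SCRAM.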
