Merge pull request #107060 from MikeRayMSFT/20200309-auditing

megvanhuygen · web-flow · commit 82d867237a02 · 2020-03-19T16:39:34.000-07:00
Stage configure auditing.
diff --git a/articles/sql-database/create-auditing-storage-account-vnet-firewall.md b/articles/sql-database/create-auditing-storage-account-vnet-firewall.md
@@ -0,0 +1,139 @@
+---
+title: Audit to storage account behind VNet and firewall 
+description: Configure auditing to write database events on a storage account behind virtual network and firewall
+services: sql-database
+ms.service: sql-database
+ms.subservice: security
+ms.topic: conceptual
+author: DavidTrigano
+ms.author: datrigan
+ms.reviewer: vanto
+ms.date: 03/19/2020
+ms.custom: azure-synapse
+---
+# Write audit to a storage account behind VNet and firewall
+
+Auditing for [Azure SQL Database](sql-database-technical-overview.md) and [Azure Synapse Analytics](../sql-data-warehouse/sql-data-warehouse-overview-what-is.md) supports writing database events to an [Azure Storage account](../storage/common/storage-account-overview.md) behind a virtual network and firewall. 
+
+This article explains two ways to configure Azure SQL Server and Azure storage account for this option. The first uses the Azure portal, the second uses REST.
+
+### Background
+
+[Azure Virtual Network (VNet)](../virtual-network/virtual-networks-overview.md) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks. VNet is similar to a traditional network in your own data center, but brings with it additional benefits of Azure infrastructure such as scale, availability, and isolation.
+
+To learn more about the VNet concepts, Best practices and many more, see [What is Azure Virtual Network](../virtual-network/virtual-networks-overview.md).
+
+To learn more about how to create a virtual network, see [Quickstart: Create a virtual network using the Azure portal](../virtual-network/quick-create-portal.md).
+
+## Prerequisites
+
+For audit to write to a storage account behind a VNet or firewall, the following prerequisites are required:
+
+> [!div class="checklist"]
+> * A general-purpose v2 storage account. If you have a general-purpose v1 or blob storage account, [upgrade to a general-purpose v2 storage account](../storage/common/storage-account-upgrade.md). For more information, see [Types of storage accounts](../storage/common/storage-account-overview.md#types-of-storage-accounts).
+> * The storage account must be on the same subscription and at the same location as the Azure SQL Database server. 
+> * The Azure Storage account requires `Allow trusted Microsoft services to access this storage account`. Set this on the Storage Account **Firewalls and Virtual networks**.
+> * You must have `Microsoft.Authorization/roleAssignments/write` permission on the selected storage account. For more information, see [Azure built-in roles](../role-based-access-control/built-in-roles.md).
+
+## Configure in Azure portal
+
+Connect to [Azure portal](https://portal.azure.com) with your subscription. Navigate to the resource group and Azure SQL database server.
+
+1. Click on **Auditing** under the Security heading. Select **On**.
+
+2. Select **Storage**. Select the storage account where logs will be saved. The storage account must comply with the requirements listed in [Prerequisites](#prerequisites).
+
+3. Open **Storage details** 
+
+  > [!NOTE]
+  > If the selected Storage account is behind VNet, you will see the following message:
+  >
+  >`You have selected a storage account that is behind a firewall or in a virtual network. Using this storage: requires an Active Directory admin on the server; enables 'Allow trusted Microsoft services to access this storage account' on the storage account; and creates a server managed identity with 'storage blob data contributor' RBAC.`
+  >
+  >If you do not see this message, then storage account is not behind a VNet.
+
+4. Select the number of days for the retention period. Then click **OK**. Logs older than the retention period are deleted.
+
+5. Select **Save** on your auditing settings.
+
+You have successfully configured audit to write to a storage account behind a VNet or firewall. 
+
+## Configure with REST commands
+
+As an alternative to using the Azure portal, you can use REST commands to configure audit to write database events on a storage account behind a VNet and Firewall. 
+
+The sample scripts in this section require you to update the script before you run them. Replace the following values in the scripts:
+
+|Sample value|Sample description|
+|:-----|:-----|
+|`<subscriptionId>`| Azure subscription ID|
+|`<resource group>`| Resource group|
+|`<sql database server>`| Azure SQL database server name|
+|`<administrator login>`| SQL database administrator account |
+|`<complex password>`| Complex password for the administrator account|
+
+To configure SQL Audit to write events to a storage account behind a VNet or Firewall:
+
+1. Register your Azure SQL Database server with Azure Active Directory (Azure AD). Use either PowerShell or REST API.
+
+   **PowerShell**
+   
+   ```powershell
+   Connect-AzAccount
+   Select-AzSubscription -SubscriptionId <subscriptionId>
+   Set-AzSqlServer -ResourceGroupName <your resource group> -ServerName <sql database server> -AssignIdentity
+   ```
+   
+   [**REST API**](https://docs.microsoft.com/rest/api/sql/servers/createorupdate):
+
+   Sample request
+
+   ```html
+   PUT https://management.azure.com/subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.Sql/servers/<sql database server>?api-version=2015-05-01-preview
+   ```
+
+   Request body
+
+   ```json
+   {
+   "identity": {
+              "type": "SystemAssigned",
+              },
+   "properties": {
+     "fullyQualifiedDomainName": "<sql database server>.database.windows.net",
+     "administratorLogin": "<administrator login>",
+     "administratorLoginPassword": "<complex password>",
+     "version": "12.0",
+     "state": "Ready"
+   }
+   ```
+
+2. Open [Azure portal](https://portal.azure.com). Navigate to your storage account. Locate **Access Control (IAM)**, and click **Add role assignment**. Assign **Storage Blob Data Contributor** RBAC role to your Azure SQL Server hosting your Azure SQL database that you registered with Azure Active Directory (Azure AD) as in the previous step.
+
+   > [!NOTE]
+   > Only members with Owner privilege can perform this step. For various built-in roles for Azure resources, refer to [Azure built-in roles](../role-based-access-control/built-in-roles.md).
+
+3. Configure [Azure SQL server's blob auditing policy](/rest/api/sql/server%20auditing%20settings/createorupdate), without specifying a *storageAccountAccessKey*:
+
+   Sample request
+
+   ```html
+   PUT https://management.azure.com/subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.Sql/servers/<azure sql database server>?api-version=2017-03-01-preview
+   ```
+
+   Request body
+
+   ```json
+   {
+     "properties": {
+      "state": "Enabled",
+      "storageEndpoint": "https://<storage account>.blob.core.windows.net"
+     }
+   }
+   ```
+
+## Next steps
+
+- [Use PowerShell to create a virtual network service endpoint, and then a virtual network rule for Azure SQL Database.](sql-database-vnet-service-endpoint-rule-powershell.md)
+- [Virtual Network Rules: Operations with REST APIs](/rest/api/sql/virtualnetworkrules)
+- [Use virtual network service endpoints and rules for database servers](sql-database-vnet-service-endpoint-rule-overview.md)
diff --git a/articles/sql-database/sql-database-auditing.md b/articles/sql-database/sql-database-auditing.md
@@ -8,22 +8,23 @@ ms.topic: conceptual
 author: DavidTrigano
 ms.author: datrigan
 ms.reviewer: vanto
-ms.date: 02/11/2020
+ms.date: 03/19/2020
 ms.custom: azure-synapse
 ---
-# Get started with SQL database auditing
+# Azure SQL Auditing
 
-Auditing for Azure [SQL Database](sql-database-technical-overview.md)  and [Azure Synapse Analytics](../sql-data-warehouse/sql-data-warehouse-overview-what-is.md) tracks database events and writes them to an audit log in your Azure storage account, Log Analytics workspace or Event Hubs. Auditing also:
+Auditing for Azure [SQL Database](sql-database-technical-overview.md)  and [Azure Synapse Analytics](../sql-data-warehouse/sql-data-warehouse-overview-what-is.md) tracks database events and writes them to an audit log in your Azure storage account, Log Analytics workspace or Event Hubs. 
+
+Auditing also:
 
 - Helps you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
 
 - Enables and facilitates adherence to compliance standards, although it doesn't guarantee compliance. For more information about Azure programs that support standards compliance, see the [Azure Trust Center](https://gallery.technet.microsoft.com/Overview-of-Azure-c1be3942) where you can find the most current list of SQL Database compliance certifications.
 
-
 > [!NOTE] 
-> This topic applies to Azure SQL server, and to both SQL Database and Azure Synapse Analytics databases that are created on the Azure SQL server. For simplicity, SQL Database is used when referring to both SQL Database and Azure Synapse.
+> This topic applies to both Azure SQL Database, and Azure Synapse Analytics databases. For simplicity, SQL Database is used when referring to both Azure SQL Database and Azure Synapse Analytics.
 
-## <a id="subheading-1"></a>Azure SQL database auditing overview
+## <a id="subheading-1"></a>Overview
 
 You can use SQL database auditing to:
 
@@ -95,10 +96,14 @@ To configure writing audit logs to a storage account, select **Storage** and ope
 
    ![storage account](./media/sql-database-auditing-get-started/auditing_select_storage.png)
 
-To configure a storage account under a virtual network or firewall you will need an [Active Directory admin](https://docs.microsoft.com/azure/sql-database/sql-database-aad-authentication-configure?tabs=azure-powershell#provision-an-azure-active-directory-administrator-for-your-managed-instance) on the server, enable **Allow trusted Microsoft services to access this storage account** on the storage account. In addition, you need to have the 'Microsoft.Authorization/roleAssignments/write' permission on the selected storage account.
+To configure a storage account behind a virtual network or firewall you will need an [Active Directory admin](https://docs.microsoft.com/azure/sql-database/sql-database-aad-authentication-configure?tabs=azure-powershell#provision-an-azure-active-directory-administrator-for-your-managed-instance) on the server, enable **Allow trusted Microsoft services to access this storage account** on the storage account. In addition, you need to have the 'Microsoft.Authorization/roleAssignments/write' permission on the selected storage account.
 
 We recommend you to be [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator) in order to grant to the managed identity the role 'storage blob data contributor'. To learn more about permissions and role-based access control, see [What is role-based access control (RBAC) for Azure resources?](../role-based-access-control/overview.md) and [Add or remove role assignments using Azure RBAC and the Azure portal](../role-based-access-control/role-assignments-portal.md)
 
+#### Log audits to storage account behind VNet or firewall
+
+You can write audit logs to a an Azure Storage account behind a VNet or firewall. For specific instructions see, [Write audit to a storage account behind VNet and firewall](create-auditing-storage-account-vnet-firewall.md).
+
 ### <a id="audit-log-analytics-destination">Audit to Log Analytics destination</a>
   
 To configure writing audit logs to a Log Analytics workspace, select **Log Analytics (Preview)** and open **Log Analytics details**. Select or create the Log Analytics workspace where logs will be written and then click **OK**.
diff --git a/articles/sql-database/toc.yml b/articles/sql-database/toc.yml
@@ -117,9 +117,11 @@
 
     - name: Auditing
       items:
-      - name: Get started with SQL Database auditing
+      - name: Azure SQL Auditing
         href: sql-database-auditing.md
-      - name: Audit Log Format
+      - name: To storage behind VNet or firewall
+        href: create-auditing-storage-account-vnet-firewall.md
+      - name: Audit log format
         href: sql-database-audit-log-format.md
 
     - name: Security management
