How to securely access PaaS resources with 'Allow access to Azure services' option disabled?

With June fast approaching I’m in the middle of “Security Intelligence in Azure PaaS” tour with 4 Sql Saturdays and 2 user groups still to go. So far it’s been very positive experience and I was able to capture a fair bit of feedback. Along the way I got interesting questions from both attendees and fellow presenters. Today I’m going to answer one of the most common which is “How to securely access Sql Database/Sql Datawarehouse/Cosmos DB from Azure when ‘Allow access to Azure services’ option is disabled?

Last Geo-Backup in Azure Sql DW

DR in Azure Sql DW Key component of Disaster Recovery Plan for Azure Sql DataWarehouse is a Geo-Backup Policy that must be enabled and working. Geo-Backup Azure Sql Datawarehouse uses simple recovery model and special storage level backups (consistent across multiple nodes) are taken every 4-8h. Backup history is stored in sys.pdw_loader_backup_runs DMV. Minimum once a day backup is copied to paired region so RPO is 24h assuming that Geo-Backup actually works.

Duplicates in sys.query_store_wait_stats

For machine learning, or in general any data analysis task, we need data. That’s not enough because data has to be in the right shape and data wrangling is usually tedious/time consuming/character shaping experience. QueryStore is one of the most important tools in context of Performance Intelligence (synonym for gaining performance insights and making automated decisions) because it provides consistent and unified view on queries’ performance by forming multi-feature timeseries for every query-plan-interval: