How to securely access PaaS resources with 'Allow access to Azure services' option disabled?

With June fast approaching I’m in the middle of “Security Intelligence in Azure PaaS” tour with 4 Sql Saturdays and 2 user groups still to go. So far it’s been very positive experience and I was able to capture a fair bit of feedback. Along the way I got interesting questions from both attendees and fellow presenters. Today I’m going to answer one of the most common which is “How to securely access Sql Database/Sql Datawarehouse/Cosmos DB from Azure when ‘Allow access to Azure services’ option is disabled?

Top 10 wishlist for security in Azure

Taking opportunity just before #MSBuild2018 kicks off here is my wishlist for security improvements that I’d like to see in Azure: Azure Sql Managed Instance GA announcement Azure Sql Auditing native support in Log Analytics VNET service endpoints support for hybrid scenarios VNET service endpoints support for multi-region servers Azure Sql DB/DW native VNET support Azure Sql Datawarehouse Always Encrypted Soft-Delete support in portal for Key Vault Always Encrypted Secure Enclaves Azure Confidential Computing Practical use cases for blockchain in context of InfoSec and of course - Quantum Commuting which always goes up to 11.

Last Geo-Backup in Azure Sql DW

DR in Azure Sql DW Key component of Disaster Recovery Plan for Azure Sql DataWarehouse is a Geo-Backup Policy that must be enabled and working. Geo-Backup Azure Sql Datawarehouse uses simple recovery model and special storage level backups (consistent across multiple nodes) are taken every 4-8h. Backup history is stored in sys.pdw_loader_backup_runs DMV. Minimum once a day backup is copied to paired region so RPO is 24h assuming that Geo-Backup actually works.