Microsoft DP-300 - Administering Relational Databases on Microsoft Azure

Manage database access by adding users to the database, or allowing user access with secure connection strings.

Database-level firewall rules only apply to individual databases.

To configure high availability for dbl, you can use the failover groups feature of Azure SQL Database.  Failover groups allow you to manage the repl ication and failover of a group of databases across different regions with the same connection strings 1 . You can choose all, or a subset of, user databases in a logical server to be replicated to another logical server in a different region. You can also specify the failover policy, such as manual or automatic, and the grace period for data loss.

Here are the steps to create a failover group for dbl:

Using the Azu re portal:

Go to the Azure portal and select your Azure SQL Database server that hosts dbl.

Select Failover groups in the left menu and click on Add group.

Enter a name for the failover group and select a secondary region that is different from the primary region.

Click on Create a new server and enter the details for the secondary server, such as server name, admin login, password, and subscription.

Click on Select existing database(s) and choose dbl from the list of databases on the primary server.

Click on Configure failover policy and select the failover mode, grace period, and read-write failover endpoint mode according to your preferences.

Click on Create to create the failover group and start the replication of dbl to the secondary server.

Using Pow erShell commands:

Install the Azure PowerShell module and log in with your Azure account.

Run the following command to create a new server in the secondary region:  New-AzSqlServer -ResourceGroupName < your-resource-group-name > -ServerName < your-secondary-server-name > -Location " < secondary-region-name > " -SqlAdministratorCredentials $(New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList " < your-admin-login > " , $(ConvertTo-SecureString -String " < your-password > " -AsPlainTe xt -Force))

Run the following command to create a new failover group with dbl:  New-AzSqlDatabaseFailoverGroup -ResourceGroupName < your-resource-group-name > -ServerName < your-primary-server-name > -PartnerResourceGroupName < your-resource-group-name > -Partner ServerName < your-secondary-server-name > -FailoverGroupName < your-failover-group-name > -Database dbl -FailoverPolicy < manual-or-automatic > -GracePeriodWithDataLossHours < grace-period-in-hours > -ReadWriteFailoverEndpoint " < enabled-or-disabled > "

You can modif y the parameters of the command according to your preferences, such as the failover policy, grace period, and read-write failover endpoint mode.

These are the steps to create a failover group for dbl

To enable change data capture (CDC) for db1, you need to run the stored procedure sys.sp_cdc_enable_db in the database context.  CDC is a feature that records activity on a datab ase when tables and rows have been modified 1 .  CDC can be used for various scenarios, such as data synchronization, auditing, or ETL processes 2 .

Here are the steps to enable CDC for db1:

Connect to db1 using SQL Server Management Studio, Azure Data Studio, or any other tool that supports Transact-SQL statements.

Open a new q uery window and run the following command:  EXEC sys.sp_cdc_enable_db; GO

This command will enable CDC for the database and create the cdc schema, cdc user, metadata tables, and other system objects for the database 3 .

To verify that CDC is enabled for db1, you can query the is_cdc_enabled column in the sys.databases catalog view. The value should be 1 for db1.

These are the steps to enable CDC for db1

To configure your user account as the Azure AD admin for the server named sql3700689S, you can use the Azure portal or the Azure CLI. Here are the steps for both methods:

Using the Azure portal:

Go to the Azure portal and select  SQL Server – Azure Arc .

Select the server named  sql3700689S  and click on  Active Directory admin .

Click on  Set admin  and choose your user account from the list of Azure AD users.

Click on  Select  and then  Save  to confirm the change.

You can verify the Azure AD admin by clicking on  Active Directory admin  again and checking the current admin.

Using the Azure CLI:

Install the Azure CLI and log in with your Azure account.

Run the following command to get the object ID of your user account:  az ad user show --id < your-user-name > --query objectId -o tsv

Run the following command to set your user account as the Azure AD admin for the server:  az sql server ad -admin create --server sql3700689S --object-id < your-object-id > --display-name < your-user-name >

You can verify the Azure AD admin by running the following command:  az sql server ad-admin show --server sql3700689S

These are the steps to configure your user account as the Azure AD admin for the server named sql3700689S.

To configure sq1370O6895 to support the creation of new database users from Azure AD identities, you need to do the following steps:

Set up a Microsoft Entra tenant and associate it with your Azure subscription.  You can use the Microsoft Entra portal or the Azure portal to create and manage your Microsoft Entra users and groups 1 2 .

Configure a Microsoft Entra admin for sq1370O6895.  You can use the Azure portal or the Azure CLI to set a Microsoft Entra user as the ad min for the server 3 4 .  The Microsoft Entra admin can create other database users from Microsoft Entra identities 5 .

Connect to db1 using the Microsoft Entra admin account and run the following Transact-SQL statement to create a new database user from a Microsoft Entra identity:  CREATE USER [Microsoft Entra user name] FROM EXTERNAL PROVIDER; 6  You can replace the Microsoft Entra user name with the name of the user or group that you want to create in the database.

Grant the appropriate permissions to the new database user by adding them to a database role or granting them specific privileges. For example, you can run the following Transact-SQL statement to add the new user to the db_datareader role:  ALTER ROLE db_datareader ADD MEMBER [Microsoft Entra user name];

These are the steps to configure sq1370O6895 to support the creation of new database users from Azure AD identities.

To enable page compression on the PK_SalesOrderHeader_SalesOrderlD clustered index of th e SalesLT.SalesOrderHeader table in db1, you can use the following Transact-SQL script:

-- Connect to the Azure SQL database named db1

USE db1;

GO

-- Enable page compression on the clustered index

ALTER INDEX PK_SalesOrderHeader_SalesOrderlD ON SalesLT.SalesOrderHeader

REBUILD WITH (DATA_COMPRESSION = PAGE);

GO

This script will rebuild the clustered index with page compression, which can reduce the st orage space and improve the query performance

The script solution consists of three parts:

The first part is  USE db1; GO . This part connects to the Azure SQL database named db1, where the SalesLT.SalesOrderHeader table is located. The  GO  command separate s the batches of Transact-SQL statements and sends them to the server.

The second part is  ALTER INDEX PK_SalesOrderHeader_SalesOrderlD ON SalesLT.SalesOrderHeader REBUILD WITH (DATA_COMPRESSION = PAGE); GO . This part enables page compression on the clustered index named PK_SalesOrderHeader_SalesOrderlD, which is defined on the SalesLT.SalesOrderHeader table. The  ALTER INDEX  statement modifies the properties of an existing index. The  REBUILD  option rebuilds the index from scratch, which is required to change the compression setting. The  DATA_COMPRESSION = PAGE  option specifies that page compression is applied to the index, which means that both row and prefix compression are used. Page compression can reduce the storage space and improve the query perf ormance by compressing the data at the page level. The  GO  command ends the batch of statements.

The third part is optional, but it can be useful to verify the compression status of the index. It is  SELECT name, index_id, data_compression_desc FROM sys.inde xes WHERE object_id = OBJECT_ID( ' SalesLT.SalesOrderHeader ' ); . This part queries the sys.indexes catalog view, which contains information about the indexes in the database. The  SELECT  statement returns the name, index_id, and data_compression_desc columns f or the indexes that belong to the SalesLT.SalesOrderHeader table. The  OBJECT_ID  function returns the object identification number for the table name. The data_compression_desc column shows the compression type of the index, which should be PAGE for the clu stered index after the script is executed.

These are the steps of the script solution for enabling page compression on the clustered index of the SalesLT.SalesOrderHeader table in db1.

To ensure that all queries executed against dbl are captured in the Query Store, you need to enable the Query Store feature for the database and set the query capture mode to ALL.  The Query Store feature provides you with insight on query plan choice and performance for Azure SQL Database 1 .  The query capture mode controls whether all queries or only a subset of quer ies are tracked 2 .

Here are the steps to enable the Query Store and set the query capture mode to ALL for the database dbl:

Using the Azure portal:

Go to the Azure portal and select your Azure SQL Database server.

Select the database dbl and click on Query Performance Insight in the left menu.

Click on Configure Query Store and turn on the Query Store switch.

In the Query Capture Mode dropdown, select All and click on Save.

Using Transact-SQL statements:

Connect to the Azure SQL Database server and the database dbl using SQL Server Management Studio or Azure Data Studio.

Run the following command to enable the Query Store f or the database:  ALTER DATABASE dbl SET QUERY_STORE = ON;

Run the following command to set the query capture mode to ALL for the database:  ALTER DATABASE dbl SET QUERY_STORE (QUERY_CAPTURE_MODE = ALL);

These are the steps to ensure that all queries execute d against dbl are captured in the Query Store.

To ensure that db1 is compatible with all the features and syntax of SQL Server 2012, you need to set the compatibility level of the database to 110, which is the compatibility level for SQL S erver 2012 1 .  The compatibility level affects the behavior of certain Transact-SQL statements and features, and determines how the database engine interprets the SQL code 2 .

You can set the compatibility level of db1 by using the Azure portal or Transact-SQL statements. Here are the steps for both methods:

Using the Azure portal:

Go to the Azure portal and select your Azure SQL Database server that hosts db1.

Select the database db1 and click on Query Performance Insight in the left menu.

Click on Configure Query Store and select 110 from the Compatibility level dropdown list.

Click on Save to apply the change.

Using Transact-SQL statements:

Connect to db1 using SQL Server Management Studio, Azure Data Studio, or any other tool that supports Transact-SQL statements.

Open a new query window and run the follow ing command:  ALTER DATABASE db1 SET COMPATIBILITY_LEVEL = 110; GO

This command will set the compatibility level of db1 to 110, which is equivalent to SQL Server 2012.

These are the steps to set the compatibility level of db1 to 110. 

SQL injection attacks are a type of cyberattack that exploit a vulnerability in the application code that interacts with the database.  An attacker can inject malicious SQL statements into the user input, such as a form field or a URL parameter, and execute them on the databas e server, resulting in data theft, corruption, or unauthorized access 1 .

To protect all the databases on sql37006S95 from SQL injection atta cks, you need to follow some best practices for securing your application and database layers. Here are some of the recommended steps:

Use parameterized queries or stored procedures to separate the SQL code from the user input.  This will prevent the user input from being interpreted as part of the SQL statement and avoid SQL injection 2 3 .

Validate and sanitize the user input before passing it to the database.  This will ensure that the input conforms to the expected format and type, and remove any potentia lly harmful characters or keywords 4 .

Implement least privilege access for the database users and roles.  This will limit the permissions and actions that the application can perform on the database, and reduce the impact of a successful SQL injection attack 5 .

Enable Advanced Threat Protection for Azure SQL Database. This is a feature that detects and alerts you of anomalous activities and potential threats on yo ur database, such as SQL injection, brute force attacks, or unusual access patterns. You can configure the alert settings and notifications using the Azure portal or PowerShell.

These are some of the steps to protect all the databases on sql37006S95 from S QL injection attacks.

To configure a disaster recovery solution for db1, you can use the failover groups feature of Azure SQL Database.  Failover groups allow you to manage the replication and failover of a group of databases across different regions with the same connection strings 1 .  You can also use active geo-replication as an alternative, but you will need to update the connection strings manually after a failover 2 .

Here are the steps to create a failover group for db1 with the secondary server in the West US 3 region:

Using the Azure portal:

Go to the Azure portal and select your Azure SQL Database server that hosts db1.

Select Failover groups in the left menu and click on Add group.

Enter a name for the failover group and select West US 3 as the secondary region.

Click on Create a new server and enter the details for the secondary server, such as server name, admin login, password, and subscription.

Click on Select existing database(s) and choose db1 from the list of databases on the primary server.

Click on Configure failover policy and select the failover mode, grace period, and read-write failover endpoint mode according to your preferences.

Click on Create to create the failover group and start the replication of db1 to the secondary server.

Using PowerShell commands:

Install the Azure PowerShell module and log in with your Azur e account.

Run the following command to create a new server in the West US 3 region:  New-AzSqlServer -ResourceGroupName < your-resource-group-name > -ServerName < your-secondary-server-name > -Location " West US 3 " -SqlAdministratorCredentials $(New-Object -Typ eName System.Management.Automation.PSCredential -ArgumentList " < your-admin-login > " , $(ConvertTo-SecureString -String " < your-password > " -AsPlainText -Force))

Run the following command to create a new failover group with db1:  New-AzSqlDatabaseFailoverGroup - ResourceGroupName < your-resource-group-name > -ServerName < your-primary-server-name > -PartnerResourceGroupName < your-resource- group-name > -PartnerServerName < your-secondary-server-name > -FailoverGroupName < your-failover-group-name > -Database db1 -FailoverPo licy Manual -GracePeriodWithDataLossHours 1 -ReadWriteFailoverEndpoint " Enabled "

You can modify the parameters of the command according to your preferences, such as the failover policy, grace period, and read-write failover endpoint mode.

These are the steps to create a failover group for db1 with the secondary server in the West US 3 region.