🔒 Security Configuration Wizard¶
📋 Overview¶
Interactive security configuration wizard for Azure Synapse Analytics. Step-by-step guidance for implementing security best practices including network isolation, encryption, authentication, and access control.
Duration: 45-60 minutes | Format: Step-by-step wizard | Prerequisites: Security and compliance understanding
🎯 Learning Objectives¶
- Configure network security (Private Link, Firewalls, VNets)
- Implement authentication and authorization
- Set up encryption at rest and in transit
- Configure audit logging and monitoring
- Apply security best practices
- Generate security compliance reports
🚀 Security Configuration Wizard¶
Step 1: Network Security¶
const networkSecurityWizard = {
steps: {
privateLink: {
title: 'Configure Private Link',
options: {
enabled: true,
privateEndpoints: [
{ resource: 'Synapse Workspace', subnet: 'synapse-subnet' },
{ resource: 'Dedicated SQL Pool', subnet: 'sql-subnet' },
{ resource: 'Data Lake', subnet: 'storage-subnet' }
]
},
validation: 'Verify private DNS configuration'
},
firewall: {
title: 'Configure Firewall Rules',
rules: [
{ name: 'AllowAzureServices', start: '0.0.0.0', end: '0.0.0.0' },
{ name: 'CorporateNetwork', start: '10.0.0.0', end: '10.255.255.255' }
]
},
managedVnet: {
title: 'Enable Managed Virtual Network',
enabled: true,
allowedOutbound: ['Azure Services', 'Approved third-party']
}
}
};
Step 2: Authentication Setup¶
const authenticationConfig = {
azureAD: {
enabled: true,
adminUsers: ['admin@contoso.com'],
adminGroups: ['SynapseAdmins'],
mfa: true
},
sqlAuthentication: {
enabled: false, // Recommended: Use only AAD
passwordPolicy: {
minLength: 12,
complexity: true,
expiration: 90
}
},
managedIdentity: {
systemAssigned: true,
userAssigned: []
}
};
Step 3: Access Control (RBAC)¶
const rbacConfiguration = {
workspaceLevel: [
{
role: 'Synapse Administrator',
principals: ['SynapseAdmins@contoso.com'],
scope: '/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Synapse/workspaces/{ws}'
},
{
role: 'Synapse Contributor',
principals: ['DataEngineers@contoso.com']
},
{
role: 'Synapse Reader',
principals: ['Analysts@contoso.com']
}
],
sqlPoolLevel: [
{
database: 'AnalyticsDB',
role: 'db_datareader',
principals: ['ReportingTeam@contoso.com']
}
],
dataLakeLevel: [
{
container: 'raw-data',
role: 'Storage Blob Data Reader',
principals: ['DataScientists@contoso.com']
}
]
};
Step 4: Encryption Configuration¶
const encryptionConfig = {
atRest: {
method: 'Customer-Managed Keys',
keyVault: 'https://mykv.vault.azure.net',
keyName: 'synapse-encryption-key',
autoRotation: true
},
inTransit: {
tlsVersion: '1.2',
enforceSSL: true
},
transparentDataEncryption: {
enabled: true,
dedicatedSQLPools: ['ProductionDW', 'AnalyticsDW']
}
};
Step 5: Auditing and Monitoring¶
const auditingConfig = {
diagnosticSettings: {
name: 'SecurityAudit',
logCategories: [
'SQLSecurityAuditEvents',
'SynapseRbacOperations',
'GatewayApiRequests',
'BuiltinSqlReqsEnded'
],
destinations: {
logAnalytics: {
workspaceId: '/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/SecurityLogs'
},
storageAccount: {
accountId: '/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/auditlogs'
}
}
},
alerts: [
{
name: 'UnauthorizedAccess',
condition: 'Unauthorized data access attempts',
severity: 'High',
notificationEmail: 'security@contoso.com'
},
{
name: 'PrivilegeEscalation',
condition: 'Role assignment changes',
severity: 'Critical'
}
]
};
📋 Security Checklist¶
Compliance Validation¶
const securityChecklist = {
network: [
{ item: 'Private Link enabled', status: 'complete', critical: true },
{ item: 'Firewall rules configured', status: 'complete', critical: true },
{ item: 'Managed VNet enabled', status: 'pending', critical: false }
],
identity: [
{ item: 'Azure AD authentication enabled', status: 'complete', critical: true },
{ item: 'SQL authentication disabled', status: 'complete', critical: true },
{ item: 'MFA enforced', status: 'complete', critical: true }
],
authorization: [
{ item: 'RBAC roles assigned', status: 'complete', critical: true },
{ item: 'Least privilege principle applied', status: 'pending', critical: true }
],
encryption: [
{ item: 'TDE enabled', status: 'complete', critical: true },
{ item: 'Customer-managed keys configured', status: 'complete', critical: false },
{ item: 'TLS 1.2+ enforced', status: 'complete', critical: true }
],
monitoring: [
{ item: 'Audit logs enabled', status: 'complete', critical: true },
{ item: 'Security alerts configured', status: 'complete', critical: true },
{ item: 'Log Analytics integration', status: 'complete', critical: false }
]
};
🔧 Troubleshooting¶
Common Security Issues¶
Issue: Private Link Connection Failed
# Verify private endpoint status
az network private-endpoint show \
--name synapse-pe \
--resource-group myRG
# Check DNS resolution
nslookup myworkspace.sql.azuresynapse.net
# Should resolve to private IP (10.x.x.x)
Issue: Access Denied Errors
-- Check user permissions
SELECT
pr.principal_id,
pr.name AS principal_name,
pr.type_desc,
pe.permission_name,
pe.state_desc
FROM sys.database_principals pr
LEFT JOIN sys.database_permissions pe ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'user@contoso.com';
🔗 Embedded Demo Link¶
Launch Security Wizard: https://demos.csa-inabox.com/security-wizard
📚 Additional Resources¶
💬 Feedback¶
💡 Was the security wizard helpful?
- ✅ Secured my workspace - Share success
- ⚠️ Security gaps - Report issue
Last Updated: January 2025 | Version: 1.0.0