Azure SQL Databases

There are two core models when creating Azure SQL database as PaaS service; DTU and vCore.

DTU is a blend of CPU, Memory, Reads and Writes. A database with 5 DTU will perform better than a database with 1 DTU.

vCore is more robust and feels similar to the on-prem environments. Here you get the option of choosing the Cores.

Databases have varying requirements depending on the workload. Microsoft offers three different instance options;

Single Database deployment

The hosting option create a single database deployment, with dedicated management via an SQL Database server. Being Single, each database is fully isolated and portable across Azure platform.

Single database can also be moved in and out of “elastic pool”, allowing for better resource distribution with multiple database instances.

This instance uses DTU purchasing model for billing. A DTU is the convergence of vCores, RAM and IOPS into a standardized measure for benchmarking and billing database instances. They can be used to figure out the cost by using DTU calculator.

Single instances are best suited to businesses running applications that require a resource guarantee at the database level.

Elastic pool

An elastic pool offers a convenient, cost-effective option for maintaining multiple databases. With multiple databases, there is some unpredictability with how much computational power is needed. For this reason, pooled resources can offer better performance, and value for money.

There are four service tiers but I just looked at two; Serverless and DTU.

Serverless

The serverless compute tier for single database is an autoscaling and auto pause delay service. The cost is summation of compute and storage.

Auto pausing is trigger, if number of sessions = 0 or CPU = 0 for use workload running in the user pool. Auto resuming is triggered when a user login. Auto pausing delay could be 1 hour, max is 7 days.

This is only supported in the General-Purpose tier on Gen5 hardware in vCore purchasing model.

This tier is price-performance optimized with intermittent, unpredictable usage pattern that can afford some delay in compute warm-up after idle usage periods.

DTU (Database Transaction Units)

The most common one is a Single database option. DTU is a blend of CPU, Memory, Reads and Writes and a database having 5 DTUs will perform 5 times better than another database having just 1 DTU.. When selecting DTU, A normal conversation between Developer and IT Pro is;

Developer = I’d like a database server

IT Pro = ok, how much CPU do you need?

Developer = average…whatever the normal is

IT Pro = uh…ok, how many IOPS do you need?

Developer = what’s IOPS?

At the end, either too many or too few resources are provided and no one is happy. DTU take the metrics that determine the performance of a database and mush them together in a measure that we can use to abstract and compare performance.

What should I choose for dev/test?

We may be able to run our dev\test database on the Basic tier (5DTU $5/month) or the Standard S0 tier (10DTU $15/month), or maybe it would make more sense to put them all in a 50DTU elastic pool ($112/month). For production we’ll probably start out with a Standard S3 for our main DB and a Standard S0 or S1 for our auditing DB. Then depending on the loads scale them back or possibly put them in an Elastic Pool together.

The Basic tier is incredibly limited. It’s good for occasional/casual use, and it’s a cheap way to “park” your database when you aren’t using it. But if you’re running any real application, the Basic tier isn’t going to work for you.

The Standard Tier is pretty limited, too, but for small applications it’s capable of meeting your needs. If you have a 2-core server running a handful of databases, then those databases individually might fit into the Standard tier. Similarly, if you have a server with only one database, running 1 CPU core at 100% (or 2 cores running at 50%), it is probably just enough horsepower to tip the scale into the Premium-P1 service tier.

What is DTU? This simple way to understand DTU is;

When we build a SQL server box, we go with CPU count, some amount of RAM, storage configuration for enough IOPS for workload. When you jump to Azure, it’s call DTU. DTU is a blend of CPU, Memory, and Storage (Reads and Writes). A database with 5 DTU will perform better than a database with 1 DTU.

IOPS = Input/Output operations per second (IOPS)

Resources

https://dtucalculator.azurewebsites.net/

https://docs.microsoft.com/en-us/azure/azure-sql/database/serverless-tier-overview

DTU vs vCore in Azure SQL Database

Azure SQL Database Models and pricing

Azure single SQL database is great if we don’t want to build and maintain datacenter infrastructure; management and patching overhead is completely owned by the vendor. This helps the organization and application owners concentrate on just the design-and-usage of the database.

Azure SQL Cost

This is divided into two models;

Azure SQL Deployment models

Azure SQL deployment models determine how to structure the “SQL Server” and its database;

Azure SQL Database and Azure SQL Manage instance are manage service instances.

SQL Server on Azure VMs gives you full control over the SQL Server instance.

Azure SQL Pricing models

Depending on deployment model, there are two purchasing options;

vCore based purchasing model is available for both Azure SQL and SQL Manage instance.

The DTU-based purchasing model is available for Azure SQL database.

To better understand, use Azure pricing calculator.

https://azure.microsoft.com/en-us/pricing/calculator/

Azure SQL Service Tiers

There are two service tiers used by Azure SQL, each with a different architectural model;

A general-purpose tier for common workloads

A business-critical tier for high throughput OLTP applications requiring low latency and high resilience.

A Hyperscale tier for very large OLTP systems with faster auto-scaling, backup and restore support.

Azure SQL Compute Tiers

Under Azure SQL Database deployment option, under the vCore pricing model with General purpose storage, you will see two options;

Provisioned = Azure SQL provides Azure resources that run your database with a fixed amount of compute resources for a fixed hourly price.

Serverless = The database is provisioned as a serverless component with auto-scaling compute and billing for use per second.

Azure SQL VM Cost (IaaS model)

These are dev pricing and Windows Standard, SQL Server (both included)

8 vCPUs, 32GB RAM, 64 GB Temporary storage, $0.384/hour (With standard support = 380.32/month)

Azure SQL Managed instance cost (PaaS model)

Instance = vCore-4, 20GB memory, 736/moth license included

The only difference between these two options is administration and patch management.

Managed Instances have several key features that do not exist in Azure SQL Database most notably among these are:

Cross Database Queries and Transactions;

CLR;

SQL Server Agent, and Database Mail;

Linked Servers;

Service Broker (within the instance);

Multiple Database file groups and files;

Native Azure vNet deployment; and,

Azure Active Directory Integration;

Keep in mind that Azure SQL Managed instance does not offer SQL Server integration services and Reporting Services. You would have to provision Azure Data Factory for SQL Server integration services and Power BI for reporting.

Azure VM for development seems to be cheaper than Azure managed instance by 40%. Choice is yours.

Azure Security and Encryption

Azure Active Directory is used for access controls. Azure AD can be used stand-alone. It offers Single sign-on, MFA, providing identities to services.

Encryption is the process of making data unreadable and unusable to unauthorized viewers. To read encrypted data, it must be decrypted, which requires the use of a secret key. There are two top-level types of encryption: symmetric and asymmetric. Symmetric encryption uses the same key to encrypt and decrypt the data.

Asymmetric encryption uses a public key and private key pair. Either key can encrypt but a single key can’t decrypt its own encrypted data. To decrypt, you need the paired key. Asymmetric encryption is used for things like Transport Layer Security (TLS), used in HTTPS.

By default, Azure encrypt/decrypt file storage data. It’s transparent to the user. Azure SQL Database used Transparent data encryption. It performs real-time encryption/decryption of the database at rest without requiring changes to the application. It’s enabled by default. TDE uses symmetric key called database encryption key. By default, Azure provides a unique encryption key per logical SQL server instance and handles all the details.

Azure key vault is used to keep application secrets.

Azure Security Monitor. Monitoring service that provides threat protection across all of your services. Azure Security Center is offered on Standard tier subscription. It’s $15 per node per month.

Does Azure commercial follow FEDRAMP guidelines?

This is the first question that will always be asked if you are setting up Azure for a client that works with government.

Both Azure and Azure Government uses same security controls. They are accessed and authorized at the FedRAMP high impact level. Azure Government provides an additional layer of protection to customers to screened US persons. This is used to store and process data subject to US export control regulation’s such as EAR, ITAR, and DoE 10 CFR Part 810.

Refer to this Microsoft article for details;

https://azure.microsoft.com/en-us/blog/all-us-azure-regions-now-approved-for-fedramp-high-impact-level/

Take time to see which environments meet your needs.  Many people are surprised at how robust the Azure [commercial] compliance space is.  https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings

Resources;

Choosing the right Azure Environment – Should I use the Public or the Government Cloud?