So a current problem is that we inherited many machines that have total of about 500 application exe's. We are physically moving and have realized that someone had not saved source code and there are too many application to identify and re-write.
Issue statement: hundreds of machines are sending request to SQL Server with user sa and a BLANK PASSWORD 🙁 and for the move we are setting up everything in Azure Cloud. Azure SQL enforces password policy on VM (IaaS) etc.. I want to INTERCEPT and TRANSFORM any application that is trying to connect with using some type of PROXY layer ..
I was looking at Node Proxy stuff, and SQL server alias etc.. but it seems that what I want to do is this
Proxy Server machine
--> 500 incoming SQL Server connections
--> Server \\XSQL2
--> User "sa"
--> Password ""
So
<add key="conn" value="data source=XSQL2; initial catalog=SomeDB;uid=sa;pwd=" />
but then for the Proxy to handle delegating the translation to Azure and sending (replacing) with
<add key="conn" value="data source=myclouddbs.westus.cloudapp.azure.com,1433; initial catalog=SomeDB;uid=myUser;pwd=MyPassword123" />
Am I making any sense at all?
Best Answer
You have a bigger problem than just using a proxy.
If you have to use SQL SA account with a blank password, you should avoid exposing your SQL server to the internet at all costs. running behind a proxy will not make things better, your better option is to use VPN Site-to-Site or filter IP address access to the VPN using Network Security Groups (NSG).
You can bypass this by installing a VM and your copy of SQL. You can get most of the Azure VM with SQL functionality by installing the needed extensions.
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-site-to-site-create https://docs.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sql/virtual-machines-windows-sql-server-agent-extension