THE SQL Server Blog Spot on the Web


Jamie Thomson

This is the blog of Jamie Thomson, a freelance data mangler in London

FYI: A new barrier to SQL Azure adoption

In their recent blog post "Updated CTP for SQL Azure Database includes complete feature set for PDC 2009!", the SQL Azure team outlined a new feature:

Firewall Support – The new firewall feature allows a customer to specify an allow list of IP addresses that can access their SQL Azure Server. Security is a concern for companies looking at storing data in the cloud and with this new feature you can rest assured that only hosts you specify will be allowed to connect.

To clarify, we are able to specify an IP address range rather than just a single IP address.

Now this is all well and good; a cautious approach to security in cloud computing is to be commended. It does raise a rather large issue for developers, though, because we now need to know what our IP address is, and the reality is that sometimes we simply don't know. I contacted my internet service provider (SKY Broadband in the UK) and asked the following:

I wish to use a 3rd party service that requires me to tell them what IP range my IP address will be in. I do not have a fixed IP address provided by SKY hence please could you tell me what IP range the IP address that you assign to me will be in?

Their reply:

I am afraid that we cannot provide this information, as it is business sensitive.
If you have an online service that requires this information, then they should be contacting us on your behalf, using the correct channels, in order to obtain this information.

Hmmm...this means I cannot connect to SQL Azure from my house and that, for me, is a huge problem. I have informed the SQL Azure team about this via a post on the SQL Azure forum and am waiting to see what their course of action will be. As an interim measure, the submission screen for the IP addresses will tell you what your current IP address is, although obviously, given that IP addresses change, this is not a long-term solution.

Watch this space.

@JamieT

Published Monday, October 26, 2009 4:37 PM by jamiet


Comments

 

Stuart Preston said:

According to this blog post (http://www.digitalspy.co.uk/forums/showthread.php?t=981231) Sky uses CIDR 90.192.0.0/11 (90.192.0.0-90.223.255.255).

Stuart.

October 26, 2009 11:05 AM
 

Alex said:

I have to deal with this all the time with many services I develop.  If you go to http://www.whatismyip.com/, you can see your IP and then go into the property page for your firewall and add it.  Unless, of course, you can't have multiple IP address ranges within the Azure firewall which would be insane...

October 26, 2009 12:28 PM
 

Brad said:

I bet you could use a dynamic-dns style approach to solving this, if they give you an API to muck w/ the firewall rules.

October 27, 2009 3:30 PM
 

Bubba said:

I can't decide who is more ignorant, the OP or the tech support guys.  I'd have to go with the latter, while I would expect a developer to understand how to find their external IP address, the response from the ISP tech support is deliberately obtuse.

October 28, 2009 11:13 AM
 

jamiet said:

Bubba,

Is the absence of knowledge an indicator of ignorance?

I fully admit I didn't know how to find out my external IP address (I do now thanks to the commenters above), does that lack of knowledge qualify me as being "ignorant"? I hope not, because if not knowing stuff qualifies you as being ignorant then I'm the most ignorant person I know! I find the accusation a little insulting I must say.

Besides, the main issue here is not knowing what my IP address is right now, the issue is knowing what it *might* be in the future.

-Jamie

October 28, 2009 3:46 PM
 

AaronBertrand said:

>> Besides, the main issue here is not knowing what my IP address is right now, the issue is knowing what it *might* be in the future.

Hear hear!  Who wants to be mucking with firewall rules every time your ISP decides to give you a new leased address?

October 28, 2009 7:09 PM
 

Luciano Evaristo Guerche (Gorše) said:

Jamie,

If I were on the Azure team I'd better bet on digital certificates instead 'cause IP addresses might be spoofed.

October 29, 2009 8:43 AM
 

califguy4christ said:

Use something like http://www.ipchicken.com/ to determine your external IP, then configure the firewall on the fly with your discovered IP for both the start of the range and the end of the range.

The biggest disadvantage is that your IP may change on a DHCP enabled ISP, however, you'll still have internet access to update the firewall rule at the SQL Azure website.

The most difficult scenario is where your company might send HTTP (port 80) traffic out of one interface (which a site like IP Chicken would use to discover your IP), and might send all other traffic (like SQLCMD on port 1433) over a different IP, which is much harder to detect unless you can see firewall logs on the receiving side of your connection.

October 29, 2009 12:30 PM
 

Bart Czernicki said:

I have dealt with this as well.  Luckily, I have a dedicated server for my dev projects and that has a static outbound IP that I use...so, I just remote into that box for testing etc.

October 31, 2009 9:02 PM
 

Chris Leonard said:

If you really develop services for the Web, in my opinion it's worth the $10 per month to get a static IP.  Your mileage may vary, but for this price I never have to bother with DynDNS and its occasional flakiness, nor do I have to worry about my IP changing.  I wonder if SKY can sell you a static IP?

Cheers,

Chris

November 1, 2009 2:05 PM
 

Bob said:

This is why people pay for ADSL with static IPs.  Access by IP is a common restriction on many services. Blaming Azure for your poor choice of ISP is a bit ridiculous.  Also for the most part you are going to be connecting to SQL from your web/app server which will be on a fixed IP or Azure.

November 2, 2009 7:03 AM
 

jamiet said:

Bob,

My understanding is that a fixed IP would cost me more money. If I need to purchase one then I will. I don't understand why this constitutes a poor choice of ISP and nor am I blaming SQL Azure, I am simply highlighting the issues so that others are aware of them.

Yes, I will mostly be connecting from a fixed IP, this blog post is providing info for those occasions where that is not the case.

-Jamie

November 2, 2009 7:13 AM
 

Ashley said:

Linux to the rescue...

Each ISP is generally allocated a number of IP ranges that they allocate and rotate to their customers. If you look up your external IP using any of the above methods then run the Linux command:

whois <IP Address>

The response will contain the IP range (labelled inetnum) that the source IP belongs to.

Or you can use online services like http://cqcounter.com/whois/ to return the whois of an IP address.

November 10, 2009 10:41 PM
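
The whois lookup described in the comment above, as an added example that is not part of the original post or its comments: it parses the inetnum line into the start and end values a range-based firewall rule takes, and counts how many addresses that rule would admit compared with a single-address rule. The whois excerpt is constructed around the range quoted earlier in the comments; the function names, the netname and the test address 90.200.10.20 are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed whois excerpt; the range is the one quoted in the comments above.
SAMPLE_WHOIS = """\
% constructed sample, not real whois output
inetnum:        90.192.0.0 - 90.223.255.255
netname:        EXAMPLE-ISP-POOL
country:        GB
"""

INETNUM_RE = re.compile(
    r"^inetnum:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$",
    re.MULTILINE,
)


def parse_inetnum(whois_text):
    """Return (start, end) IPv4Address objects from the inetnum line."""
    match = INETNUM_RE.search(whois_text)
    if match is None:
        raise ValueError("no inetnum line found")
    # IPv4Address rejects malformed octets such as 999 with a ValueError.
    start = ipaddress.IPv4Address(match.group(1))
    end = ipaddress.IPv4Address(match.group(2))
    if start > end:
        raise ValueError("inetnum start is above end")
    return start, end


def describe_rule(start, end, current_ip):
    """Summarise a start/end firewall rule and test the current address."""
    cidrs = list(ipaddress.summarize_address_range(start, end))
    ip = ipaddress.IPv4Address(current_ip)
    return {
        "start": str(start),
        "end": str(end),
        "cidrs": [str(net) for net in cidrs],
        "addresses_allowed": int(end) - int(start) + 1,
        "covers_current_ip": start <= ip <= end,
    }


if __name__ == "__main__":
    first, last = parse_inetnum(SAMPLE_WHOIS)
    # 90.200.10.20 is a constructed address inside the pool.
    print(describe_rule(first, last, "90.200.10.20"))
```

A rule built from this whole pool survives a change of leased address but admits 2,097,152 addresses, where a single-address rule admits one.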
 

jamiet said:

To all the people leaving comments telling me how to get my IP address, thanks, but that is not the real issue here (perhaps I didn't explain this well enough in the post).

The real issue is that my IP address can and will change and I don't want to have to go and mess about with IP settings on a semi-regular basis.

-Jamie

November 13, 2009 4:17 AM
