Deploy on Azure
Seamlessly integrate DB Audit with your Azure infrastructure. Native support for Azure SQL, Managed Identity authentication, and Azure Monitor for comprehensive database auditing.
Azure Integration Features
Azure SQL & Managed Instance
Native integration with Azure SQL Database, SQL Managed Instance, and Cosmos DB with built-in audit log capture.
Managed Identity Authentication
Passwordless authentication using Azure Managed Identity. No secrets to manage or rotate.
Azure Monitor Integration
Stream audit events to Azure Monitor, Log Analytics, and integrate with Azure Sentinel for security analytics.
Prerequisites
- Azure subscription with appropriate permissions
- Azure SQL Database or SQL Managed Instance to monitor
- Permissions to create Managed Identities and role assignments
- Virtual Network with appropriate Network Security Groups
- Azure CLI installed locally (optional, for deployment)
Azure Configuration Reference
| Setting | Type | Required | Description |
|---|---|---|---|
| azure_subscription_id | string | Yes | Azure subscription ID containing your resources |
| azure_tenant_id | string | Yes | Azure Active Directory tenant ID |
| azure_client_id | string | No | Service principal client ID (if not using Managed Identity) |
| managed_identity | boolean | No | Use system-assigned managed identity (default: true) |
| sql_servers | array | Yes | List of Azure SQL server names to monitor |
| log_analytics_workspace_id | string | No | Log Analytics workspace ID for audit logs |
| key_vault_name | string | No | Key Vault name for storing secrets |
| storage_account | string | No | Storage account for audit log backup |
Deployment Steps
Create Managed Identity
Create a user-assigned managed identity and assign the necessary Azure RBAC roles.
Create Identity and Assign Roles
# Create a user-assigned managed identity
az identity create \
--name dbaudit-identity \
--resource-group dbaudit-rg \
--location eastus
# Get the identity principal ID
IDENTITY_PRINCIPAL_ID=$(az identity show \
--name dbaudit-identity \
--resource-group dbaudit-rg \
--query principalId -o tsv)
# Assign roles to the managed identity
az role assignment create \
--assignee $IDENTITY_PRINCIPAL_ID \
--role "SQL DB Contributor" \
--scope /subscriptions/{subscription-id}/resourceGroups/dbaudit-rg
az role assignment create \
--assignee $IDENTITY_PRINCIPAL_ID \
--role "Log Analytics Contributor" \
--scope /subscriptions/{subscription-id}/resourceGroups/dbaudit-rgCustom Role Definition (Optional)
{
"Name": "DB Audit Collector",
"Description": "Custom role for DB Audit collector to access Azure SQL and monitoring resources",
"Actions": [
"Microsoft.Sql/servers/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/auditingSettings/read",
"Microsoft.Sql/servers/databases/auditingSettings/read",
"Microsoft.Sql/servers/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
"Microsoft.OperationalInsights/workspaces/read",
"Microsoft.OperationalInsights/workspaces/sharedKeys/action",
"Microsoft.Insights/diagnosticSettings/read",
"Microsoft.KeyVault/vaults/secrets/read"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/{subscription-id}"
]
}Configure DB Audit
Create your DB Audit configuration file with Azure-specific settings.
# /etc/dbaudit/azure-config.yaml
provider: azure
azure:
subscription_id: ${AZURE_SUBSCRIPTION_ID}
tenant_id: ${AZURE_TENANT_ID}
# Use managed identity (recommended)
managed_identity: true
# Or use service principal
# client_id: ${AZURE_CLIENT_ID}
# client_secret: ${AZURE_CLIENT_SECRET}
# SQL servers to monitor
sql_servers:
- name: prod-sql-server
resource_group: production-rg
databases:
- production-db
- analytics-db
- name: staging-sql-server
resource_group: staging-rg
databases:
- staging-db
# Log Analytics integration
log_analytics:
workspace_id: ${LOG_ANALYTICS_WORKSPACE_ID}
workspace_key: ${LOG_ANALYTICS_KEY}
# Key Vault for secrets
key_vault:
name: dbaudit-keyvault
secret_name: db-credentials
# Storage for audit log backup
storage:
account_name: dbauditstorageacct
container_name: audit-logs
collector:
log_level: info
buffer_size: 1000
flush_interval: 10sDeploy the Collector
Choose your preferred deployment method: Azure Container Instances, AKS, or VMs with Docker.
Option A: Bicep Template
// DB Audit Azure infrastructure - Bicep template
param location string = resourceGroup().location
param dbauditApiKey string
// User-assigned managed identity
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
name: 'dbaudit-identity'
location: location
}
// Log Analytics workspace
resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
name: 'dbaudit-logs'
location: location
properties: {
sku: {
name: 'PerGB2018'
}
retentionInDays: 90
}
}
// Key Vault for secrets
resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
name: 'dbaudit-kv-${uniqueString(resourceGroup().id)}'
location: location
properties: {
tenantId: subscription().tenantId
sku: {
family: 'A'
name: 'standard'
}
accessPolicies: [
{
tenantId: subscription().tenantId
objectId: managedIdentity.properties.principalId
permissions: {
secrets: ['get', 'list']
}
}
]
}
}
// Store DB Audit API key in Key Vault
resource apiKeySecret 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = {
parent: keyVault
name: 'dbaudit-api-key'
properties: {
value: dbauditApiKey
}
}
// Container Instance for DB Audit collector
resource containerGroup 'Microsoft.ContainerInstance/containerGroups@2023-05-01' = {
name: 'dbaudit-collector'
location: location
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${managedIdentity.id}': {}
}
}
properties: {
containers: [
{
name: 'dbaudit-collector'
properties: {
image: 'dbaudit/collector:latest'
resources: {
requests: {
cpu: 1
memoryInGB: 2
}
}
environmentVariables: [
{
name: 'AZURE_TENANT_ID'
value: subscription().tenantId
}
{
name: 'AZURE_SUBSCRIPTION_ID'
value: subscription().subscriptionId
}
{
name: 'LOG_ANALYTICS_WORKSPACE_ID'
value: logAnalytics.properties.customerId
}
]
}
}
]
osType: 'Linux'
restartPolicy: 'Always'
}
}
output managedIdentityPrincipalId string = managedIdentity.properties.principalId
output logAnalyticsWorkspaceId string = logAnalytics.properties.customerId
output keyVaultName string = keyVault.nameOption B: Docker on Azure VM
# Deploy DB Audit collector on Azure VM
# Pull and run the collector with managed identity
docker run -d \
--name dbaudit-collector \
--restart unless-stopped \
-e DBAUDIT_API_KEY=${DBAUDIT_API_KEY} \
-e AZURE_TENANT_ID=${AZURE_TENANT_ID} \
-e AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID} \
-e AZURE_USE_MSI=true \
-v /var/lib/dbaudit:/data \
dbaudit/collector:latest \
--config /etc/dbaudit/azure-config.yamlOption C: Azure Kubernetes Service (AKS)
# Deploy DB Audit collector on AKS
# Create namespace
kubectl create namespace dbaudit
# Create secret for API key
kubectl create secret generic dbaudit-credentials \
--from-literal=api-key=${DBAUDIT_API_KEY} \
-n dbaudit
# Install using Helm with Azure configuration
helm install dbaudit-collector dbaudit/collector \
--namespace dbaudit \
--set provider=azure \
--set azure.useManagedIdentity=true \
--set azure.subscriptionId=${AZURE_SUBSCRIPTION_ID} \
--set azure.tenantId=${AZURE_TENANT_ID} \
--set apiKeySecretName=dbaudit-credentialsVerify Deployment
Confirm your collector is running and connected to your Azure resources.
Architecture Overview
Azure Deployment Architecture
Security Best Practices
Use Managed Identity
Always use Managed Identity instead of service principal secrets. No credentials to manage, rotate, or secure.
Enable Private Endpoints
Use Azure Private Endpoints for SQL Database and Key Vault to keep traffic on the Azure backbone network.
Store Secrets in Key Vault
Never store database credentials in configuration files. Use Azure Key Vault with automatic rotation.
Apply Network Security Groups
Restrict inbound and outbound traffic to only what the collector needs. Block public internet access.
Enable Azure Defender for SQL
Combine DB Audit with Azure Defender for SQL for advanced threat protection and vulnerability assessment.
Use Custom RBAC Roles
Create custom roles with least-privilege permissions instead of using built-in Contributor roles.
Troubleshooting
Managed Identity authentication fails
Verify the managed identity is assigned to the compute resource (VM, ACI, AKS). Check that role assignments are at the correct scope (subscription, resource group, or resource level).
Cannot connect to Azure SQL Database
Ensure the collector IP is allowed in the SQL server firewall or use a Private Endpoint. Verify the managed identity has db_datareader permissions on the database.
Log Analytics data not appearing
Check the workspace ID and key are correct. Verify the managed identity has Log Analytics Contributor role. Data may take 5-10 minutes to appear.
Key Vault access denied
Verify the managed identity has Get and List permissions on secrets in the Key Vault access policies or Azure RBAC.
Container Instance fails to start
Check the Azure Container Instance logs for startup errors. Verify the image can be pulled and environment variables are set correctly.
Ready to Deploy on Azure?
Get started with DB Audit on Azure in minutes. Our team can help you design the optimal architecture for your environment.