Deploy Azure MySQL Flexible Server using Private End-Points (Manual)
In this manual I am going to show you how to deploy Azure MySQL Flexible Server with data encryption enabled, using Service Managed Keys (SMK) for data-at-rest encryption.
What is Azure MySQL Flexible Server?
Azure Database for MySQL Flexible Server is a fully managed Azure database service designed for more granular control and flexibility over database management functions and configuration settings. With Flexible Server you get to decide which availability options you want to use: a single server, a redundant setup or even a zone-redundant setup. This includes geo-redundant backup storage. Last but not least, we can set up replication to a Flexible Server in a different geographic location.
One of the main advantages of a managed service is that Microsoft performs automated patching of the underlying hardware, OS and database engine, keeping your server secure and up to date.
Currently MySQL Flexible Server supports MySQL 5.7 and 8.0. With MySQL 5.7 reaching end of life on October 21, 2023, I recommend not using version 5.7 anymore unless you temporarily need it for migration purposes.
STEP 1: Create managed identity
The first step is to create a managed identity. This identity will be used by the MySQL Flexible Server to authenticate to the Key Vault, which holds the key used to encrypt the data at rest.
Go to Managed Identities and click Create.
Give your managed identity a name and continue with the creation of the identity.
STEP 2: Create Key vault Datacenter 1 (West Europe)
For this manual I will use the West Europe and North Europe datacenters. These key vaults will be accessed by the managed identity. For data-at-rest encryption it is important to enable purge protection: if you do not enable this option, deployment of the Azure MySQL Flexible Server will fail.
On the next page make sure to select Vault access policy. At the time of writing, Azure role-based access control results in an error that the key vault cannot be found when you deploy Azure MySQL Flexible Server. Now click on the Create button to grant the managed identity the required permissions.
To be able to read the encryption key make sure to select the following permissions:
- Get
- Wrap key
- Unwrap key
As for the principal, select the just created managed identity. In our case: MI-SRV-MYSQL-P01.
When complete, the permissions should look like this. Make sure to grant your own account all permissions so you are able to set up the key.
On the Networking page we are going to limit access to the key vault. I would prefer using a private endpoint, but the Microsoft documentation requires the use of public access from selected networks only plus trusted Microsoft services. Make sure to check the box Allow trusted Microsoft services to bypass this firewall.
When ready, review your setup and create the key vault.
STEP 3: Create Key vault Datacenter 2 (North Europe)
Create the key vault in North Europe with the same parameters as specified in step 2.
Step 4: Deploy Azure MySQL flexible server
Now we are going to deploy the MySQL Flexible server. Go to Azure Database for MySQL flexible servers. Click on the Create button.
Now give your server your desired name without special characters (those are not supported). Select a region and MySQL version, choose a workload and click on Configure Server.
On this page you can choose your compute tier. The Burstable tier is for flexible workloads; General Purpose and Business Critical are for production workloads. If you want to use read replicas you can only choose the General Purpose or Business Critical compute tier.
Additional IOPS
You can scale your IOPS to optimize the performance of an IO intensive operation. You will be provisioned 1000 free IOPS per server and charged based on the additional IOPS used, rounded up to the nearest minute.

| | Price |
|---|---|
| IOPS/month | €0.048 |
Paid IO
Azure Database for MySQL will automatically scale your IOPS depending on the workload without the need for you to manually pre-provision IOPS. This is a cost-effective IO model which charges only for what the workload consumes.
| | Price |
|---|---|
| Paid IO Locally redundant storage (LRS) | €0.190 per 1 million requests |
| Paid IO Zone redundant storage (ZRS) | €0.237 per 1 million requests |
Select your desired backup retention policy and click save.
Now select an availability zone. If you want to use this server for production purposes, make sure to select Enable high availability. For creating this manual I chose not to enable high availability. This setting can NOT be changed after the creation of the server, so choose wisely :). As the last option on this page, select your authentication method.
On the Networking tab select Public access and Private endpoint as the connectivity method. Scroll down to Private endpoint.
Click on Add private endpoint. On the new blade give the private endpoint a name, select the desired virtual network and subnet, and choose whether you want to integrate with a private DNS zone. Click on Save and then Next.
On the Security tab we are going to configure data encryption. First click on Change identity to select the identity created in Step 1. If you selected geo replication you will need to do this twice.
Select the Managed Identity
Now we are going to select a key. Again, you will need to do this twice if Geo replication has been selected.
Now select the key vault for the desired region that we created in step 2 and click on Create new key.
Now give the key a name. As key type make sure to select RSA; EC is not supported. For the RSA key size 2048, 3072 and 4096 bits are supported. Make sure to set the status to Enabled and click Create.
Once created, the blade will close and you will have to reselect the key.
Now select the just created key, including a version, and click Save.
When completed, your overview should look like this:
Now go over the last two tabs and click Create. The deployment takes approximately 10-15 minutes.
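The portal steps above (the identity from step 1, the West Europe key vault and key from step 2, and the server and private endpoint from step 4) expressed as a single Bicep template. This is an added example written for this page, not code from the original manual or from Microsoft. Apart from the identity name MI-SRV-MYSQL-P01, all resource names, the subnet parameter, the compute SKU and the 3072-bit key size are assumptions; the North Europe vault from step 3 is left out and only mentioned in a comment where geo-redundant backup would reference it.

```bicep
// Added example, not part of the original manual. Names other than the identity are assumptions.
@description('Region for identity, key vault and server (assumed: West Europe).')
param location string = 'westeurope'

@description('Resource ID of the subnet that will host the private endpoint (assumption).')
param peSubnetId string

@description('MySQL administrator login and password, supplied at deployment time.')
param adminLogin string
@secure()
param adminPassword string

var identityName = 'MI-SRV-MYSQL-P01'   // identity name used in the manual
var keyVaultName = 'kv-mysql-weu-p01'   // assumed; must be globally unique
var serverName   = 'srv-mysql-p01'      // assumed; no special characters
var keyName      = 'key-mysql-p01'      // assumed

// STEP 1: user-assigned managed identity the server uses to authenticate to Key Vault.
resource mi 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// STEP 2: key vault. Soft delete and purge protection are mandatory, otherwise the server
// deployment fails. Vault access policies are used instead of RBAC, as the manual describes.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableSoftDelete: true
    enablePurgeProtection: true
    enableRbacAuthorization: false
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: mi.properties.principalId
        // Least privilege: only the key operations the server needs.
        permissions: { keys: [ 'get', 'wrapKey', 'unwrapKey' ] }
      }
    ]
    networkAcls: {
      bypass: 'AzureServices'   // "Allow trusted Microsoft services to bypass this firewall"
      defaultAction: 'Deny'     // public access from selected networks only
    }
  }
}

// RSA key for data encryption (EC is not supported); 2048, 3072 or 4096 bits.
resource key 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: keyName
  properties: {
    kty: 'RSA'
    keySize: 3072
    attributes: { enabled: true }
  }
}

// STEP 4: MySQL Flexible Server with data encryption bound to the identity and key above.
resource mysql 'Microsoft.DBforMySQL/flexibleServers@2023-06-30' = {
  name: serverName
  location: location
  sku: { name: 'Standard_D2ds_v4', tier: 'GeneralPurpose' }   // assumed tier/size
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${mi.id}': {} }
  }
  properties: {
    version: '8.0.21'
    administratorLogin: adminLogin
    administratorLoginPassword: adminPassword
    highAvailability: { mode: 'Disabled' }   // cannot be changed after creation
    dataEncryption: {
      type: 'AzureKeyVault'
      primaryUserAssignedIdentityId: mi.id
      primaryKeyURI: key.properties.keyUriWithVersion   // the key is selected with a version
      // With geo-redundant backup, geoBackupUserAssignedIdentityId and geoBackupKeyURI
      // would point at the identity and the North Europe vault key from step 3.
    }
  }
}

// Private endpoint to the server; the group id for MySQL Flexible Server is 'mysqlServer'.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${serverName}'
  location: location
  properties: {
    subnet: { id: peSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'plsc-${serverName}'
        properties: {
          privateLinkServiceId: mysql.id
          groupIds: [ 'mysqlServer' ]
        }
      }
    ]
  }
}
```

Deploy it into a resource group with `az deployment group create --template-file main.bicep --parameters peSubnetId=<subnet-id> adminLogin=<login>` and supply the password interactively. Referencing `mi.properties.principalId` in the access policy and `key.properties.keyUriWithVersion` in the server makes Bicep create the identity, vault and key before the server, which is the ordering the portal enforces in steps 1, 2 and 4.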
Troubleshooting / common errors
If you get the following error: Could not find Azure Key Vault Key with key name xxxxx, the managed identity does not have the correct permissions. Also make sure that the Key Vault uses vault access policies instead of role-based access control.
If you get the error: The provided Key Vault uri xxxxx is not valid. Please ensure the key vault has been configured with soft-delete and purge protection, go to your key vault, open Properties and select Enable purge protection at the bottom of the page.
More information:
https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview
https://learn.microsoft.com/en-us/azure/mysql/single-server/how-to-data-encryption-troubleshoot