
Secure SQL Server and KV with PE #720

Merged
merged 9 commits into from
Aug 14, 2024

Conversation

msalemcode
Contributor

@msalemcode msalemcode commented Jun 19, 2024

Description

This PR introduces several enhancements to improve the security and connectivity of the deployment by adding private endpoints to both KeyVault and SQL Server. The main changes are as follows:

  1. Adding Subnets for KeyVault and SQL Server:

    • New subnets have been created specifically for KeyVault and SQL Server to ensure they are isolated and secure.
  2. Modifying Database Connection to Use Managed Service Identity (MSI) Only:

    • The database connection has been updated to use MSI exclusively. This change resolves issues related to SSL connections when using private endpoints.
  3. Creating New Private Endpoints (PE) and Private DNS Zones (PDNS) for SQL and KeyVault:

    • New private endpoints and private DNS zones have been created for both SQL Server and KeyVault. This ensures that all traffic to these resources remains within the Azure network, enhancing security and performance.

Changes Made

  • Subnets Creation: Added new subnets for KeyVault and SQL Server.
  • Database Connection Update: Modified the database connection string to use MSI only.
  • Private Endpoints and DNS Zones: Created new private endpoints and private DNS zones for SQL Server and KeyVault.

Impact

  • Enhanced Security: By using private endpoints and private DNS zones, the resources are more secure as they are not exposed to the public internet.
  • Improved Connectivity: The use of MSI for database connections resolves SSL connection issues, ensuring a more reliable and secure connection.
  • Network Isolation: The creation of dedicated subnets for KeyVault and SQL Server ensures that these resources are isolated from other network traffic.

Testing

  • Verified that the new subnets are correctly created and associated with KeyVault and SQL Server.
  • Confirmed that the database connection using MSI works as expected and resolves the SSL connection issue.
  • Ensured that the private endpoints and private DNS zones are correctly configured and functional.

Conclusion

This PR significantly enhances the security and reliability of the deployment by adding private endpoints and using MSI for database connections. These changes ensure that the resources are securely isolated and that connections are reliable and secure.
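An added post-deployment check for the two properties this PR relies on, written as an example here and not part of the PR or the project's code: the database connection string must be managed-identity only (no embedded credentials, TLS still on), and the SQL Server and Key Vault host names must resolve into the new private subnets once the private DNS zones are in effect. The subnet prefixes, host names and connection strings are constructed placeholders, not values from the PR.

```python
"""Checks for an MSI-only SQL connection string and private endpoint DNS resolution."""
import ipaddress
import socket
from typing import Callable, Dict, List

# Assumed prefixes for the new SQL and KeyVault subnets (placeholders, not from the PR).
PRIVATE_SUBNETS = {
    "sql": ipaddress.ip_network("10.0.2.0/24"),
    "keyvault": ipaddress.ip_network("10.0.3.0/24"),
}

# Credential keys that must be absent once the connection is managed-identity only.
FORBIDDEN_KEYS = {"password", "pwd", "user id", "uid"}
# Authentication values used by SqlClient / ODBC for a system-assigned managed identity.
MSI_AUTH_VALUES = {"active directory managed identity", "active directory msi", "activedirectorymsi"}
TLS_ON = {"true", "yes", "mandatory", "strict"}


def parse_conn_string(conn: str) -> Dict[str, str]:
    """Split a 'Key=Value;Key=Value' connection string into a dict with lower-cased keys."""
    pairs: Dict[str, str] = {}
    for part in conn.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        pairs[key.strip().lower()] = value.strip()
    return pairs


def check_msi_only(conn: str) -> List[str]:
    """Return findings; an empty list means the string is MSI-only, secret-free and encrypted."""
    kv = parse_conn_string(conn)
    findings: List[str] = []
    auth = kv.get("authentication", "").lower()
    if auth not in MSI_AUTH_VALUES:
        findings.append(f"Authentication is '{auth or 'missing'}', expected a managed identity mode")
    for key in sorted(FORBIDDEN_KEYS & kv.keys()):
        findings.append(f"credential key '{key}' present; an MSI connection must not carry secrets")
    if kv.get("encrypt", "").lower() not in TLS_ON:
        findings.append("Encrypt is not enabled; keep TLS on even behind the private endpoint")
    return findings


def check_private_resolution(host: str, resource: str,
                             resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True when host resolves into the private subnet for resource (private DNS zone in effect).

    resolve is injectable so the check can run against captured answers without network access.
    """
    return ipaddress.ip_address(resolve(host)) in PRIVATE_SUBNETS[resource]
```

A resolver answer outside the private subnet after the private DNS zone is linked usually means the zone is not linked to the VNet the client sits in, or a public resolver is still being used.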

@msalemcode msalemcode marked this pull request as ready for review July 19, 2024 17:26

@fthorntonai fthorntonai left a comment


Review In Progress.

  • [Approved] Subnets Creation: Added new subnets for KeyVault and SQL Server.
  • [Approved] Database Connection Update: Modified the database connection string to use MSI only.
  • [Approved] Private Endpoints and DNS Zones: Created new private endpoints and private DNS zones for SQL Server and KeyVault.

Testing

  • [Approved] Verified that the new subnets are correctly created and associated with KeyVault and SQL Server.
  • [In-Progress] Confirmed that the database connection using MSI works as expected and resolves the SSL connection issue.
  • [In-Progress] Ensured that the private endpoints and private DNS zones are correctly configured and functional.


@v-ade v-ade left a comment


Works as expected.


@v-ade v-ade left a comment


Changes work as expected. Approved.

@santhoshb-msft
Contributor

Thanks @v-ade. @fthorntonai, looking forward to your approval before we merge this.


@fthorntonai fthorntonai left a comment


[Approved] Confirmed that the database connection using MSI works as expected and resolves the SSL connection issue.
[Approved] Ensured that the private endpoints and private DNS zones are correctly configured and functional.


@fthorntonai fthorntonai left a comment


Approved

Contributor

@santhoshb-msft santhoshb-msft left a comment


Approving based on the feedback.

@santhoshb-msft santhoshb-msft merged commit db99c0d into Azure:main Aug 14, 2024
7 checks passed