Internet traffic between Linode and Azure

I have an Ubuntu 20.04 Linode which connects to an Azure SQL Database via ODBC.
I wonder how secure the data traffic between the Linode and Azure datacenter is.

Is it possible for anyone to capture internet traffic between Linode and Azure?

4 Replies

It’s always best to assume any traffic on the internet can be captured and will be rather than assess the likelihood.

If you’re asking the question then you need to make sure you protect it!

There are lots of simple solutions which all offer their own advantages. A VPN is the most flexible, while something like stunnel is fast and drop-in for a connection to a fixed port or handful of ports.

There’s lots of other solutions too - if you’re going to protect the traffic you may as well protect it all - what else do you have going between them?

@create55 --

The only secure traffic is the traffic where YOU control the transmission to/from BOTH endpoints and can implement security policies that engender your trust. Any other situation…even if you "trust" one or the other endpoints…should be considered insecure.

You write:

> Is it possible for anyone to capture internet traffic between Linode and Azure?

Sure. Ever hear of a packet sniffer?

https://en.wikipedia.org/wiki/Packet_analyzer

These have lots of legitimate uses. They also have just as many illegitimate ones. The fact that packets can be filtered/captured is really irrelevant. The fact that you need to prevent deciphering and injection of traffic by a "man in the middle" is what's important.

I wrote a packet-filter/-capture engine for one of these back in the days before switched network fabrics. The instrument was part of HP's protocol analyzer product line.

-- sw

@hey, thanks for the answer.

The only traffic between my Linode and Azure are the database queries from PHP via ODBC driver for SQL Server link

What if I open the Azure SQL server to only allow traffic from the Linode's fixed IP-address?

I realize that I can use an Ubuntu Virtual Machine on Azure and have the traffic between the server and the database on an Azure Private endpoint, but I would rather use a Linode if possible because of simpler setup and the pricing model.

@create55 --

You write:

> What if I open the Azure SQL server to only allow traffic from the Linode's fixed IP-address?

This is not going to stop some 3rd party between the two endpoints from intercepting/injecting traffic.

Remember that internet traffic is packet-switched and TCP only gives you the illusion of a continuous stream. In reality, packets in a TCP stream (like ODBC) may each take very different (and circuitous) routes to get from one endpoint to the other. Any system in any route can sniff/decode/modify any packet in the stream.

Encryption makes that extremely difficult to do but a determined bad actor with enough time and resources is going to be able to do it if the end result is valuable enough to him.

That being said, I'm sure that an Azure VM will support ODBC over TLS but you (or whoever runs the Azure VM) will have to set it up. The Linode certainly will because you'll have to set it up. Use it. There isn't any other way to solve your problem.

If the Azure VM admin balks, then you have a different problem.

-- sw
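
Added example (not part of the thread or any poster's code): a small PHP check that a connection string for Microsoft's ODBC Driver for SQL Server requires TLS and validates the server certificate, which is what the "ODBC over TLS" advice above comes down to on the Linode side. The server name, database and credentials are constructed placeholders.

```php
<?php
// Added example, not from the thread. Server, database and credentials are
// constructed placeholders; Encrypt and TrustServerCertificate are keywords of
// Microsoft's ODBC Driver for SQL Server.

// Split "key=value;key={va;lue}" into a map with lower-cased keys.
function parse_odbc_dsn(string $dsn): array
{
    preg_match_all('/\s*([^=;]+?)\s*=\s*(\{(?:[^}]|\}\})*\}|[^;]*)/',
        $dsn, $pairs, PREG_SET_ORDER);
    $kv = [];
    foreach ($pairs as $p) {
        $kv[strtolower($p[1])] = trim($p[2]);
    }
    return $kv;
}

// Return a list of TLS problems; an empty list means the string enforces
// encryption and validates the server certificate.
function audit_odbc_tls(string $dsn): array
{
    $kv = parse_odbc_dsn($dsn);
    $findings = [];
    $encrypt = strtolower($kv['encrypt'] ?? '');
    if ($encrypt === '') {
        $findings[] = 'Encrypt is not set, so the driver default decides';
    } elseif (!in_array($encrypt, ['yes', 'mandatory', 'strict'], true)) {
        $findings[] = "Encrypt=$encrypt does not require TLS from the client";
    }
    $trust = strtolower($kv['trustservercertificate'] ?? 'no');
    if ($trust !== 'no') {
        $findings[] = 'TrustServerCertificate skips certificate validation, '
            . 'so a host on the path can impersonate the server';
    }
    return $findings;
}

$base = 'Driver={ODBC Driver 18 for SQL Server};'
    . 'Server=tcp:your-server.database.windows.net,1433;Database=appdb;'
    . 'Uid=app_user;Pwd={constructed;secret};';
$samples = [
    'weak'     => $base . 'Encrypt=no;TrustServerCertificate=yes',
    'hardened' => $base . 'Encrypt=yes;TrustServerCertificate=no',
];
foreach ($samples as $name => $dsn) {
    $findings = audit_odbc_tls($dsn);
    echo $name, ': ', $findings ? implode('; ', $findings) : 'OK', PHP_EOL;
}
```

On a live connection, `SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID` reports whether the current session is encrypted.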
