Microsoft SQL Server Anonymization - From 2017 to Azure SQL
Anonyx connects to your Microsoft SQL Server and Azure SQL instances and produces anonymized copies for non-production environments. FOREIGN KEY constraints, indexed views, DML triggers, stored procedures and advanced T-SQL types (XML, GEOGRAPHY, HIERARCHYID, ROWVERSION) are handled natively.
- SQL Server 2017, 2019, 2022 (all editions), Azure SQL Database and Managed Instance
- SQL, Windows and Azure AD (Entra ID) authentication supported
- Preservation of FOREIGN KEY, CHECK, DEFAULT and UNIQUE constraints
- Advanced T-SQL types: XML, GEOGRAPHY, GEOMETRY, HIERARCHYID, ROWVERSION, UNIQUEIDENTIFIER
- Deterministic anonymization to preserve inter-table joins
- EU sovereign hosting, GDPR compliance built-in
Connection via native Tedious driver
Anonyx uses tedious, the native Node.js driver for SQL Server, with no ODBC or OLE DB dependency. You provide SQL credentials or an Azure AD token. For deployments behind a firewall, the Business plan offers an automated SSH tunnel or Azure Private Link for Azure SQL databases.
The service account requires SELECT on the source (ideally read-only via a dedicated user and a masking schema on the SQL side for the most sensitive columns) and INSERT, UPDATE, DELETE, CREATE TABLE on the target. Always On Availability Groups are supported by pointing to the listener.
Advanced T-SQL types
XML columns can be anonymized via XPath expressions. The T-SQL modify() function is used to replace targeted subelements while preserving the document structure. Spatial types GEOGRAPHY and GEOMETRY benefit from the same geographic transformations as PostGIS: radius-based fuzzing, grouping into administrative cells, or replacement with administrative centers.
HIERARCHYID columns (materialized tree structure) are preserved by default - their structure does not contain PII. If you want to break correlation between hierarchical paths (e.g. anonymizing an org chart), Anonyx can randomize paths while preserving depth and degree.
DML triggers and constraints
During target writes, active DML triggers can be temporarily disabled (DISABLE TRIGGER ALL ON [table]) and then reactivated - the default behavior to avoid costly side effects. FOREIGN KEY constraints can also be disabled (NOCHECK CONSTRAINT) if you guarantee integrity through insertion order, which can cut anonymization time in half on heavily constrained schemas.
Azure SQL and managed services
For Azure SQL Database, Anonyx automatically adapts write throughput to the DTUs / vCores of the tier (Basic, Standard, Premium, Business Critical). Hyperscale tiers and Elastic Pools are supported. Azure AD (Entra ID) authentication via service principal or managed identity is recommended to avoid storing SQL passwords.
For SQL Managed Instance, coverage is identical to on-premise SQL Server, including advanced features (linked servers, SQL Agent jobs, Service Broker - preserved but never executed during writes).