Datasnap (TCP) on Azure VM with publicly Open Port

Hello

I need to have a datasnap server running on a simple Azure VM (B1s) machine with a static public IP address. The database is Azure SQL in a US datacenter. The VM is proximate to the user.

The database and the VM are not in the company LAN. Neither has any access to the company network. Neither has any user credentials. No data is saved on the VM.
All data transferred is encrypted and compressed.

As this is a secondary project I don’t have time to develop and get the required certificates for HTTPS connection. Also, I have seen that TCP connection is ~30% faster than HTTP due to smaller payload.
Performance is essential.

Watching some of the “TCoffeeAndCode” episodes I have heard that leaving a port open on a publicly accessible VM is dangerous and a “No No”. On the other hand others say an open port does not immediately mean a security issue. It depends on the service using the port. I also know others have successfully used datasnap in this way.

My security assertions thus far are:

  • there is no access to any network assets
  • datasnap stream is binary and encrypted
  • the application only has access to database stored procedures

However, another vendor implementing and managing the Azure assets (SQL database and VMs) has already indicated it might have security issues with this configuration.

I was wondering if anyone has had experience in this field and wanted to share some thoughts.

Thank you

Hello Fabio,

I am running a DataSnap server with PC1 encryption on a Windows Server 2021 R2 using the binary format & TCP transport.

How does that differ from a web server on an open port 80 or 8080?

I’d say the transport layer is protected by OpenSSL and the “esoteric format” of DataSnap makes a potential attack a lot of work for relatively little gain. If you know where your client-side requests are coming from you might be able to restrict the open port to a small list of IP addresses or a DNS record A entry for those out in the field.

Salut,
Mathias
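The source restriction Mathias suggests, written out as an Azure CLI script. This is an added example, not code from the thread or from Embarcadero: it assumes a resource group named rg-datasnap, an NSG named nsg-datasnap-vm attached to the VM's NIC or subnet, TCP port 211 (DataSnap's default, change it if the server listens elsewhere) and a constructed allow-list taken from the RFC 5737 documentation ranges. It refuses to build the rule if the allow-list contains a wildcard, which is the usual way such a rule quietly ends up open to the whole Internet again, and it pairs the Allow with an explicit Deny on the same port so that a later, lower-priority "allow any" rule cannot override it.

```shell
#!/bin/sh
# Added example (not from the thread above). Prints the two `az network nsg
# rule create` commands that limit the DataSnap TCP port to an allow-list,
# and runs them only when APPLY=1 is set and the Azure CLI is installed.
# Assumed names (not from the thread): rg-datasnap, nsg-datasnap-vm, port 211.
RG="${RG:-rg-datasnap}"
NSG="${NSG:-nsg-datasnap-vm}"
PORT="${PORT:-211}"
# Constructed sample allow-list (RFC 5737 documentation addresses).
ALLOWED="${ALLOWED:-203.0.113.0/24 198.51.100.7/32}"

# Return 0 for an explicit IPv4 address or CIDR prefix, 1 for anything that
# would re-open the port to every source (wildcards, service-tag catch-alls).
prefix_ok() {
  case "$1" in
    '*'|0.0.0.0/0|Internet|Any|'') return 1 ;;
  esac
  # Dotted-quad with optional /len; az validates octet and length ranges.
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Allow rule: priority 100 is evaluated before the deny below.
allow_rule_cmd() {
  printf 'az network nsg rule create --resource-group %s --nsg-name %s --name AllowDataSnapFromAllowList --priority 100 --direction Inbound --access Allow --protocol Tcp --source-address-prefixes %s --source-port-ranges "*" --destination-address-prefixes "*" --destination-port-ranges %s\n' \
    "$RG" "$NSG" "$1" "$PORT"
}

# Deny rule: catches every other source on the same port, ahead of any
# broader Allow someone adds later with a higher priority number.
deny_rule_cmd() {
  printf 'az network nsg rule create --resource-group %s --nsg-name %s --name DenyDataSnapFromElsewhere --priority 110 --direction Inbound --access Deny --protocol Tcp --source-address-prefixes "*" --source-port-ranges "*" --destination-address-prefixes "*" --destination-port-ranges %s\n' \
    "$RG" "$NSG" "$PORT"
}

# Validate the allow-list, then emit both commands (one per line).
main_plan() {
  for p in $ALLOWED; do
    prefix_ok "$p" || { echo "refusing prefix '$p': it would expose port $PORT to all sources" >&2; return 1; }
  done
  allow_rule_cmd "$ALLOWED"
  deny_rule_cmd
}

if [ "${APPLY:-0}" = 1 ] && command -v az >/dev/null 2>&1; then
  main_plan | sh -e          # apply the plan against the subscription
else
  main_plan                  # dry run: show what would be created
fi
```

Run it once without APPLY to review the commands, then with APPLY=1 from a shell that is already logged in with `az login`. Afterwards, `az network nic list-effective-nsg` on the VM's NIC is the check that the rules actually landed on the interface, since a rule on the wrong NSG leaves the port exactly as open as before.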

Thank you Mathias

A list of IP addresses is not possible and would continually change due to work from home or site etc.
However, I believe it is possible to designate the country code for the port and restrict others.

It sounds to me that as long as what is listening on the port is well protected by encryption, etc., then there should not be any security risk.

Thanks again