Currently the Azure roles use ConfigurationSettings to hold the production connection string info. Currently, a debug setting is set in the .cscfg file and once uploaded to the server, someone must manually replace that setting with the production string. This is problematic as a new copy of the Azure instance is published, the connection string will be reset to whatever is in the .cscfg file.
I recommend we take the database connection string out of the .cscfg file and put the production string into the Web.config files. Parts of those files can be encrypted and we should encrypt the production string using the PKCS12ProtectedConfigurationProvider from MS, which I requested they open source. Additionally, we should have a default debug value that allows developers to do development.