Description:

Enable connection_throttling on PostgreSQL Servers.


Rationale:

Enabling connection_throttling helps the PostgreSQL Database to Set the verbosity of logged messages. This in turn generates query and error logs with respect to concurrent connections that could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify troubleshoot, and repair configuration errors and sub-optimal performance.


Audit:

From Azure Portal

1. Login to Azure Portal using https://portal.azure.com.

2. Go to Azure Database for PostgreSQL servers.

3. For each database, click on Server parameters.

4. Search for connection_throttling.

5. Ensure that value is set to ON.


From Azure CLI

Ensure connection_throttling value is set to ON

az postgres server configuration show --resource-group <resourceGroupName> --

server-name <serverName> --name connection_throttling

From PowerShell

Ensure connection_throttling value is set to ON

Get-AzPostgreSqlConfiguration -ResourceGroupName <ResourceGroupName> -

ServerName <ServerName> -Name connection_throttling

Remediation:

From Azure Portal

1. Login to Azure Portal using https://portal.azure.com.

2. Go to Azure Database for PostgreSQL servers.

3. For each database, click on Server parameters.

4. Search for connection_throttling.

5. Click ON and save.


From Azure CLI

Use the below command to update connection_throttling configuration.

az postgres server configuration set --resource-group <resourceGroupName> --

server-name <serverName> --name connection_throttling --value on

From PowerShell

Use the below command to update connection_throttling configuration.

Update-AzPostgreSqlConfiguration -ResourceGroupName <ResourceGroupName> -

ServerName <ServerName> -Name connection_throttling -Value on

Default Value:

By default, connection_throttling is enabled (set to on).


References:

1. https://docs.microsoft.com/enus/rest/api/postgresql/singleserver/configurations/list-by-server

2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-serverparameters-using-portal

3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-4-enable-logging-for-azure-resources

4. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/getazpostgresqlconfiguration?view=azps-9.2.0#example-2-get-specified-postgresqlconfiguration-by-name

5. https://learn.microsoft.com/en-us/powershell/module/az.postgresql/updateazpostgresqlconfiguration?view=azps-9.2.0#example-1-update-postgresqlconfiguration-by-name