Profile Applicability:
Level 1
Description:
The Allow access to Azure services setting for Azure Database for PostgreSQL determines whether clients connecting from Azure public IP addresses can reach the PostgreSQL server. It is not a separate flag on the server: it is an ordinary server-level firewall rule (named AllowAllWindowsAzureIps when enabled through the portal on Single Server) whose start and end address are both 0.0.0.0, which the service interprets as "any Azure IP". Because it matches any Azure-owned address, it admits connections from resources in other customers' subscriptions as well, not only from services in your own environment. Disabling it restricts access to the explicitly listed client IP ranges, VNet service endpoint rules or private endpoints, which prevents unauthorized network access from other Azure-hosted workloads.
Rationale:
By disabling access to Azure services, the database server is reachable only from clients whose IP ranges or virtual networks are explicitly allowed. This reduces the risk of unauthorized access or unintended exposure of sensitive data to other workloads in Azure, including those belonging to other tenants, which would otherwise pass the server firewall simply because their traffic originates from an Azure IP address. Database authentication is still required in either case; the firewall rule only controls which sources may attempt to connect.
Impact:
Pros:
Reduces the attack surface by limiting access to trusted networks.
Enhances security by ensuring that only explicitly authorized services can access the database.
Cons:
Some Azure services that need to communicate with the database might require additional configuration, such as a private endpoint connection, a Virtual Network (VNet) service endpoint rule, or a firewall rule for the service's outbound public IP address.
Default Value:
By default, Allow access to Azure services is set to Enabled, which allows any Azure-hosted resource, including resources in other subscriptions, to pass the server firewall and attempt to connect to the PostgreSQL server.
Pre-requisites:
Ensure that appropriate network configurations, such as Virtual Network (VNet) and private endpoints, are set up for services that need to access the PostgreSQL server.
Remediation
Test Plan:
Using Azure Portal:
Log in to the Azure Portal: https://portal.azure.com.
Navigate to Azure Database for PostgreSQL Servers.
Select the PostgreSQL server.
Under Settings, click on Connection security.
Ensure that Allow access to Azure services is set to Disabled.
Using Azure CLI:
1. Run the following command to list the server's firewall rules and return any rule that implements the Allow access to Azure services exception (start and end address both 0.0.0.0):
az postgres server firewall-rule list --resource-group <resource-group-name> --server-name <server-name> --query "[?startIpAddress=='0.0.0.0' && endIpAddress=='0.0.0.0']"
The output should be an empty list ([]). Any rule returned, typically named AllowAllWindowsAzureIps, indicates that access from Azure services is still enabled. Note that az postgres server targets Single Server; for Flexible Server run az postgres flexible-server firewall-rule list with --resource-group <resource-group-name> --name <server-name> and the same --query.
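The following script is an added example, not part of the original benchmark text or of any Microsoft tooling. It implements the check described above on the JSON that az postgres server firewall-rule list -o json returns: it matches the 0.0.0.0 to 0.0.0.0 range rather than the rule name, since a rule with any other name but the same range grants identical access, and it also flags a 0.0.0.0 to 255.255.255.255 rule, which goes slightly beyond this recommendation because such a rule opens the server to the whole Internet. The sample rule list embedded in the script is constructed for the demonstration; the resource group and server names example-rg and example-pg are placeholders.

```python
"""Audit Azure Database for PostgreSQL firewall rules for the
'Allow access to Azure services' exception.

The setting is not a flag on the server resource; it is a server-level
firewall rule whose start and end address are both 0.0.0.0. This script
checks a rule list (the shape `az postgres server firewall-rule list -o json`
returns) for that range and builds the matching delete commands.
"""
import json
import subprocess
from typing import Dict, List

# Rule name the Azure portal assigns on Single Server when the toggle is enabled.
PORTAL_RULE_NAME = "AllowAllWindowsAzureIps"

# Constructed sample output (not captured from a real server), in the shape
# `az postgres server firewall-rule list -o json` returns.
SAMPLE_RULES: List[Dict] = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
    {"name": "everything", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
]


def is_azure_services_rule(rule: Dict) -> bool:
    """True when the rule is the 'Allow access to Azure services' exception.
    Match on the address range, not the name: a hand-made rule with another
    name but the same 0.0.0.0-0.0.0.0 range grants identical access."""
    return rule.get("startIpAddress") == "0.0.0.0" and rule.get("endIpAddress") == "0.0.0.0"


def is_open_to_internet(rule: Dict) -> bool:
    """True when the rule admits every IPv4 address. Not the setting this
    recommendation covers, but worse, so the audit reports it alongside."""
    return rule.get("startIpAddress") == "0.0.0.0" and rule.get("endIpAddress") == "255.255.255.255"


def find_azure_services_rules(rules: List[Dict]) -> List[str]:
    """Names of rules that enable access from any Azure public IP."""
    return [r["name"] for r in rules if is_azure_services_rule(r)]


def find_internet_rules(rules: List[Dict]) -> List[str]:
    """Names of rules that enable access from any IPv4 address."""
    return [r["name"] for r in rules if is_open_to_internet(r)]


def remediation_commands(resource_group: str, server: str, rule_names: List[str]) -> List[List[str]]:
    """az invocations (Single Server CLI) that delete each offending rule."""
    return [
        ["az", "postgres", "server", "firewall-rule", "delete",
         "--resource-group", resource_group, "--server-name", server,
         "--name", name, "--yes"]
        for name in rule_names
    ]


def list_firewall_rules(resource_group: str, server: str) -> List[Dict]:
    """Fetch the live rule list; requires an authenticated az CLI on PATH."""
    result = subprocess.run(
        ["az", "postgres", "server", "firewall-rule", "list",
         "--resource-group", resource_group, "--server-name", server, "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


def audit(rules: List[Dict], resource_group: str, server: str) -> Dict:
    """Evaluate one server's rules and return findings plus remediation."""
    azure = find_azure_services_rules(rules)
    internet = find_internet_rules(rules)
    return {
        "compliant": not azure and not internet,
        "azure_services_rules": azure,
        "internet_rules": internet,
        "remediation": remediation_commands(resource_group, server, azure + internet),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # live mode: python audit_pg_firewall.py <resource-group> <server>
        rg, srv = sys.argv[1], sys.argv[2]
        rules = list_firewall_rules(rg, srv)
    else:  # offline demonstration on the constructed sample (placeholder names)
        rg, srv = "example-rg", "example-pg"
        rules = SAMPLE_RULES
    print(json.dumps(audit(rules, rg, srv), indent=2))
```

Run without arguments to see the result on the constructed sample; pass a resource group and server name to audit a real Single Server. The delete commands are returned rather than executed so that an operator can review them before removing access that a legitimate Azure service may still rely on.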
Implementation Plan:
Using Azure Portal:
Navigate to Azure Database for PostgreSQL Servers.
Select the PostgreSQL server.
Under Settings, click on Connection security.
Set Allow access to Azure services to Disabled and click Save.
Using Azure CLI:
1. To disable access to Azure services, delete the firewall rule that implements it. The rule is named AllowAllWindowsAzureIps when the setting was enabled through the portal; if the test-plan query returned a different name, delete that rule instead:
az postgres server firewall-rule delete --resource-group <resource-group-name> --server-name <server-name> --name AllowAllWindowsAzureIps
Backout Plan:
Using Azure Portal:
Go to Azure Database for PostgreSQL Servers.
Under Connection security, set Allow access to Azure services to Enabled if necessary.
Using Azure CLI:
1. To revert the setting and allow access to Azure services again, recreate the firewall rule with the 0.0.0.0 range that the service interprets as "any Azure IP":
az postgres server firewall-rule create --resource-group <resource-group-name> --server-name <server-name> --name AllowAllWindowsAzureIps --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0