Profile Applicability:

  • Level 1

Description:
 This check ensures that no Azure SQL Server (and therefore no Azure SQL Database hosted on it) has a server-level firewall rule that allows ingress from 0.0.0.0/0, that is, from any IP address. Azure SQL firewall rules are expressed as start/end IPv4 ranges rather than CIDR blocks, so the condition covers a rule spanning 0.0.0.0 to 255.255.255.255 (any Internet address) as well as the special 0.0.0.0 to 0.0.0.0 rule that is created when "Allow Azure services and resources to access this server" is enabled. Limiting access to trusted IP addresses or ranges prevents unauthorized connections and reduces the attack surface of the database.

Rationale:
 Allowing access from any IP address (0.0.0.0/0) exposes the SQL server's public endpoint to every network, including untrusted external sources, leaving only the database credentials between an attacker and the data. The "Allow Azure services and resources to access this server" exception is almost as broad: it admits connections from any resource running in Azure, including resources in other customers' subscriptions, not just your own. Restricting access to explicitly trusted networks (specific public IP ranges, Virtual Network rules or Private Endpoints) prevents unauthorized connections and password-guessing attacks from the public Internet.

Impact:

  • Pros:

    • Reduces exposure to external threats by limiting the IP addresses that can access the database.

    • Enhances security by preventing open access to the database from the internet.

    • Helps in regulatory compliance for secure network configurations.

  • Cons:

    • Could disrupt services if the IP ranges, Virtual Network rules or Private Endpoints that legitimate clients use are not configured before the open rules are removed; Azure-hosted clients (for example App Service, Azure Functions or Data Factory) that relied on the "Allow Azure services" exception lose connectivity until they are granted access another way.

Default Value:

Depending on how the server was created, "Allow Azure services and resources to access this server" may be enabled by default; this appears as a firewall rule named AllowAllWindowsAzureIps with start and end IP 0.0.0.0. A rule spanning 0.0.0.0 to 255.255.255.255 is not created by default but is commonly added by hand during troubleshooting and then left in place.

Pre-requisites:
 Before removing open rules, ensure that every legitimate client has another path to the server: explicit firewall rules for known public egress IP ranges, Virtual Network rules (service endpoints) for clients inside Azure VNets, or Private Endpoints so that the public endpoint is not needed at all.

Remediation:

Test Plan:

Using Azure Portal:

  1. Log in to the Azure Portal: https://portal.azure.com.

  2. Navigate to SQL Servers.

  3. Select the SQL Server instance.

  4. Under Networking, on the Public access tab, under Exceptions, ensure that Allow Azure services and resources to access this server is unchecked.

  5. Review all firewall rules for the server, ensuring that no rule has a start IP of 0.0.0.0. A rule from 0.0.0.0 to 255.255.255.255 allows any IP address; a rule from 0.0.0.0 to 0.0.0.0 is the Azure services exception from the previous step.

Using Azure CLI:

  1. Run the following command to list the server-level firewall rules for the SQL server:

az sql server firewall-rule list --resource-group <resource-group-name> --server <sql-server-name>

  To show only rules that start at 0.0.0.0, filter the same command with a JMESPath query:

az sql server firewall-rule list --resource-group <resource-group-name> --server <sql-server-name> --query "[?startIpAddress=='0.0.0.0'].{name:name, start:startIpAddress, end:endIpAddress}" -o table

  • Ensure that the output does not contain any rule with a startIpAddress of 0.0.0.0 (in particular 0.0.0.0 to 255.255.255.255) or any rule named AllowAllWindowsAzureIps, which is the "Allow Azure services" exception.

  • This command lists server-level rules only. Database-level rules created with sp_set_database_firewall_rule must be reviewed inside each database by querying sys.database_firewall_rules.

Implementation Plan:

Using Azure Portal:

  1. Navigate to SQL Servers.

  2. Select the server and go to Networking.

  3. Uncheck Allow Azure services and resources to access this server.

  4. Review and delete any firewall rule with a start IP of 0.0.0.0.

Using Azure CLI:

  1. To disable the default rule allowing access from Azure services (the same setting as the portal checkbox), run:

az sql server firewall-rule delete --resource-group <resource-group-name> --server <sql-server-name> --name "AllowAllWindowsAzureIps"

  2. To delete any custom rule allowing access from 0.0.0.0/0, using the rule name reported by the Test Plan, run:

az sql server firewall-rule delete --resource-group <resource-group-name> --server <sql-server-name> --name <firewall-rule-name>
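As an added, offline-runnable example (not part of the original benchmark text), the following Python script applies the audit logic from the Test Plan and then emits the delete commands from the Implementation Plan, working from the JSON that `az sql server firewall-rule list -o json` prints. The rule names, addresses, resource group and server name in it are constructed placeholders, and the three failing status categories and the `check_sql_fw.py` file name are this example's own choices, not Azure's.

```python
"""Audit Azure SQL server-level firewall rules for 0.0.0.0/0 exposure.

Usage:
  az sql server firewall-rule list -g RG -s SERVER -o json | python3 check_sql_fw.py RG SERVER
With no arguments the constructed sample below is used instead.
"""
import ipaddress
import json
import shlex
import sys

# Constructed sample of the fields this script uses from
# `az sql server firewall-rule list -o json`; names and addresses are illustrative.
SAMPLE_RULES_JSON = """
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0",      "endIpAddress": "0.0.0.0"},
  {"name": "AllowAll",                "startIpAddress": "0.0.0.0",      "endIpAddress": "255.255.255.255"},
  {"name": "legacy-open",             "startIpAddress": "0.0.0.0",      "endIpAddress": "192.0.2.255"},
  {"name": "office-egress",           "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"}
]
"""

ZERO = ipaddress.IPv4Address("0.0.0.0")
BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def load_sample_rules():
    """Parse the constructed sample into the list shape az CLI returns."""
    return json.loads(SAMPLE_RULES_JSON)


def classify_rule(rule):
    """Return a status for one server-level rule.

    Azure SQL rules are start/end IPv4 ranges, not CIDRs, so "0.0.0.0/0" maps to:
    AZURE_SERVICES  the 0.0.0.0-0.0.0.0 sentinel (the Allow Azure services exception,
                    created as AllowAllWindowsAzureIps),
    ANY_IP          the full 0.0.0.0-255.255.255.255 range,
    STARTS_AT_ZERO  any other rule whose start address is 0.0.0.0.
    Everything else is OK for the purposes of this check.
    """
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if end < start:
        raise ValueError(f"rule {rule['name']!r}: end address precedes start address")
    if start == ZERO and end == ZERO:
        return "AZURE_SERVICES"
    if start == ZERO and end == BROADCAST:
        return "ANY_IP"
    if start == ZERO:
        return "STARTS_AT_ZERO"
    return "OK"


def audit_rules(rules):
    """Classify every rule and record how many addresses it admits."""
    findings = []
    for rule in rules:
        start = ipaddress.IPv4Address(rule["startIpAddress"])
        end = ipaddress.IPv4Address(rule["endIpAddress"])
        findings.append({
            "name": rule["name"],
            "range": f"{start}-{end}",
            "addresses": int(end) - int(start) + 1,
            "status": classify_rule(rule),
        })
    return findings


def remediation_commands(findings, resource_group, server):
    """Emit one `az sql server firewall-rule delete` per failing rule, shell-quoted."""
    return [
        "az sql server firewall-rule delete "
        f"--resource-group {shlex.quote(resource_group)} "
        f"--server {shlex.quote(server)} "
        f"--name {shlex.quote(f['name'])}"
        for f in findings
        if f["status"] != "OK"
    ]


def main(argv):
    if len(argv) == 3 and not sys.stdin.isatty():
        rules, rg, server = json.load(sys.stdin), argv[1], argv[2]
    else:
        rules, rg, server = load_sample_rules(), "<resource-group-name>", "<sql-server-name>"
    findings = audit_rules(rules)
    for f in findings:
        print(f"{f['status']:<15} {f['name']:<26} {f['range']} ({f['addresses']} addresses)")
    cmds = remediation_commands(findings, rg, server)
    if cmds:
        print("\n# Proposed remediation (review before running):")
        print("\n".join(cmds))
    return 1 if cmds else 0   # non-zero exit makes the check usable in a pipeline


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The address count is printed for every rule so that a reviewer can also spot ranges that pass this check but are still far wider than a single office egress address; the script only fails rules that match the benchmark's own criteria.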


Backout Plan:

Using Azure Portal:

  1. Go to SQL Servers.

  2. Under Networking, on the Public access tab, re-enable Allow Azure services and resources to access this server, or re-create the specific IP rule that was removed, if a legitimate client lost access.

Using Azure CLI:

  1. To re-enable access from Azure services, run:

az sql server firewall-rule create --resource-group <resource-group-name> --server <sql-server-name> --name "AllowAllWindowsAzureIps" --start-ip-address "0.0.0.0" --end-ip-address "0.0.0.0"


References: