Profile Applicability:
Level 1
Description:
Disabling Public Network Access ensures that the database or resource is not accessible from public IP addresses. This restricts access to only trusted, selected networks or services and significantly improves the security of your database or resource by preventing unauthorized external access.
Rationale:
Allowing access from the public internet (0.0.0.0/0) increases the attack surface of your database or service, exposing it to various security risks. Disabling public network access limits access to trusted networks, ensuring that sensitive data remains protected. This is a best practice to minimize vulnerabilities and adhere to security compliance standards.
Impact:
Pros:
Reduces the exposure of your database or service to external threats.
Enhances data security by limiting access to only specific, trusted networks.
Helps ensure compliance with various security standards and regulations.
Cons:
Can block legitimate access if other network configurations (like VPNs or private endpoints) are not set up.
Might require changes to network access configurations if additional systems or services need to connect to the resource.
Default Value:
By default, Public Network Access is set to Enabled, meaning the database or resource can be accessed from any IP.
Pre-requisites:
Ensure that the required access configurations (e.g., Virtual Network, Private Endpoint) are properly set up for legitimate access to the resource.
Remediation
Test Plan:
Using Azure Portal:
Log in to Azure Portal: https://portal.azure.com.
Navigate to the resource (e.g., SQL Database, PostgreSQL, etc.) for which you want to disable public access.
Under Settings, click Networking or Connection security (depending on the resource).
Ensure that Allow access to Azure services is set to No.
Review all firewall rules to ensure that no rules are allowing access from 0.0.0.0/0.
Using Azure CLI:
1. Run the following command to list firewall rules for the SQL server:
az sql server firewall-rule list --resource-group <resource-group-name> --server <server-name>
Ensure there are no rules allowing access from 0.0.0.0/0 or any similar open IP range.
Implementation Plan:
Using Azure Portal:
Go to SQL Database or your resource.
Navigate to Networking or Connection security.
Set Allow access to Azure services to No.
Remove or modify any firewall rules that allow access from 0.0.0.0/0.
Save the configuration.
Using Azure CLI:
1. To disable public access, run:
az sql server firewall-rule delete --resource-group <resource-group-name> --server <server-name> --name AllowAllWindowsAzureIps
Backout Plan:
Using Azure Portal:
Navigate to the Networking or Connection security section.
Set Allow access to Azure services back to Yes if public access needs to be re-enabled.
Using Azure CLI:
1. To revert the change and allow access from Azure services, run:
az sql server firewall-rule create --resource-group <resource-group-name> --server <server-name> --name AllowAllWindowsAzureIps --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0
References: