Profile Applicability:
 Level 1

Description:
 Disabling public network access on Azure resources, such as Storage Accounts, SQL servers, and other data services, restricts access exclusively to private networks and trusted endpoints. This prevents exposure of resources to the public internet, significantly reducing the attack surface and risk of unauthorized access.

Rationale:
 Allowing public network access to critical resources increases the likelihood of external attacks, data breaches, and unauthorized access. By disabling public access, organizations enforce strict network boundaries, ensuring that only traffic from approved virtual networks or private endpoints can reach these resources, thus strengthening security posture.

Impact:

  • Pros:

    • Limits exposure to public internet and potential attackers.

    • Supports compliance with strict regulatory and security policies.

    • Encourages use of secure private connectivity options like Azure Private Link.

  • Cons:

    • May require reconfiguration of applications and services to access resources via private networks.

    • Could disrupt existing workflows that rely on public endpoints if not planned properly.

Default Value:
 Public network access is enabled by default on many Azure services unless explicitly disabled.

Pre-requisites:

  • Appropriate Azure role-based access to modify network and resource settings.

  • Understanding of existing network architecture and dependencies on public access.

Remediation:

Test Plan:

Using Azure Portal:

  1. Log in to https://portal.azure.com.

  2. Navigate to the resource (e.g., Storage Account, SQL Server).

  3. Under the Networking or Firewalls and virtual networks section, verify the Public network access setting.

  4. Confirm that public network access is set to Disabled or Selected networks only (with no public access allowed).

Using Azure CLI:

1. For a Storage Account, run:

az storage account show --name <storage-account-name> --resource-group <resource-group> --query "networkRuleSet.defaultAction"

2. Ensure it returns Deny, which indicates that public access is disabled.

3. For Azure SQL Server, run:

az sql server show --name <server-name> --resource-group <resource-group> --query publicNetworkAccess

4. Ensure the value is Disabled.
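
The following script is an added example, not part of this benchmark: it runs the two Test Plan queries above against every Storage Account and SQL Server in the current subscription and prints a PASS/FAIL line per resource. It assumes `az login` has already been performed; the function names and the AZ_AUDIT_SCAN variable are illustrative choices of this example.

```shell
#!/bin/sh
# Added example (not benchmark code): audit public network access on all
# Storage Accounts and SQL Servers in the current subscription, using the
# same queries as the Test Plan. Assumes `az login` has been done.

# A storage account passes only when networkRuleSet.defaultAction is "Deny".
# Anything else, including empty output from a failed query, is a FAIL.
storage_is_compliant() {
    case "$1" in
        Deny) return 0 ;;
        *)    return 1 ;;
    esac
}

# A SQL server passes only when publicNetworkAccess is "Disabled".
sql_is_compliant() {
    case "$1" in
        Disabled) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print one tab-separated report line: type name rg value PASS|FAIL.
# $5 is the name of the checker function to apply to the value in $4.
report_line() {
    if "$5" "$4"; then status=PASS; else status=FAIL; fi
    printf '%s\t%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "${4:-<none>}" "$status"
}

# Enumerate resources ("name<TAB>resourceGroup") and check each one.
audit_subscription() {
    tab="$(printf '\t')"
    az storage account list --query "[].[name,resourceGroup]" -o tsv |
    while IFS="$tab" read -r name rg; do
        v=$(az storage account show --name "$name" --resource-group "$rg" \
              --query "networkRuleSet.defaultAction" -o tsv 2>/dev/null)
        report_line storage "$name" "$rg" "$v" storage_is_compliant
    done
    az sql server list --query "[].[name,resourceGroup]" -o tsv |
    while IFS="$tab" read -r name rg; do
        v=$(az sql server show --name "$name" --resource-group "$rg" \
              --query publicNetworkAccess -o tsv 2>/dev/null)
        report_line sql "$name" "$rg" "$v" sql_is_compliant
    done
}

# The live scan runs only when requested: AZ_AUDIT_SCAN=1 sh audit.sh
if [ "${AZ_AUDIT_SCAN:-}" = "1" ]; then
    audit_subscription
fi
```

Pipe the output through `grep FAIL` to list only the resources that still allow public access.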

Implementation Plan:

Using Azure Portal:

  1. Navigate to the resource’s Networking settings.

  2. Set Public network access to Disabled or restrict it to specific virtual networks only.

  3. Save the configuration.

  4. Validate that the resource is no longer accessible via public IP or endpoint.

Using Azure CLI:

1. Disable public network access for a Storage Account:

az storage account update --name <storage-account-name> --resource-group <resource-group> --default-action Deny

2. Disable public network access for Azure SQL Server:

az sql server update --name <server-name> --resource-group <resource-group> --public-network-access Disabled

Backout Plan:

Using Azure Portal:

  1. Re-enable public network access by reverting the setting to Enabled or All networks.

  2. Communicate changes to affected teams and monitor connectivity.

Using Azure CLI:

1. Enable public network access for Storage Account:

az storage account update --name <storage-account-name> --resource-group <resource-group> --default-action Allow

2. Enable public network access for Azure SQL Server:

az sql server update --name <server-name> --resource-group <resource-group> --public-network-access Enabled
References: