Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)

MEDIUM

Description

Description:

Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).

Rationale:

Azure SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.

By default, for a SQL server, a Firewall exists with StartIp of 0.0.0.0 and EndIP of 0.0.0.0 allowing access to all the Azure services.

Additionally, a custom rule can be set up with StartIp of 0.0.0.0 and EndIP of 255.255.255.255 allowing access from ANY IP over the Internet.

In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific datacenters.

Disabling 'Allow Azure services and resources to access this server' will break all connections to SQL server and Hosted Databases unless custom IP specific rules are added in Firewall Policy.
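The two rule shapes described above can be checked mechanically. The following is an added audit example, not code from the benchmark or from Azure tooling: it applies the checks to the JSON list that az sql server firewall-rule list returns for a server. The rule list here is constructed inline; the field names name, startIpAddress and endIpAddress are assumed to match the az CLI output, and the "broader than /16" threshold is an assumed local policy, not a benchmark requirement.

```python
import ipaddress
import json

# Constructed sample in the shape of:
#   az sql server firewall-rule list -g <resource group name> -s <server name>
# (field names assumed from the az CLI output; other fields omitted).
SAMPLE_RULES_JSON = """
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "everyone", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "half-the-internet", "startIpAddress": "0.0.0.0", "endIpAddress": "127.255.255.255"}
]
"""

AZURE_SERVICES_RULE = "AllowAllWindowsAzureIps"   # default rule, 0.0.0.0-0.0.0.0 sentinel
ANY_IP = ipaddress.ip_network("0.0.0.0/0")
MAX_PREFIX_BREADTH = 16   # assumed local policy: anything wider than a /16 is a finding


def rule_to_cidrs(rule):
    """Express an Azure start/end IP range as the CIDR blocks it covers."""
    start = ipaddress.ip_address(rule["startIpAddress"])
    end = ipaddress.ip_address(rule["endIpAddress"])
    # Azure rejects start > end, so summarize_address_range will not raise here.
    return list(ipaddress.summarize_address_range(start, end))


def audit_firewall_rules(rules):
    """Return [{'name': ..., 'reason': ...}] for every rule that fails the control."""
    findings = []
    for rule in rules:
        name, start, end = rule["name"], rule["startIpAddress"], rule["endIpAddress"]
        # 0.0.0.0-0.0.0.0 is not a real range: it is the "Allow Azure services" flag.
        if name == AZURE_SERVICES_RULE or (start == "0.0.0.0" and end == "0.0.0.0"):
            findings.append({"name": name, "reason": "allows all Azure services"})
            continue
        cidrs = rule_to_cidrs(rule)
        if ANY_IP in cidrs:
            findings.append({"name": name, "reason": "allows ingress from ANY IP (0.0.0.0/0)"})
        elif min(c.prefixlen for c in cidrs) < MAX_PREFIX_BREADTH:
            findings.append({"name": name, "reason": f"range broader than /{MAX_PREFIX_BREADTH}"})
    return findings


if __name__ == "__main__":
    for finding in audit_firewall_rules(json.loads(SAMPLE_RULES_JSON)):
        print(f"FAIL  {finding['name']}: {finding['reason']}")
```

In practice, pipe the real az CLI output into json.loads in place of the sample; the office-egress rule (a single /32) is the only one that passes.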

Remediation

From Azure Portal

  1. Go to 'SQL servers'
  2. For each SQL server
  3. Click on 'Firewall and virtual networks'
  4. Set 'Allow Azure services and resources to access this server' to 'No'
  5. Set firewall rules to limit access to only authorized connections

From Azure CLI

Disable default firewall rule 'Allow access to Azure services':

az sql server firewall-rule delete --resource-group <resource group name> --server <server name> --name "AllowAllWindowsAzureIps"

Remove a custom firewall rule:

az sql server firewall-rule delete --resource-group <resource group name> --server <server name> --name <rule name>

Create a firewall rule:

az sql server firewall-rule create --resource-group <resource group name> --server <server name> --name <rule name> --start-ip-address "<IP Address other than 0.0.0.0>" --end-ip-address "<IP Address other than 0.0.0.0 or 255.255.255.255>"

Update a firewall rule:

az sql server firewall-rule update --resource-group <resource group name> --server <server name> --name <rule name> --start-ip-address "<IP Address other than 0.0.0.0>" --end-ip-address "<IP Address other than 0.0.0.0 or 255.255.255.255>"

From PowerShell

Disable default firewall rule 'Allow access to Azure services':

Remove-AzSqlServerFirewallRule -FirewallRuleName "AllowAllWindowsAzureIps" -ResourceGroupName <resource group name> -ServerName <server name>

Remove a custom Firewall rule:

Remove-AzSqlServerFirewallRule -FirewallRuleName "<rule name>" -ResourceGroupName <resource group name> -ServerName <server name>

Set the appropriate firewall rules:

Set-AzSqlServerFirewallRule -ResourceGroupName <resource group name> -ServerName <server name> -FirewallRuleName "<rule name>" -StartIpAddress "<IP Address other than 0.0.0.0>" -EndIpAddress "<IP Address other than 0.0.0.0 or 255.255.255.255>"