Metadata

Id: 3f23c96c-f9f5-488d-9b17-605b8da5842f

Cloud Provider: Azure

Platform: Ansible

Severity: Critical

Category: Networking and Firewall

Description

Allowing large IP ranges in Azure SQL firewall rules broadens the database attack surface and increases the risk of unauthorized access, brute-force attempts, and data exposure. Firewall rules should grant the minimal address range required.

For Ansible tasks using azure_rm_sqlfirewallrule or azure.azcollection.azure_rm_sqlfirewallrule, ensure the start_ip_address and end_ip_address properties are defined and that the numeric difference between them is less than 256 (that is, a single IP or up to 255 addresses). Tasks that omit these properties, set either address to 0.0.0.0, or specify a range with difference >= 256 are flagged as insecure.

Secure configuration example:

- name: Allow single client IP to Azure SQL firewall
  azure.azcollection.azure_rm_sqlfirewallrule:
    resource_group: my-rg
    server_name: my-sql-server
    name: allow-client
    start_ip_address: 203.0.113.45
    end_ip_address: 203.0.113.45
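The description above spells out the three conditions the rule evaluates: both addresses must be present, neither may be 0.0.0.0, and the numeric distance between them must be below 256. The following Python script is an added example (not Datadog's own rule implementation) that applies exactly those conditions to Ansible tasks. It takes tasks as the list of dicts that yaml.safe_load would produce for a playbook, and the sample tasks embedded at the bottom are constructed copies of the compliant and non-compliant examples on this page, plus one task that omits end_ip_address. Function names (check_firewall_rule, check_tasks) and the RANGE_LIMIT constant are assumptions of this example.

```python
import ipaddress

# Both the short and the fully qualified collection name of the module are recognised.
MODULE_NAMES = ("azure_rm_sqlfirewallrule",
                "azure.azcollection.azure_rm_sqlfirewallrule")
# Threshold stated on the page: end - start must be strictly less than 256.
RANGE_LIMIT = 256
ANY_ADDRESS = ipaddress.IPv4Address("0.0.0.0")


def find_firewall_rule(task):
    """Return the module parameters if the task uses the SQL firewall module, else None."""
    for module in MODULE_NAMES:
        if module in task:
            return task[module] or {}
    return None


def check_firewall_rule(params):
    """Evaluate one task's parameters; return a list of findings (empty means compliant)."""
    findings = []
    start = params.get("start_ip_address")
    end = params.get("end_ip_address")

    # Condition 1: both properties must be defined.
    if start is None or end is None:
        findings.append("start_ip_address and end_ip_address must both be set")
        return findings

    try:
        start_ip = ipaddress.IPv4Address(str(start))
        end_ip = ipaddress.IPv4Address(str(end))
    except ValueError as exc:
        findings.append(f"unparseable IP address: {exc}")
        return findings

    # Condition 2: 0.0.0.0 at either end is treated as insecure by this rule.
    if start_ip == ANY_ADDRESS or end_ip == ANY_ADDRESS:
        findings.append("0.0.0.0 used as start or end address")

    # Condition 3: the numeric difference must be below RANGE_LIMIT.
    width = int(end_ip) - int(start_ip)
    if width < 0:
        findings.append("end_ip_address is lower than start_ip_address")
    elif width >= RANGE_LIMIT:
        findings.append(f"range spans {width + 1} addresses "
                        f"(difference {width} >= {RANGE_LIMIT})")
    return findings


def check_tasks(tasks):
    """Map each firewall-rule task name to its findings; other tasks are skipped."""
    results = {}
    for task in tasks:
        params = find_firewall_rule(task)
        if params is None:
            continue
        results[task.get("name", "<unnamed task>")] = check_firewall_rule(params)
    return results


# Constructed sample input mirroring the page's examples (what yaml.safe_load would return).
SAMPLE_TASKS = [
    {"name": "Create (or update) Firewall Rule",
     "azure_rm_sqlfirewallrule": {"resource_group": "myResourceGroup",
                                  "server_name": "firewallrulecrudtest-6285",
                                  "name": "firewallrulecrudtest-5370",
                                  "start_ip_address": "172.28.10.136",
                                  "end_ip_address": "172.28.10.138"}},
    {"name": "Create (or update) Firewall Rule1",
     "azure_rm_sqlfirewallrule": {"resource_group": "myResourceGroup1",
                                  "start_ip_address": "0.0.0.0",
                                  "end_ip_address": "172.28.11.138"}},
    {"name": "Create (or update) Firewall Rule2",
     "azure_rm_sqlfirewallrule": {"resource_group": "myResourceGroup2",
                                  "start_ip_address": "172.28.10.136",
                                  "end_ip_address": "172.28.11.138"}},
    {"name": "Missing end address (constructed)",
     "azure.azcollection.azure_rm_sqlfirewallrule": {"resource_group": "rg",
                                                     "start_ip_address": "203.0.113.45"}},
    {"name": "Unrelated task", "debug": {"msg": "not a firewall rule"}},
]

if __name__ == "__main__":
    for task_name, findings in check_tasks(SAMPLE_TASKS).items():
        status = "OK " if not findings else "BAD"
        print(f"{status} {task_name}: {'; '.join(findings) or 'compliant'}")
```

Note that Rule2 on this page is flagged even though it starts from a host address: 172.28.10.136 to 172.28.11.138 is a numeric difference of 258, which crosses the 256 threshold. Comparing integer forms of the addresses rather than only the last octet is what makes that case visible.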

Compliant Code Examples

# This code is compliant: the query should not report any result
- name: Create (or update) Firewall Rule
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 172.28.10.136
    end_ip_address: 172.28.10.138

Non-Compliant Code Examples

# This code is non-compliant: the query should report a result for each task below
- name: Create (or update) Firewall Rule1
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup1
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 0.0.0.0
    end_ip_address: 172.28.11.138
- name: Create (or update) Firewall Rule2
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup2
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 172.28.10.136
    end_ip_address: 172.28.11.138