SQL Databases should only allow ingress traffic from specific IP addresses


Description

Azure SQL servers enforce a server-level firewall, and the “Allow Azure services and resources to access this server” setting is represented in that firewall as a rule (named AllowAllWindowsAzureIps in the API and CLI) with a start IP of 0.0.0.0 and an end IP of 0.0.0.0. Despite its narrow-looking range, this rule does not mean “no ingress”: it permits connections from any resource running on Azure public IP space, including resources in subscriptions you do not control, which is why it is treated as equivalent to allowing ingress from 0.0.0.0/0 (ANY IP). Disabling the setting removes that rule and breaks every connection that relied on it, including connections from your own Azure-hosted services, unless IP-specific rules have been added to the firewall policy first. It is recommended to define more granular rules that cover only the addresses that need access, for example the published address ranges of the specific Azure regions or services that connect to the server, in order to reduce the attack surface of the SQL server.

Remediation

From the console

  1. Go to SQL servers
  2. For each SQL server, click on Networking
  3. Uncheck the checkbox for Allow Azure services and resources to access this server
  4. Add firewall rules that allow only the specific client IP addresses or ranges that need to connect, and remove any rule spanning 0.0.0.0 to 255.255.255.255
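
The same check can be scripted against the server's firewall rules rather than clicked through per server. The following Python script is an added example, not code from this page or from Azure's own tooling: it audits a list of firewall rules shaped like the JSON output of `az sql server firewall-rule list` (assumed field names `name`, `startIpAddress`, `endIpAddress`), flags the AllowAllWindowsAzureIps rule that backs the “Allow Azure services” setting, any rule covering all of IPv4, and any rule wider than a hypothetical policy threshold, and prints the `az sql server firewall-rule delete` commands for the findings. The sample rules are constructed for the example.

```python
import ipaddress
import json

# Constructed sample shaped like `az sql server firewall-rule list -g <rg> -s <server> -o json`.
# Assumption: the CLI emits camelCase fields startIpAddress/endIpAddress and names the
# "Allow Azure services and resources to access this server" rule AllowAllWindowsAzureIps.
SAMPLE_RULES_JSON = """[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "open-to-world", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
  {"name": "too-wide", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.101.255"}
]"""

AZURE_SERVICES_RULE = "AllowAllWindowsAzureIps"
MAX_RANGE_SIZE = 256  # hypothetical policy: anything wider than a /24 is a finding


def load_rules(text):
    """Parse the CLI-style JSON list into Python dicts."""
    return json.loads(text)


def rule_size(rule):
    """Number of IPv4 addresses the rule admits (start and end are inclusive)."""
    start = int(ipaddress.IPv4Address(rule["startIpAddress"]))
    end = int(ipaddress.IPv4Address(rule["endIpAddress"]))
    return end - start + 1


def classify(rule):
    """Return a finding for a rule, or None if the rule is acceptable under the policy."""
    start, end = rule["startIpAddress"], rule["endIpAddress"]
    # 0.0.0.0-0.0.0.0 is not "no ingress": it is the Allow Azure services toggle,
    # which admits any Azure-hosted resource, including other tenants' resources.
    if rule["name"] == AZURE_SERVICES_RULE or (start == "0.0.0.0" and end == "0.0.0.0"):
        return "allows any Azure-hosted resource (Allow Azure services setting)"
    if start == "0.0.0.0" and end == "255.255.255.255":
        return "allows any IPv4 address (0.0.0.0/0)"
    size = rule_size(rule)
    if size > MAX_RANGE_SIZE:
        return f"range of {size} addresses exceeds policy limit of {MAX_RANGE_SIZE}"
    return None


def audit(rules):
    """Map each offending rule name to its finding; acceptable rules are omitted."""
    findings = {}
    for rule in rules:
        finding = classify(rule)
        if finding:
            findings[rule["name"]] = finding
    return findings


def remediation_commands(rules, resource_group, server):
    """Build the az CLI commands that remove each offending rule.

    Deleting AllowAllWindowsAzureIps is equivalent to unchecking the portal setting,
    so only run these after the replacement IP-specific rules are in place.
    """
    return [
        f"az sql server firewall-rule delete --resource-group {resource_group} "
        f"--server {server} --name {name}"
        for name in audit(rules)
    ]


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES_JSON)
    for name, finding in audit(rules).items():
        print(f"{name}: {finding}")
    # <rg> and <server> are placeholders for your resource group and SQL server name.
    for cmd in remediation_commands(rules, "<rg>", "<server>"):
        print(cmd)
```

Run it against real output by replacing the constructed sample with the JSON from `az sql server firewall-rule list`. Add the replacement rules first with `az sql server firewall-rule create --resource-group <rg> --server <server> --name <name> --start-ip-address <start> --end-ip-address <end>`, then run the generated delete commands, so that no client loses access between the two steps.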