---
title: SQLServer ingress from any IP
description: Datadog, the leading service for cloud-scale monitoring.
---

# SQLServer ingress from any IP

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-azure-sql-server-ingress-from-any-ip` 

**Provider:** Azure

**Platform:** Ansible

**Severity:** Critical

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlfirewallrule_module.html)

### Description{% #description %}

Allowing an Azure SQL firewall rule to accept connections from the entire internet (`start_ip_address` set to `0.0.0.0` and `end_ip_address` set to `255.255.255.255`) exposes database servers to unauthorized access and credential brute-force attacks.

This rule checks Ansible resources using the `azure.azcollection.azure_rm_sqlfirewallrule` (or `azure_rm_sqlfirewallrule`) module. Resources with `start_ip_address` set to `0.0.0.0` and `end_ip_address` set to `255.255.255.255` are flagged. Restrict firewall rules to specific client IPs or CIDR ranges, or use virtual network-based rules to limit access.

Secure example with a single allowed IP:

```yaml
- name: Add SQL firewall rule for a specific IP
  azure.azcollection.azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup
    server_name: my-sql-server
    name: allow-office-ip
    start_ip_address: 203.0.113.5
    end_ip_address: 203.0.113.5
    state: present
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Create (or update) Firewall Rule
  azure.azcollection.azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 172.28.10.136
    end_ip_address: 172.28.10.138
- name: Create (or update) Firewall Rule2
  azure.azcollection.azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 0.0.0.0
    end_ip_address: 0.0.0.3
- name: Create (or update) Firewall Rule3
  azure.azcollection.azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 255.255.255.250
    end_ip_address: 255.255.255.255
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: Create (or update) Firewall Rule
  azure.azcollection.azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 0.0.0.0
    end_ip_address: 255.255.255.255
```
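
A review helper built on the rule logic described above. This is an added example, not Datadog's implementation and not part of the original rule page. It flags the exact any-IP range the rule matches and, going beyond the rule, also reports ranges wider than a threshold and values that are not literal addresses (for example, templated variables). The function names, the `max_addresses` threshold, the verdict labels, and the sample tasks are assumptions constructed for illustration; tasks are passed in as already-parsed dictionaries.

```python
import ipaddress

# Module names the rule matches (both taken from the rule description).
MODULES = ("azure.azcollection.azure_rm_sqlfirewallrule", "azure_rm_sqlfirewallrule")
ANY_RANGE = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))


def iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks or []:
        yield task
        for section in ("block", "rescue", "always"):
            yield from iter_tasks(task.get(section))


def check_tasks(tasks, max_addresses=256):
    """Return (task name, verdict, address count) per SQL firewall rule task.
    Verdicts: "any-ip" (the range this rule flags), "wide" (more than
    max_addresses, a hypothetical review threshold), "unresolved", "ok"."""
    findings = []
    for task in iter_tasks(tasks):
        args = next((task[m] for m in MODULES if isinstance(task.get(m), dict)), None)
        if args is None:
            continue
        try:
            start = ipaddress.IPv4Address(str(args.get("start_ip_address")))
            end = ipaddress.IPv4Address(str(args.get("end_ip_address")))
        except ipaddress.AddressValueError:
            # Missing or templated value: cannot be judged statically.
            findings.append((task.get("name"), "unresolved", None))
            continue
        count = int(end) - int(start) + 1
        verdict = ("any-ip" if (start, end) == ANY_RANGE
                   else "wide" if count > max_addresses else "ok")
        findings.append((task.get("name"), verdict, count))
    return findings


# Constructed sample: tasks shaped as a YAML loader would return them.
SAMPLE = [
    {"name": "office", MODULES[0]: {"start_ip_address": "203.0.113.5", "end_ip_address": "203.0.113.5"}},
    {"name": "nested", "block": [
        {"name": "open", MODULES[1]: {"start_ip_address": "0.0.0.0", "end_ip_address": "255.255.255.255"}},
    ]},
    {"name": "almost", MODULES[0]: {"start_ip_address": "0.0.0.0", "end_ip_address": "255.255.255.254"}},
    {"name": "var", MODULES[0]: {"start_ip_address": "{{ client_ip }}", "end_ip_address": "{{ client_ip }}"}},
]
```

The `almost` task shows why a width check is useful alongside the exact match: a range one address short of the full IPv4 space is not the range this rule flags, yet it exposes the server almost as broadly.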
