Metadata

Id: 3f23c96c-f9f5-488d-9b17-605b8da5842f

Cloud Provider: Azure

Platform: Ansible

Severity: Critical

Category: Networking and Firewall

Description

Allowing large IP ranges in Azure SQL firewall rules broadens the database attack surface and increases the risk of unauthorized access, brute-force attempts, and data exposure. Firewall rules should grant the minimal address range required.

For Ansible tasks using azure_rm_sqlfirewallrule or azure.azcollection.azure_rm_sqlfirewallrule, ensure the start_ip_address and end_ip_address properties are defined and that the numeric difference between them is less than 256 (that is, a single IP or up to 255 addresses). Tasks that omit these properties, set either address to 0.0.0.0, or specify a range with difference >= 256 are flagged as insecure.

Secure configuration example:

- name: Allow single client IP to Azure SQL firewall
  azure.azcollection.azure_rm_sqlfirewallrule:
    resource_group: my-rg
    server_name: my-sql-server
    name: allow-client
    start_ip_address: 203.0.113.45
    end_ip_address: 203.0.113.45
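The check described above can be reproduced offline with a short script. The following Python is an added example, not Datadog's own rule implementation or Ansible project code; it evaluates Ansible task dictionaries (constructed inline to mirror the examples on this page, rather than parsed from a playbook file) against the three conditions the rule states: both addresses defined, neither address 0.0.0.0, and a numeric difference below 256. The function names check_firewall_task and scan_tasks are assumptions of this example.

```python
import ipaddress

# Module names the rule applies to (short and fully-qualified collection form).
MODULE_NAMES = {
    "azure_rm_sqlfirewallrule",
    "azure.azcollection.azure_rm_sqlfirewallrule",
}
MAX_DIFFERENCE = 256  # end - start must be strictly less than this
ANY_ADDRESS = ipaddress.IPv4Address("0.0.0.0")


def check_firewall_task(task):
    """Return a list of findings for one Ansible task; an empty list means compliant."""
    module = next((m for m in MODULE_NAMES if m in task), None)
    if module is None:
        return []  # not an Azure SQL firewall rule task, nothing to evaluate
    params = task.get(module) or {}
    findings = []

    start = params.get("start_ip_address")
    end = params.get("end_ip_address")
    if start is None or end is None:
        findings.append("start_ip_address and end_ip_address must both be defined")
        return findings

    try:
        start_ip = ipaddress.IPv4Address(str(start))
        end_ip = ipaddress.IPv4Address(str(end))
    except ipaddress.AddressValueError as exc:
        findings.append(f"invalid IPv4 address: {exc}")
        return findings

    if start_ip == ANY_ADDRESS or end_ip == ANY_ADDRESS:
        findings.append("0.0.0.0 must not be used as a firewall rule boundary")

    # Compare the addresses as integers, exactly as the rule's "numeric difference".
    difference = int(end_ip) - int(start_ip)
    if difference < 0:
        findings.append("end_ip_address precedes start_ip_address")
    elif difference >= MAX_DIFFERENCE:
        findings.append(
            f"range difference {difference} is >= {MAX_DIFFERENCE} "
            f"({difference + 1} addresses allowed)"
        )
    return findings


def scan_tasks(tasks):
    """Map each task name to its findings."""
    return {task.get("name", "<unnamed>"): check_firewall_task(task) for task in tasks}


# Constructed sample tasks, matching the compliant and non-compliant examples on this page
# plus two extra cases (fully-qualified module name, missing end address).
SAMPLE_TASKS = [
    {"name": "Create (or update) Firewall Rule",
     "azure_rm_sqlfirewallrule": {"resource_group": "myResourceGroup",
                                  "server_name": "firewallrulecrudtest-6285",
                                  "name": "firewallrulecrudtest-5370",
                                  "start_ip_address": "172.28.10.136",
                                  "end_ip_address": "172.28.10.138"}},
    {"name": "Allow single client IP",
     "azure.azcollection.azure_rm_sqlfirewallrule": {"resource_group": "my-rg",
                                                     "server_name": "my-sql-server",
                                                     "name": "allow-client",
                                                     "start_ip_address": "203.0.113.45",
                                                     "end_ip_address": "203.0.113.45"}},
    {"name": "Create (or update) Firewall Rule1",
     "azure_rm_sqlfirewallrule": {"resource_group": "myResourceGroup1",
                                  "start_ip_address": "0.0.0.0",
                                  "end_ip_address": "172.28.11.138"}},
    {"name": "Create (or update) Firewall Rule2",
     "azure_rm_sqlfirewallrule": {"resource_group": "myResourceGroup2",
                                  "start_ip_address": "172.28.10.136",
                                  "end_ip_address": "172.28.11.138"}},
    {"name": "Missing end address",
     "azure_rm_sqlfirewallrule": {"resource_group": "myResourceGroup3",
                                  "start_ip_address": "172.28.10.136"}},
]

if __name__ == "__main__":
    for task_name, findings in scan_tasks(SAMPLE_TASKS).items():
        status = "OK" if not findings else "FLAGGED"
        print(f"{status:7} {task_name}")
        for finding in findings:
            print(f"        - {finding}")
```

Running the script flags Rule1 twice (the 0.0.0.0 boundary and the huge span) and Rule2 once: 172.28.10.136 to 172.28.11.138 crosses a /24 boundary, so the integer difference is 258, which is why that task is listed as non-compliant even though the third octets differ by only one.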

Compliant Code Examples

# This is correct code for which the query should not find any result
- name: Create (or update) Firewall Rule
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 172.28.10.136
    end_ip_address: 172.28.10.138

Non-Compliant Code Examples

# This is problematic code for which the query should report one or more results
- name: Create (or update) Firewall Rule1
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup1
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 0.0.0.0
    end_ip_address: 172.28.11.138
- name: Create (or update) Firewall Rule2
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup2
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 172.28.10.136
    end_ip_address: 172.28.11.138