---
title: Unrestricted SQL Server access
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Unrestricted SQL Server access
---

# Unrestricted SQL Server access

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `3f23c96c-f9f5-488d-9b17-605b8da5842f`

**Cloud Provider:** Azure

**Platform:** Ansible

**Severity:** Critical

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlfirewallrule_module.html)

### Description{% #description %}

Allowing large IP ranges in Azure SQL firewall rules broadens the database attack surface and increases the risk of unauthorized access, brute-force attempts, and data exposure. Firewall rules should grant the minimal address range required.

For Ansible tasks using `azure_rm_sqlfirewallrule` or `azure.azcollection.azure_rm_sqlfirewallrule`, ensure the `start_ip_address` and `end_ip_address` properties are defined and that the numeric difference between them is less than 256 (that is, a single IP or up to 255 addresses). Tasks that omit these properties, set either address to `0.0.0.0`, or specify a range with difference >= 256 are flagged as insecure.

Secure configuration example:

```yaml
- name: Allow single client IP to Azure SQL firewall
  azure.azcollection.azure_rm_sqlfirewallrule:
    resource_group: my-rg
    server_name: my-sql-server
    name: allow-client
    start_ip_address: 203.0.113.45
    end_ip_address: 203.0.113.45
```
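To make the check above concrete, here is an added example (not Datadog's rule engine or Ansible code) that applies the same three conditions to Ansible tasks loaded as dictionaries: it flags a task when either address is missing, either is `0.0.0.0`, or `end - start` is 256 or more. The sample tasks are constructed to mirror the compliant and non-compliant examples on this page; the handling of a reversed range (end before start) is an assumption beyond the rule text.

```python
import ipaddress

# Module names the rule applies to (taken from the rule description above).
MODULES = ("azure_rm_sqlfirewallrule", "azure.azcollection.azure_rm_sqlfirewallrule")
MAX_DIFF = 256  # end - start must be strictly less than this
ANY_ADDR = ipaddress.IPv4Address("0.0.0.0")


def check_task(task):
    """Return finding strings for one Ansible task; an empty list means compliant."""
    module = next((m for m in MODULES if m in task), None)
    if module is None:
        return []  # not a SQL firewall rule task, so out of scope for this rule
    params = task.get(module) or {}
    name = task.get("name", "<unnamed task>")
    findings, parsed = [], {}
    for key in ("start_ip_address", "end_ip_address"):
        raw = params.get(key)
        if raw is None:
            findings.append(f"{name}: {key} is not defined")
            continue
        try:
            addr = ipaddress.IPv4Address(str(raw))
        except ValueError:
            findings.append(f"{name}: {key} is not a valid IPv4 address ({raw!r})")
            continue
        if addr == ANY_ADDR:
            findings.append(f"{name}: {key} is 0.0.0.0")
        parsed[key] = addr
    if len(parsed) == 2:
        diff = int(parsed["end_ip_address"]) - int(parsed["start_ip_address"])
        if diff < 0:
            # Reversed range: not in the rule text; flagged here as an assumption.
            findings.append(f"{name}: end_ip_address precedes start_ip_address")
        elif diff >= MAX_DIFF:
            findings.append(f"{name}: range difference {diff} >= {MAX_DIFF} ({diff + 1} addresses)")
    return findings


def check_playbook(tasks):
    """Run check_task over every task in a play and collect all findings."""
    return [finding for task in tasks for finding in check_task(task)]


# Constructed sample tasks mirroring the page's compliant and non-compliant examples.
SAMPLE_TASKS = [
    {"name": "Rule0", "azure_rm_sqlfirewallrule": {"start_ip_address": "172.28.10.136", "end_ip_address": "172.28.10.138"}},
    {"name": "Rule1", "azure_rm_sqlfirewallrule": {"start_ip_address": "0.0.0.0", "end_ip_address": "172.28.11.138"}},
    {"name": "Rule2", "azure_rm_sqlfirewallrule": {"start_ip_address": "172.28.10.136", "end_ip_address": "172.28.11.138"}},
    {"name": "Rule3", "azure.azcollection.azure_rm_sqlfirewallrule": {"start_ip_address": "203.0.113.45"}},
]
```

Rule2 is the instructive case: `172.28.10.136` to `172.28.11.138` looks like a small range but spans 259 addresses, so it is reported.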

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
# This task is compliant: the query should not report any result (a range of three addresses).
- name: Create (or update) Firewall Rule
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 172.28.10.136
    end_ip_address: 172.28.10.138
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
# These tasks are non-compliant: the query should report one or more results (0.0.0.0 start address; range difference of 258).
- name: Create (or update) Firewall Rule1
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup1
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 0.0.0.0
    end_ip_address: 172.28.11.138
- name: Create (or update) Firewall Rule2
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup2
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 172.28.10.136
    end_ip_address: 172.28.11.138
```
