SQL Databases should only allow ingress traffic from specific IP addresses

Description

The “Allow Azure services and resources to access this server” setting (labelled “Allow access to Azure Services” in older versions of the portal) is implemented as a server-level firewall rule named AllowAllWindowsAzureIps whose start IP and end IP are both 0.0.0.0. Despite its appearance this is not an empty range: the SQL firewall treats 0.0.0.0 to 0.0.0.0 as “allow any IP address that belongs to Azure”, which includes resources running in other customers’ subscriptions. A separate custom rule with a start IP of 0.0.0.0 and an end IP of 255.255.255.255 allows any IP on the Internet and is equivalent to having no firewall at all. New SQL servers are created with the setting set to No, so the exposure arises when it is switched on later or when an over-broad custom rule is added. Turning the setting off will break every connection that relied on it unless rules for the actual client addresses are added to the firewall. It is recommended to define narrow, IP-specific rules, for example from the published address ranges of the specific Azure regions or services that need to connect, in order to reduce the attack surface of the SQL server.

Remediation

From the console

  1. Go to SQL servers
  2. For each SQL server, click on Networking
  3. Uncheck the checkbox for Allow Azure services and resources to access this server
  4. Add firewall rules only for the specific client IP addresses or ranges that need access, and remove any rule whose range is 0.0.0.0 to 255.255.255.255
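The same check and remediation can be scripted against the output of the Azure CLI. The following is an added example, not code from the original page or from any Azure tooling. It takes the JSON printed by `az sql server firewall-rule list -g <resource-group> -s <server>` (the sample below is constructed with the same field names), classifies each rule as the 0.0.0.0-to-0.0.0.0 allow-all-Azure sentinel, an allow-any-IP rule, an over-broad range, or acceptable, and then emits the `az sql server firewall-rule delete` / `create` commands that implement step 4. The resource group and server names, the rule names, the addresses and the MAX_RANGE_SIZE threshold are all assumptions chosen for the example.

```python
"""Audit Azure SQL server firewall rules for over-broad ingress.

Added example, not part of the original page. Input is the JSON that
`az sql server firewall-rule list -g <rg> -s <server>` prints; the sample
below is constructed with the same field names (name, startIpAddress,
endIpAddress). MAX_RANGE_SIZE is an assumed policy value.
"""
import ipaddress
import json

# Constructed sample output; rule names and addresses are made up.
SAMPLE_RULES_JSON = """[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "everyone", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "office-nat", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "whole-slash8", "startIpAddress": "10.0.0.0", "endIpAddress": "10.255.255.255"}
]"""

ANY_AZURE = ipaddress.IPv4Address("0.0.0.0")
LAST_IP = ipaddress.IPv4Address("255.255.255.255")
MAX_RANGE_SIZE = 256  # assumed policy: anything wider than a /24 is flagged


def classify_rule(rule):
    """Return a finding label for one firewall-rule dict, or "ok"."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if start == ANY_AZURE and end == ANY_AZURE:
        # The 0.0.0.0-0.0.0.0 sentinel is how "Allow Azure services and
        # resources to access this server" is stored; it admits any Azure IP,
        # including other customers' resources, not "nothing".
        return "allow_all_azure"
    if start == ANY_AZURE and end == LAST_IP:
        return "allow_any_ip"  # the whole Internet
    if int(end) < int(start):
        return "invalid"
    if int(end) - int(start) + 1 > MAX_RANGE_SIZE:
        return "broad"
    return "ok"


def audit(rules_json):
    """Return [(rule name, finding)] for every rule that is not "ok"."""
    findings = []
    for rule in json.loads(rules_json):
        label = classify_rule(rule)
        if label != "ok":
            findings.append((rule["name"], label))
    return findings


def remediation_commands(resource_group, server, rules_json, allowed):
    """Build the az CLI commands that remove flagged rules and add the
    intended ones. `allowed` is a list of (name, start_ip, end_ip) tuples
    describing the clients that genuinely need access."""
    cmds = []
    for name, label in audit(rules_json):
        if label in ("allow_all_azure", "allow_any_ip", "broad"):
            # Deleting AllowAllWindowsAzureIps is what the portal checkbox does.
            cmds.append(
                f"az sql server firewall-rule delete -g {resource_group} "
                f"-s {server} -n {name}"
            )
    for name, start_ip, end_ip in allowed:
        # Refuse to emit a replacement rule that is itself too wide.
        if classify_rule({"startIpAddress": start_ip, "endIpAddress": end_ip}) != "ok":
            raise ValueError(f"replacement rule {name} is over-broad")
        cmds.append(
            f"az sql server firewall-rule create -g {resource_group} -s {server} "
            f"-n {name} --start-ip-address {start_ip} --end-ip-address {end_ip}"
        )
    return cmds


if __name__ == "__main__":
    for name, label in audit(SAMPLE_RULES_JSON):
        print(f"{name}: {label}")
    for cmd in remediation_commands("rg-prod", "sql-prod-01", SAMPLE_RULES_JSON,
                                    [("office-vpn", "203.0.113.0", "203.0.113.255")]):
        print(cmd)
```

Run it against real output by piping `az sql server firewall-rule list -g <rg> -s <server> -o json` into `audit`; review the generated commands before executing them, since deleting AllowAllWindowsAzureIps cuts off every Azure-hosted client that was relying on it until the replacement rules are in place.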