SQL databases allow ingress from 0.0.0.0/0
| ID | sql_server_no_public_access |
| --- | --- |
| Severity | critical |
| Vendor | Azure |
| Resource | MSSQL Server |
| Tags | reachable |
Description
SQL databases allow ingress from 0.0.0.0/0.
Azure SQL Server includes a server-level firewall that blocks unauthorized connections. By default it contains only the special rule 0.0.0.0 to 0.0.0.0, which grants access exclusively to Azure services, not to the Internet at large.
You may configure a custom rule with a StartIp of 0.0.0.0 and an EndIp of 255.255.255.255; that allows access from ANY IP on the Internet. Such an IP range configuration is harmful to your services because it maximizes the potential attack surface of the SQL server.
It is crucial to define firewall rules with more granular IP addresses, referencing the ranges of addresses actually in use by specific datacenters or clients.
Examples
ARM
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "server",
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2021-04-01",
      "location": "[parameters('location')]",
      "resources": [
        {
          "name": "bad",
          "type": "firewallrules",
          "apiVersion": "2021-04-01",
          "location": "[parameters('location')]",
          "properties": {
            "endIpAddress": "255.255.255.255",
            "startIpAddress": "0.0.0.0"
          }
        }
      ]
    }
  ]
}
```
The firewall rule named bad makes this a SQL Server with an overly permissive firewall rule: the range 0.0.0.0 to 255.255.255.255 covers every IPv4 address on the Internet.
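As an added example (not part of the original policy page or its scanner), a small Python check that walks the nested firewallrules resources in an ARM template of the shape shown above and flags the 0.0.0.0 to 255.255.255.255 range this policy targets, while recognizing the 0.0.0.0 to 0.0.0.0 "Azure services" rule as a distinct case. The embedded template is constructed, and the 256-host threshold for "broad" ranges is an assumed heuristic, not an Azure setting.

```python
import ipaddress
import json

# Constructed ARM fragment in the shape of the page's example (not the page's own JSON).
TEMPLATE = json.loads("""
{"resources": [{"name": "server", "type": "Microsoft.Sql/servers", "resources": [
  {"name": "bad", "type": "firewallrules",
   "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}},
  {"name": "azure-services", "type": "firewallrules",
   "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}},
  {"name": "office", "type": "firewallrules",
   "properties": {"startIpAddress": "203.0.113.0", "endIpAddress": "203.0.113.255"}}
]}]}
""")

IPV4_SPACE = 2 ** 32  # number of addresses in 0.0.0.0 - 255.255.255.255


def classify_rule(start: str, end: str, max_hosts: int = 256) -> str:
    """Classify one start/end pair: azure_services, open_to_internet, broad or scoped.

    max_hosts is an assumed heuristic threshold, not an Azure setting."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if s == e == ipaddress.IPv4Address("0.0.0.0"):
        return "azure_services"  # the special rule behind "Allow access to Azure services"
    if e < s:
        raise ValueError(f"end {end} precedes start {start}")
    size = int(e) - int(s) + 1
    if size == IPV4_SPACE:
        return "open_to_internet"  # the misconfiguration this policy detects
    return "broad" if size > max_hosts else "scoped"


def iter_firewall_rules(template: dict):
    """Yield (server, rule, properties) for firewallrules nested under Microsoft.Sql/servers."""
    for server in template.get("resources", []):
        if server.get("type") != "Microsoft.Sql/servers":
            continue
        for child in server.get("resources", []):
            if child.get("type", "").lower() == "firewallrules":
                yield server["name"], child["name"], child.get("properties", {})


def find_violations(template: dict) -> list:
    """Return [(server, rule, verdict)] for every rule that fails sql_server_no_public_access."""
    findings = []
    for server, rule, props in iter_firewall_rules(template):
        verdict = classify_rule(props["startIpAddress"], props["endIpAddress"])
        if verdict == "open_to_internet":
            findings.append((server, rule, verdict))
    return findings
```

Running find_violations(TEMPLATE) reports only the bad rule; the Azure-services rule and the /24 office range pass.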
Terraform
```hcl
resource "azurerm_sql_firewall_rule" "good" {
  name                = "db_restricted_by_ip"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_sql_server.example.name
  start_ip_address    = "0.0.0.0"
  end_ip_address      = "255.255.255.255"
}
```
Despite its resource label, this is a SQL Server with an overly permissive firewall rule: start_ip_address 0.0.0.0 with end_ip_address 255.255.255.255 admits every IPv4 address.
Mitigation / Fix
Buildtime
ARM
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "server",
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2021-04-01",
      "location": "[parameters('location')]",
      "resources": [
        {
          "name": "good",
          "type": "firewallrules",
          "apiVersion": "2021-04-01",
          "location": "[parameters('location')]",
          "properties": {
            "endIpAddress": "0.0.0.0",
            "startIpAddress": "0.0.0.0"
          }
        }
      ]
    }
  ]
}
```
The firewall rule named good makes this a SQL Server with a restrictive firewall rule: the range 0.0.0.0 to 0.0.0.0 admits only Azure services, not the public Internet.
Runtime
Azure Portal
To change the policy, log in to the Azure Portal and then:
- Navigate to SQL servers, and for each of them:
  - Click Firewall / Virtual Networks.
  - Set Allow access to Azure services to OFF.
  - Set firewall rules to limit access to authorized connections.
CLI Command
To disable the default firewall rule Allow access to Azure services (the built-in rule behind that switch is named AllowAllWindowsAzureIps), use the following command:
```powershell
Remove-AzSqlServerFirewallRule -FirewallRuleName <rule name> -ResourceGroupName <resource group name> -ServerName <server name>
```
To remove a custom firewall rule, use the following command:
```powershell
Remove-AzureRmSqlServerFirewallRule -FirewallRuleName "<firewallRuleName>" -ResourceGroupName <resource group name> -ServerName <server name>
```
To set custom firewall rules, use the following command:
```powershell
Set-AzureRmSqlServerFirewallRule -ResourceGroupName <resource group name> -ServerName <server name> -FirewallRuleName "<firewall rule name>" -StartIpAddress "<start IP address>" -EndIpAddress "<end IP address>"
```
The AzureRm cmdlets belong to the older AzureRM module; in the current Az module the equivalents are Remove-AzSqlServerFirewallRule and Set-AzSqlServerFirewallRule with the same parameters.
See Set a firewall rule.