Ensure SQL databases do not allow ingress from 0.0.0.0/0

Error: SQL databases allow ingress from 0.0.0.0/0

Bridgecrew Policy ID: BC_AZR_NETWORKING_4
Checkov Check ID: CKV_AZURE_11
Bridgecrew Severity: CRITICAL
Prisma Cloud Severity: HIGH

SQL databases allow ingress from 0.0.0.0/0

Description

SQL Server includes a firewall that blocks unauthorized connections. The default firewall rule exists with a StartIp of 0.0.0.0 and an EndIp of 0.0.0.0, which allows access from all Azure services. A custom rule with a StartIp of 0.0.0.0 and an EndIp of 255.255.255.255 allows access from any IP address on the Internet. To reduce the potential attack surface of a SQL server, firewall rules should be defined with more granular IP ranges, for example by referencing the address ranges published for the specific datacenters that need access.

We recommend SQL Databases do not allow ingress from 0.0.0.0/0, that is, any IP.

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to SQL servers.
  3. For each SQL server:
    a) Click Firewall / Virtual Networks.
    b) Set Allow access to Azure services to OFF.
    c) Set firewall rules to limit access to authorized connections.

CLI Command

To disable the default firewall rule "Allow access to Azure services" (named AllowAllWindowsAzureIps), use the following command:

Remove-AzureRmSqlServerFirewallRule 
-FirewallRuleName "AllowAllWindowsAzureIps" 
-ResourceGroupName <resource group name> 
-ServerName <server name>

To remove a custom Firewall rule, use the following command:

Remove-AzureRmSqlServerFirewallRule 
-FirewallRuleName "<firewallRuleName>" 
-ResourceGroupName <resource group name> 
-ServerName <server name>

To set the appropriate firewall rules, use the following command:

Set-AzureRmSqlServerFirewallRule 
-ResourceGroupName <resource group name> 
-ServerName <server name> 
-FirewallRuleName "<Fw rule Name>" 
-StartIpAddress "<IP Address other than 0.0.0.0>" 
-EndIpAddress "<IP Address other than 0.0.0.0 or 255.255.255.255>"

Fix - Buildtime

Terraform

  • Resources:
    azurerm_mariadb_firewall_rule
    azurerm_sql_firewall_rule
    azurerm_postgresql_firewall_rule
    azurerm_mysql_firewall_rule
  • Argument: start_ip_address

resource "azurerm_mysql_firewall_rule" "example" {
  ...
- start_ip_address = "0.0.0.0"
- end_ip_address   = "255.255.255.255"
}
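The following Python script is an added example, not Checkov's own implementation of CKV_AZURE_11 and not part of this page. It applies the policy's logic to a Terraform plan exported with `terraform show -json`: it walks the four firewall-rule resource types listed above and reports any rule whose start_ip_address/end_ip_address pair is 0.0.0.0 to 255.255.255.255 (any Internet IP) or 0.0.0.0 to 0.0.0.0 (the "Allow access to Azure services" rule that the runtime fix turns off). The plan document embedded below is constructed for the example; the `planned_values.root_module.resources` layout is Terraform's documented plan JSON format.

```python
"""Flag Azure database firewall rules that allow ingress from 0.0.0.0/0.

Added example (not Checkov's code): evaluates firewall-rule resources in a
Terraform plan JSON document (`terraform show -json plan.out`).
"""
import ipaddress
import json

# Resource types the policy covers (from the page's Terraform section).
FIREWALL_RULE_TYPES = {
    "azurerm_mariadb_firewall_rule",
    "azurerm_sql_firewall_rule",
    "azurerm_postgresql_firewall_rule",
    "azurerm_mysql_firewall_rule",
}

ANY_START = ipaddress.IPv4Address("0.0.0.0")
ANY_END = ipaddress.IPv4Address("255.255.255.255")


def classify_rule(start_ip, end_ip):
    """Return why a rule is too broad, or None if it names a specific range.

    "any-ip":         0.0.0.0 - 255.255.255.255, every Internet address.
    "azure-services": 0.0.0.0 - 0.0.0.0, Azure's special "allow all Azure
                      services" rule (the portal fix sets this to OFF).
    "unparseable":    value is not an IPv4 address; surfaced for review.
    """
    try:
        start = ipaddress.IPv4Address(start_ip)
        end = ipaddress.IPv4Address(end_ip)
    except ValueError:  # AddressValueError is a ValueError subclass
        return "unparseable"
    if start == ANY_START and end == ANY_END:
        return "any-ip"
    if start == ANY_START and end == ANY_START:
        return "azure-services"
    return None


def _walk_modules(module):
    """Yield every resource in a plan module and its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def scan_plan(plan_json):
    """Return a list of findings for firewall rules that fail the check."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in _walk_modules(root):
        if res.get("type") not in FIREWALL_RULE_TYPES:
            continue
        values = res.get("values", {})
        reason = classify_rule(values.get("start_ip_address", ""),
                               values.get("end_ip_address", ""))
        if reason:
            findings.append({"check": "CKV_AZURE_11",
                             "address": res["address"],
                             "reason": reason})
    return findings


# Constructed sample plan: one open-to-the-Internet rule, one
# Azure-services rule, and one rule restricted to a documentation range.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_mysql_firewall_rule.open",
         "type": "azurerm_mysql_firewall_rule", "name": "open",
         "values": {"name": "open", "start_ip_address": "0.0.0.0",
                    "end_ip_address": "255.255.255.255"}},
        {"address": "azurerm_sql_firewall_rule.azure",
         "type": "azurerm_sql_firewall_rule", "name": "azure",
         "values": {"name": "AllowAllWindowsAzureIps",
                    "start_ip_address": "0.0.0.0",
                    "end_ip_address": "0.0.0.0"}},
        {"address": "azurerm_postgresql_firewall_rule.office",
         "type": "azurerm_postgresql_firewall_rule", "name": "office",
         "values": {"name": "office", "start_ip_address": "203.0.113.10",
                    "end_ip_address": "203.0.113.20"}},
    ]}},
})

if __name__ == "__main__":
    for finding in scan_plan(SAMPLE_PLAN):
        print(f"{finding['check']} FAILED: {finding['address']} ({finding['reason']})")
```

Run it against a real plan with `scan_plan(open("plan.json").read())`. Rules whose addresses are still unknown at plan time (for example computed from another resource) are absent from `values` and therefore show up as "unparseable"; that is deliberate, since a value that cannot be checked before apply deserves a look rather than a silent pass.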