Ensure Azure Synapse workspaces have no IP firewall rules attached

Error: Azure Synapse workspaces have IP firewall rules attached

Bridgecrew Policy ID: BC_AZR_NETWORKING_27
Checkov Check ID: CKV2_AZURE_19
Severity: LOW

Description

IP firewall rules in Azure Synapse control inbound and outbound network traffic to and from your workspace. By attaching IP firewall rules to your workspace you specify which IP addresses or ranges can reach the workspace and what actions they can perform.

However, attaching IP firewall rules to your workspace also carries risk, because each rule is an explicit grant of access to the IP addresses or ranges it lists. If an attacker is able to determine the IP address of your workspace, they could reach it whenever their source address falls inside one of those rules; a rule spanning 0.0.0.0 to 255.255.255.255 admits every address on the internet.

Fix - Buildtime

Terraform

  • Resource: azurerm_synapse_firewall_rule, azurerm_resource_group, azurerm_synapse_workspace
  • Argument: synapse_workspace_id (of azurerm_synapse_firewall_rule)

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

# Compliant: no azurerm_synapse_firewall_rule references this workspace.
# resource_group_name, location, storage_data_lake_gen2_filesystem_id and identity are required by the provider; the filesystem is assumed to be defined elsewhere.
resource "azurerm_synapse_workspace" "workspace_good" {
  name                                 = "example"
  resource_group_name                  = azurerm_resource_group.example.name
  location                             = azurerm_resource_group.example.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = "H@Sh1CoR3!"
  managed_virtual_network_enabled      = true
  identity {
    type = "SystemAssigned"
  }
  tags = {
    Env = "production"
  }
}

# Non-compliant: the firewall rule below is attached to this workspace.
resource "azurerm_synapse_workspace" "workspace_bad" {
  name                                 = "example-bad"
  resource_group_name                  = azurerm_resource_group.example.name
  location                             = azurerm_resource_group.example.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = "H@Sh1CoR3!"
  managed_virtual_network_enabled      = true
  identity {
    type = "SystemAssigned"
  }
}

# Attaching any rule fails CKV2_AZURE_19; this one admits every IPv4 address. Remove it to make workspace_bad compliant.
resource "azurerm_synapse_firewall_rule" "firewall_rule" {
  name                 = "AllowAll"
  synapse_workspace_id = azurerm_synapse_workspace.workspace_bad.id
  start_ip_address     = "0.0.0.0"
  end_ip_address       = "255.255.255.255"
}
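The check behind this policy is a graph condition: a workspace fails when any azurerm_synapse_firewall_rule's synapse_workspace_id points at it. The following script, added here as an illustration and not Checkov's own implementation, applies that condition to a constructed Terraform snippet shaped like the one above, and additionally reports how many IPv4 addresses each attached rule admits so that an allow-everything rule stands out. The SAMPLE_TF text, the small HCL scanner and the function names are all assumptions made for this example.

```python
"""Flag Azure Synapse workspaces that have IP firewall rules attached
(the condition CKV2_AZURE_19 reports). Added example, not Checkov code."""
import ipaddress
import re

# Constructed sample configuration: one compliant workspace and one
# workspace with an allow-everything firewall rule attached.
SAMPLE_TF = '''
resource "azurerm_synapse_workspace" "workspace_good" {
  name                            = "example"
  managed_virtual_network_enabled = true
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_synapse_workspace" "workspace_bad" {
  name = "example-bad"
}

resource "azurerm_synapse_firewall_rule" "firewall_rule" {
  name                 = "AllowAll"
  synapse_workspace_id = azurerm_synapse_workspace.workspace_bad.id
  start_ip_address     = "0.0.0.0"
  end_ip_address       = "255.255.255.255"
}
'''

RESOURCE_HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTRIBUTE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')
WORKSPACE_REF = re.compile(r'^azurerm_synapse_workspace\.([A-Za-z0-9_-]+)\.id$')


def parse_resources(hcl: str) -> dict:
    """Return {(type, name): {attr: raw_value}} for every resource block.

    Minimal scanner (an assumption of this example, not a full HCL parser):
    braces are counted so nested blocks such as identity and tags are
    skipped, and only depth-1 `key = value` lines are recorded. Surrounding
    quotes are stripped; references such as
    azurerm_synapse_workspace.workspace_bad.id are kept verbatim.
    """
    resources = {}
    for header in RESOURCE_HEADER.finditer(hcl):
        body = hcl[header.end():]
        depth, attrs, line_start = 1, {}, 0
        for i, ch in enumerate(body):
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0:
                    break
            elif ch == "\n":
                if depth == 1:
                    m = ATTRIBUTE.match(body[line_start:i])
                    if m:
                        attrs[m.group(1)] = m.group(2).strip('"')
                line_start = i + 1
        resources[(header.group(1), header.group(2))] = attrs
    return resources


def attached_rules(resources: dict) -> dict:
    """Map each workspace name to the firewall rules attached to it."""
    attached = {name: [] for (rtype, name) in resources
                if rtype == "azurerm_synapse_workspace"}
    for (rtype, rname), attrs in resources.items():
        if rtype != "azurerm_synapse_firewall_rule":
            continue
        m = WORKSPACE_REF.match(attrs.get("synapse_workspace_id", ""))
        if m and m.group(1) in attached:
            attached[m.group(1)].append((rname, attrs))
    return attached


def address_count(attrs: dict) -> int:
    """IPv4 addresses admitted by a start/end rule (0 if unparsable)."""
    try:
        start = ipaddress.IPv4Address(attrs["start_ip_address"])
        end = ipaddress.IPv4Address(attrs["end_ip_address"])
    except (KeyError, ValueError):
        return 0
    return max(0, int(end) - int(start) + 1)


def evaluate(hcl: str) -> list:
    """One finding per workspace: (workspace, passed, [(rule, addresses)])."""
    findings = []
    for ws, rules in attached_rules(parse_resources(hcl)).items():
        details = [(rname, address_count(attrs)) for rname, attrs in rules]
        findings.append((ws, not rules, details))
    return sorted(findings)


if __name__ == "__main__":
    for ws, passed, rules in evaluate(SAMPLE_TF):
        status = "PASSED" if passed else "FAILED"
        print(f"CKV2_AZURE_19 {status}: azurerm_synapse_workspace.{ws}")
        for rname, count in rules:
            print(f"  attached rule {rname} admits {count} IPv4 address(es)")
```

Running the script reports workspace_good as passed and workspace_bad as failed, with the AllowAll rule admitting all 4,294,967,296 IPv4 addresses. The address count is a supplement for triage: the policy itself fails a workspace on any attached rule, not only on a broad one, so the fix is to remove the azurerm_synapse_firewall_rule rather than to narrow its range.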