Ensure 'Allow access to Azure services' for PostgreSQL Flexible Server is disabled

Disable access from Azure services to PostgreSQL Flexible Server

Risk Level: Low
Cloud Entity: PostgreSQL Flexible Server
CloudGuard Rule ID: D9.AZU.CRY.48
Covered by Spectral: Yes
Category: Database


PostgreSQLFlexibleServer should not have firewallRules contain [ name regexMatch /AllowAllAzureServicesAndResourcesWithinAzureIps/ ]


From Portal

  1. Login to Azure Portal using https://portal.azure.com.
  2. Go to Azure Database for PostgreSQL Flexible server.
  3. For each database, click on Networking.
  4. Below Firewall rules,Ensure 'Allow public access from any Azure service within Azure to this server' is set to OFF.
  5. Click Save.

From TF
Please check the 'start_ip_address' and 'end_ip_address' should not be set to under 'azurerm_postgresql_flexible_server_firewall_rule' :

resource "azurerm_postgresql_flexible_server_firewall_rule" "example" {
	start_ip_address    = "STARTIP"
	end_ip_address      = "ENDIP"

From Command Line
Use the below command to delete the AllowAllAzureServicesAndResourcesWithinAzureIps rule for PostgreSQL Flexible Server.

az postgres flexible-server firewall-rule delete --name SERVERNAME --rule-name AllowAllAzureServicesAndResourcesWithinAzureIps --resource-group RESOURCEGROUPNAME


  1. https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking
  2. https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-manage-firewall-cli
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server_firewall_rule

PostgreSQL Flexible Server

Azure Database for PostgreSQL - Flexible Server is a fully managed PostgreSQL database as a service offering that can handle mission-critical workloads with predictable performance and dynamic scalability

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset