Restrict Azure SQL Server accessibility to a minimal address range
It is recommended to limit the source IP ranges that are allowed to access the SQL Server to the minimum necessary: each firewall rule should span no more addresses than the clients that actually need to connect.
Risk Level: High
Cloud Entity: SQL Server on Virtual Machines
CloudGuard Rule ID: D9.AZU.NET.03
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
SQLServer should not have firewallRules contain-any [ numberOfAddressesInRange > 256]
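To make the GSL logic concrete, here is an added example (not CloudGuard's own code) that evaluates the same check offline. It counts the addresses in each firewall rule's inclusive start..end range and flags any rule spanning more than 256 addresses; it also lists rules that use 0.0.0.0 as a start or end address, which the remediation steps below say to avoid. The input is a constructed JSON list shaped like what `az sql server firewall-rule list` returns; the field names startIpAddress and endIpAddress are assumed here.

```python
import ipaddress
import json

# Threshold taken from the rule's GSL logic: numberOfAddressesInRange > 256 fails.
MAX_ADDRESSES_IN_RANGE = 256

# Constructed sample input shaped like `az sql server firewall-rule list` output
# (startIpAddress / endIpAddress field names are assumed, not taken from the page).
SAMPLE_RULES_JSON = """
[
  {"name": "office-vpn",     "startIpAddress": "203.0.113.0",  "endIpAddress": "203.0.113.255"},
  {"name": "wide-open",      "startIpAddress": "0.0.0.0",      "endIpAddress": "255.255.255.255"},
  {"name": "partner-block",  "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.101.255"},
  {"name": "azure-services", "startIpAddress": "0.0.0.0",      "endIpAddress": "0.0.0.0"},
  {"name": "single-host",    "startIpAddress": "192.0.2.10",   "endIpAddress": "192.0.2.10"}
]
"""


def number_of_addresses_in_range(start_ip: str, end_ip: str) -> int:
    """Count IPv4 addresses in an inclusive start..end range (0 if end precedes start)."""
    start = int(ipaddress.IPv4Address(start_ip))
    end = int(ipaddress.IPv4Address(end_ip))
    return end - start + 1 if end >= start else 0


def oversized_rules(rules, max_addresses=MAX_ADDRESSES_IN_RANGE):
    """Rules violating the GSL logic: any rule spanning more than max_addresses.

    Returns (rule name, address count) pairs so the finding is self-explanatory.
    """
    findings = []
    for rule in rules:
        count = number_of_addresses_in_range(rule["startIpAddress"], rule["endIpAddress"])
        if count > max_addresses:
            findings.append((rule["name"], count))
    return findings


def zero_address_rules(rules):
    """Rules whose start or end address is 0.0.0.0 (discouraged by the remediation steps)."""
    return [
        rule["name"]
        for rule in rules
        if "0.0.0.0" in (rule["startIpAddress"], rule["endIpAddress"])
    ]


def assess(rules_json: str) -> dict:
    """Evaluate a server's firewall rules; 'compliant' mirrors the GSL rule outcome."""
    rules = json.loads(rules_json)
    oversized = oversized_rules(rules)
    return {
        "compliant": not oversized,  # the server passes only when no rule is oversized
        "oversized": oversized,
        "zero_address": zero_address_rules(rules),
    }


if __name__ == "__main__":
    # With the constructed sample: wide-open and partner-block exceed 256 addresses.
    print(json.dumps(assess(SAMPLE_RULES_JSON), indent=2))
```

Note that a full /24 (256 addresses, as in office-vpn above) sits exactly at the threshold and passes; a range one address wider fails. To run this against a real server, replace SAMPLE_RULES_JSON with the JSON output of the list command and review the oversized entries before tightening them.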
REMEDIATION
From Portal
- Login into the Azure portal.
- Go to SQL Servers.
- For each SQL Server, select Firewalls and virtual networks.
- Add rules only for the IP address ranges that need access to the databases. The Start and End IP addresses should not be 0.0.0.0.
NOTE: By default, no rules are created.
From TF
Set the 'start_ip_address' and 'end_ip_address' under 'azurerm_mssql_firewall_rule' as below, keeping the range at or below 256 addresses (a /24 or smaller):
resource "azurerm_mssql_firewall_rule" "example" {
  ...
  # Inclusive range of client addresses allowed to reach the server;
  # neither address should be 0.0.0.0.
  start_ip_address = "START_IP"
  end_ip_address   = "END_IP"
  ...
}
From Command Line
Use the command below to create a firewall rule with an explicit start and end IP address:
Run
az sql server firewall-rule create --resource-group MYRESOURCEGROUP --server SERVER --name NAME_OF_FIREWALL_RULE --start-ip-address START_IP --end-ip-address END_IP
References
- https://learn.microsoft.com/en-us/azure/azure-sql/database/firewall-configure?view=azuresql
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_firewall_rule
- https://learn.microsoft.com/en-us/cli/azure/sql/server/firewall-rule?view=azure-cli-latest#az-sql-server-firewall-rule-create-examples
SQL Server on Virtual Machines
SQL Server on Azure virtual machines enables you to use full versions of SQL Server in the cloud without having to manage any on-premises hardware. SQL Server VMs also simplify licensing costs when you pay as you go.
Azure virtual machines run in many different geographic regions around the world and are offered in a variety of machine sizes. The virtual machine image gallery allows you to create a SQL Server VM with the right version, edition, and operating system. This makes virtual machines a good option for many different SQL Server workloads.
Compliance Frameworks
- Azure CSA CCM v.3.0.1
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- Azure CloudGuard Network Security Alerts
- Azure CloudGuard SOC2 based on AICPA TSC 2017
- Azure HIPAA
- Azure HITRUST v9.5.0
- Azure ISO 27001:2013
- Azure LGPD regulation
- Azure NIST 800-171
- Azure NIST 800-53 Rev 4
- Azure NIST 800-53 Rev 5
- Azure NIST CSF v1.1
- Azure New Zealand Information Security Manual (NZISM) v.3.4
- CloudGuard Azure All Rules Ruleset
Updated about 1 year ago