Restrict Azure SQL Server accessibility to a minimal address range

It is recommended to limit the source IP ranges that are allowed to access the SQL Server to the minimum necessary.

Risk Level: High
Cloud Entity: SQL Server on Virtual Machines
CloudGuard Rule ID: D9.AZU.NET.03
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

SQLServer should not have firewallRules contain-any [ numberOfAddressesInRange > 256]
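The following Python script is an added example, not CloudGuard's own evaluator, that applies the same check as the GSL logic above to a list of firewall rules: it counts the addresses covered by each rule (`end - start + 1`) and flags any rule covering more than 256, and it also flags a rule whose start or end address is 0.0.0.0, as the portal remediation step below requires. The `SAMPLE_RULES` list is constructed for the example and mimics the `name`, `startIpAddress` and `endIpAddress` fields that `az sql server firewall-rule list` returns; the function names are the example's own.

```python
import ipaddress
from typing import Dict, List

# Threshold from the GSL rule: numberOfAddressesInRange > 256 is non-compliant.
MAX_ADDRESSES_PER_RULE = 256

# Constructed sample input (not real rules): shaped like the JSON objects that
# `az sql server firewall-rule list` returns, trimmed to the fields we need.
SAMPLE_RULES = [
    {"name": "office-nat", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
    {"name": "branch-24", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"},
    {"name": "too-wide", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.101.255"},
    {"name": "open-to-world", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
]


def number_of_addresses_in_range(start_ip: str, end_ip: str) -> int:
    """Number of IPv4 addresses in the inclusive range start_ip..end_ip.

    Azure SQL firewall rules are inclusive on both ends, so a single-host
    rule (start == end) covers exactly one address.
    """
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)
    if end < start:
        raise ValueError(f"end address {end_ip} precedes start address {start_ip}")
    return int(end) - int(start) + 1


def evaluate_rule(rule: Dict[str, str]) -> List[str]:
    """Return the list of findings for one rule (empty list means compliant)."""
    findings: List[str] = []
    start, end = rule["startIpAddress"], rule["endIpAddress"]

    count = number_of_addresses_in_range(start, end)
    if count > MAX_ADDRESSES_PER_RULE:
        findings.append(f"covers {count} addresses (> {MAX_ADDRESSES_PER_RULE})")

    # The portal remediation step: neither start nor end should be 0.0.0.0.
    if start == "0.0.0.0" or end == "0.0.0.0":
        findings.append("start or end IP address is 0.0.0.0")

    return findings


def evaluate_firewall_rules(rules: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each non-compliant rule name to its findings; compliant rules are omitted."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = evaluate_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in evaluate_firewall_rules(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(findings)}")
```

Note that `branch-24` (a full /24, exactly 256 addresses) is not flagged by the size check, because the GSL logic uses a strict `> 256`; whether a /24 is really the minimum a given workload needs is a separate judgement. The `0.0.0.0`-`0.0.0.0` rule is the shape Azure uses for its "allow Azure services" setting, which is why the portal step calls it out explicitly.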

REMEDIATION

From Portal

  1. Log in to the Azure portal.
  2. Go to SQL Servers.
  3. For each SQL Server, select Firewalls and virtual networks.
  4. Add rules only for the IP address ranges that need access to the databases. Neither the start nor the end IP address should be 0.0.0.0.

NOTE: By default, no rules are created.

From TF
Set 'start_ip_address' and 'end_ip_address' under 'azurerm_mssql_firewall_rule' to the narrowest range required, as below:

resource "azurerm_mssql_firewall_rule" "example" {
	...
	start_ip_address = "START_IP"
	end_ip_address = "END_IP"
	...
}

From Command Line
Use the command below to create a firewall rule, replacing MYRESOURCEGROUP, SERVER, NAME_OF_FIREWALL_RULE, START_IP and END_IP with your own values.
Run

az sql server firewall-rule create --resource-group MYRESOURCEGROUP --server SERVER --name NAME_OF_FIREWALL_RULE --start-ip-address START_IP --end-ip-address END_IP

References

  1. https://learn.microsoft.com/en-us/azure/azure-sql/database/firewall-configure?view=azuresql
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_firewall_rule
  3. https://learn.microsoft.com/en-us/cli/azure/sql/server/firewall-rule?view=azure-cli-latest#az-sql-server-firewall-rule-create-examples

SQL Server on Virtual Machines

SQL Server on Azure virtual machines enables you to use full versions of SQL Server in the Cloud without having to manage any on-premises hardware. SQL Server VMs also simplify licensing costs when you pay as you go.

Azure virtual machines run in many different geographic regions around the world. They also offer a variety of machine sizes. The virtual machine image gallery allows you to create a SQL Server VM with the right version, edition, and operating system. This makes virtual machines a good option for many different SQL Server workloads.

Compliance Frameworks

  • Azure CSA CCM v.3.0.1
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure CloudGuard Network Security Alerts
  • Azure CloudGuard SOC2 based on AICPA TSC 2017
  • Azure HIPAA
  • Azure HITRUST v9.5.0
  • Azure ISO 27001:2013
  • Azure LGPD regulation
  • Azure NIST 800-171
  • Azure NIST 800-53 Rev 4
  • Azure NIST 800-53 Rev 5
  • Azure NIST CSF v1.1
  • Azure New Zealand Information Security Manual (NZISM) v.3.4
  • CloudGuard Azure All Rules Ruleset