HIGH
Source
CloudSploit
ID
sql-server-public-access

SQL Server Public Access

Ensures that SQL Servers do not allow public access

Unless there is a specific business requirement, SQL Server instances should not have a public endpoint and should only be accessed from within a VNET.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log in to the Microsoft Azure Management Console.

  2. Select the “Search resources, services, and docs” option at the top and search for SQL servers.

  3. On the “SQL servers” page, select the SQL server that needs to be examined.

  4. On the selected “SQL server” page, scroll down the left navigation panel and select “Networking” under “Security”.

  5. On the “Networking” page, under “Exceptions”, if “Allow Azure services and resources to access this server” is “ON”, then the selected SQL server allows public access.

  6. To disable public access, uncheck “Allow Azure services and resources to access this server” and click the “Save” button.

  7. Under “Firewall rules”, if you see an entry for IP address “0.0.0.0”, then traffic from global public IPs is allowed.

  8. To disable traffic from global public IPs, remove the firewall rule with IP address “0.0.0.0”. To delete it, click the triple dot (…) at the end of the row and select “Delete” from the dropdown menu.

  9. Click the “Save” button to apply the changes.

  10. Repeat steps 3 to 9 to ensure that the firewall of each SQL Server is configured to prohibit traffic from the public 0.0.0.0 global IP address.
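The portal checks in steps 5, 7 and 10 can be scripted against the firewall rules that `az sql server firewall-rule list -g <rg> -s <server>` returns as JSON. The Python below is an added example, not CloudSploit's plugin code: the server names and rule entries are constructed inline so it runs offline, and the `MAX_RANGE_SIZE` threshold for "suspiciously wide" ranges is an assumption of this example, not something the page or Azure defines. Azure stores the “Allow Azure services and resources to access this server” exception as a firewall rule named `AllowAllWindowsAzureIps` with start and end address `0.0.0.0`, which is why a `0.0.0.0` entry is what the check looks for.

```python
"""Added example: audit Azure SQL Server firewall rules for public access.

Input is the JSON array shape returned by
`az sql server firewall-rule list -g <rg> -s <server>` (name, startIpAddress,
endIpAddress). The inventory below is constructed so the script runs offline.
"""
import ipaddress
import json

# Azure represents the "Allow Azure services and resources to access this
# server" exception as a rule with this name and a 0.0.0.0-0.0.0.0 range.
AZURE_SERVICES_RULE = "AllowAllWindowsAzureIps"
ANY_ADDRESS = ipaddress.IPv4Address("0.0.0.0")
# Hypothetical threshold for this example: ranges wider than a /24 get flagged.
MAX_RANGE_SIZE = 256

# Constructed sample inventory (server names and rules are made up).
SAMPLE_INVENTORY = {
    "sql-prod-01": json.loads("""[
      {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
      {"name": "office-vpn", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"}
    ]"""),
    "sql-analytics": json.loads("""[
      {"name": "everyone", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}
    ]"""),
    "sql-internal": json.loads("""[
      {"name": "ci-runners", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"}
    ]"""),
}


def classify_rule(rule):
    """Return a finding for one firewall rule, or None if it looks scoped."""
    name = rule["name"]
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])

    if name == AZURE_SERVICES_RULE or start == ANY_ADDRESS:
        if start == end == ANY_ADDRESS:
            # The portal shows this as the "Exceptions" toggle (step 5).
            return f"{name}: 'Allow Azure services and resources' exception is ON (step 5)"
        # Any other rule anchored at 0.0.0.0 admits global public IPs (step 7).
        return f"{name}: rule starts at 0.0.0.0, global public IPs allowed (step 7)"

    if int(end) - int(start) + 1 > MAX_RANGE_SIZE:
        return f"{name}: range {start}-{end} is wider than {MAX_RANGE_SIZE} addresses"
    return None


def audit_server(rules):
    """Findings for a single server's rule list (empty list means compliant)."""
    findings = []
    for rule in rules:
        finding = classify_rule(rule)
        if finding:
            findings.append(finding)
    return findings


def audit_inventory(inventory):
    """Step 10: evaluate every server; returns {server: findings} for failing servers only."""
    results = {}
    for server, rules in inventory.items():
        findings = audit_server(rules)
        if findings:
            results[server] = findings
    return results


if __name__ == "__main__":
    for server, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"FAIL {server}")
        for finding in findings:
            print("  -", finding)
```

To run it against real servers, replace `SAMPLE_INVENTORY` with the parsed output of `az sql server firewall-rule list` for each server in the subscription. The CLI equivalent of steps 6 and 8 is `az sql server firewall-rule delete -g <rg> -s <server> -n <rule-name>`, with `AllowAllWindowsAzureIps` as the rule name when the finding is the step 5 exception.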