Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols

Description

To reduce the potential attack surface of a SQL Server, define firewall rules with granular IP ranges, referencing only the address ranges of the specific data centers that need access, rather than permitting ingress from any address.

Remediation Steps

Azure Portal

  • Navigate to Virtual Machines and select the VM that has the problem.

  • In the left navigation, select Networking.

  • Select the Inbound port rules tab and delete any inbound rules that permit ingress from ‘0.0.0.0/0’ to all ports and protocols.

Azure CLI

  • Remove the rule(s) that permit ingress from '0.0.0.0/0' to all ports and protocols:

  az network nsg rule delete [--ids]
                             [--name]
                             [--nsg-name]
                             [--resource-group]
                             [--subscription]

Terraform

  • Ensure that every azurerm_sql_firewall_rule does NOT contain any of the following:

    • start_ip_address = "0.0.0.0"

    • end_ip_address = "0.0.0.0" or "255.255.255.255"

Example Configuration

resource "azurerm_sql_firewall_rule" "example" {
  # name, resource_group_name and server_name are required; the values below are placeholders
  name                = "example-datacenter-range"
  resource_group_name = "example-rg"
  server_name         = "example-sqlserver"
  start_ip_address    = "1.1.1.1"
  end_ip_address      = "2.2.2.2"
}
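As an added example (not part of this policy page or the vendor's own scanner), the check below applies the Terraform criteria above to a constructed Terraform file: it extracts every azurerm_sql_firewall_rule block with a minimal regex parser and reports the ones whose start_ip_address or end_ip_address matches a forbidden value. The sample configuration and rule labels are constructed for illustration.

```python
import re

# Constructed sample Terraform (not from any real deployment): a compliant
# data-center range, a rule open to every IPv4 address, and a 0.0.0.0-0.0.0.0
# rule, which the criteria above also flag.
SAMPLE_TF = '''
resource "azurerm_sql_firewall_rule" "datacenter" {
  name             = "datacenter-range"
  start_ip_address = "1.1.1.1"
  end_ip_address   = "2.2.2.2"
}

resource "azurerm_sql_firewall_rule" "open" {
  name             = "allow-all"
  start_ip_address = "0.0.0.0"
  end_ip_address   = "255.255.255.255"
}

resource "azurerm_sql_firewall_rule" "zero_to_zero" {
  name             = "zero-range"
  start_ip_address = "0.0.0.0"
  end_ip_address   = "0.0.0.0"
}
'''

# Matches a flat resource block; nested blocks are not needed for this check.
BLOCK_RE = re.compile(
    r'resource\s+"azurerm_sql_firewall_rule"\s+"(?P<label>[^"]+)"\s*\{(?P<body>[^}]*)\}', re.S)
# Matches one `key = "value"` line inside a block body.
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*"(?P<value>[^"]*)"\s*$', re.M)

FORBIDDEN_START = {"0.0.0.0"}
FORBIDDEN_END = {"0.0.0.0", "255.255.255.255"}


def parse_firewall_rules(tf_text):
    """Return {label: {attribute: value}} for every azurerm_sql_firewall_rule block."""
    return {b.group("label"): {m.group("key"): m.group("value")
                               for m in ATTR_RE.finditer(b.group("body"))}
            for b in BLOCK_RE.finditer(tf_text)}


def is_violating(attrs):
    """True when the rule carries any of the forbidden values from the Terraform section."""
    return (attrs.get("start_ip_address") in FORBIDDEN_START
            or attrs.get("end_ip_address") in FORBIDDEN_END)


def find_violations(tf_text):
    """Labels of firewall rules that fail the policy, in file order."""
    return [label for label, attrs in parse_firewall_rules(tf_text).items() if is_violating(attrs)]


if __name__ == "__main__":
    for label in find_violations(SAMPLE_TF):
        print(f"FAILED: azurerm_sql_firewall_rule.{label}")
```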