Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols
Description
To reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific data centers.
Remediation Steps
Azure Portal
Navigate to Virtual Machines and select the VM that has the problem.
In the left navigation, select Networking.
Select the Inbound port rules tab and delete any inbound rules that permit ingress from ‘0.0.0.0/0’ to all ports and protocols.
Azure CLI
Remove the rule(s) that permit ingress from '0.0.0.0/0' to all ports and protocols:
az network nsg rule delete [--ids]
                           [--name]
                           [--nsg-name]
                           [--resource-group]
                           [--subscription]
Terraform
Ensure that every azurerm_sql_firewall_rule does NOT contain any of the following:
start_ip_address = "0.0.0.0"
end_ip_address = "0.0.0.0" or "255.255.255.255"
Example Configuration
resource "azurerm_sql_firewall_rule" "example" {
start_ip_address = "1.1.1.1"
end_ip_address = "2.2.2.2"
# other required fields here
}
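The two checks this page describes, the NSG inbound rule open from 0.0.0.0/0 to all ports and protocols (Azure Portal and Azure CLI sections) and the azurerm_sql_firewall_rule address patterns (Terraform section), can be evaluated offline against exported configuration before remediation. The following is an added example written for this page, not code from the page or from any Azure tooling. It assumes NSG rules shaped like the JSON objects `az network nsg rule list -o json` returns (field names such as sourceAddressPrefix and destinationPortRange follow the Azure NSG schema); the sample rules and their addresses are constructed for the example.

```python
import ipaddress

# Constructed sample NSG security rules in the shape returned by
# `az network nsg rule list -o json`. Names and address values are made up.
SAMPLE_NSG_RULES = [
    {
        "name": "AllowAnyInbound",
        "direction": "Inbound",
        "access": "Allow",
        "protocol": "*",
        "sourceAddressPrefix": "0.0.0.0/0",
        "destinationPortRange": "*",
    },
    {
        "name": "AllowSqlFromOffice",
        "direction": "Inbound",
        "access": "Allow",
        "protocol": "Tcp",
        "sourceAddressPrefix": "203.0.113.0/24",
        "destinationPortRange": "1433",
    },
    {
        "name": "DenyAllInbound",
        "direction": "Inbound",
        "access": "Deny",
        "protocol": "*",
        "sourceAddressPrefix": "*",
        "destinationPortRange": "*",
    },
]


def _source_prefixes(rule):
    """Collect both the singular and the plural source-prefix fields."""
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return prefixes


def _port_ranges(rule):
    """Collect both the singular and the plural destination-port fields."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    return ranges


def is_any_source(prefix):
    """True when the prefix means 'everywhere': '*' or a /0 network.

    Service tags such as 'VirtualNetwork' do not parse as networks and are
    deliberately not treated as 'any' here.
    """
    prefix = prefix.strip()
    if prefix == "*":
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False


def is_all_ports(port_range):
    """True for '*' or a range spelled out as the full 0-65535 port space."""
    port_range = port_range.strip()
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = port_range.split("-", 1)
        return low.strip() == "0" and high.strip() == "65535"
    return False


def is_open_to_world(rule):
    """The finding: Inbound + Allow + protocol '*' + any source + all ports."""
    return (
        rule.get("direction") == "Inbound"
        and rule.get("access") == "Allow"
        and rule.get("protocol") == "*"
        and any(is_any_source(p) for p in _source_prefixes(rule))
        and any(is_all_ports(r) for r in _port_ranges(rule))
    )


def find_open_rules(rules):
    """Names of the rules that match the finding, in input order."""
    return [r["name"] for r in rules if is_open_to_world(r)]


def is_open_sql_firewall_rule(start_ip_address, end_ip_address):
    """The azurerm_sql_firewall_rule patterns named in the Terraform section:
    start 0.0.0.0 with end 0.0.0.0, or start 0.0.0.0 with end 255.255.255.255."""
    return start_ip_address == "0.0.0.0" and end_ip_address in (
        "0.0.0.0",
        "255.255.255.255",
    )


if __name__ == "__main__":
    print("Open NSG rules:", find_open_rules(SAMPLE_NSG_RULES))
    print("Open SQL firewall rule:", is_open_sql_firewall_rule("0.0.0.0", "255.255.255.255"))
```

Only rules that match every condition are reported, so a rule that allows 0.0.0.0/0 on a single port (such as 1433) is not flagged by this check; that narrower exposure is still worth reviewing separately but is outside what this page's rule states.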