Virtual Network security groups attached to SQL Server instances should not permit ingress from to all ports and protocols


To reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific data centers.

Remediation Steps

Azure Portal

  • Navigate to Virtual Machines and select the VM that has the problem.

  • In the left navigation, select Networking.

  • Select the Inbound port rules tab and delete any inbound rules that permit ingress from ‘’ to all ports and protocols.

Azure CLI

  • Remove the rule(s) that permit ingress from ‘’ to to all ports and protocols:

  az network nsg rule delete [--ids]


  • Ensure that every azurerm_sql_firewall_rule does NOT contain any of the following:

    • start_ip_address = “”

    • end_ip_address = “” or “”

Example Configuration

resource "azurerm_sql_firewall_rule" "example" {
  start_ip_address = ""
  end_ip_address = ""
  # other required fields here