SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0

Description

SQL server firewall rules should not permit start and end IP addresses to be 0.0.0.0. Adding a rule with range 0.0.0.0 to 0.0.0.0 is the same as enabling the “Allow access to Azure services” setting, which allows all connections from Azure, including from other subscriptions. Disabling this setting helps prevent malicious Azure users from connecting to your database and accessing sensitive data.

Remediation Steps

Azure Portal

Disable the “Allow access to Azure services” setting:

• Navigate to SQL Servers and select your server

• Select Firewalls and Virtual Networks

• Set the “Allow access to Azure services” control to OFF

To allow specific Azure services to connect to the SQL server, consider setting up a virtual network service endpoint and rules.

Azure CLI

• List all firewall rules for a SQL server:

  • az sql server firewall-rule list -g <your-resource-group> -s <your-sql-server>

• Look for rules with a start and end IP address of 0.0.0.0 and copy the rule ID.

• Delete the rule:

  • az sql server firewall-rule delete --ids <your-firewall-rule-id>

To allow specific Azure services to connect to the SQL server, consider setting up a virtual network service endpoint and rules.

Terraform

• Ensure that an azurerm_sql_firewall_rule does NOT contain the following:

  • start_ip_address = “0.0.0.0”

  • end_ip_address = “0.0.0.0”

Example Configuration

resource "azurerm_sql_firewall_rule" "example" {
  start_ip_address = "1.1.1.1"
  end_ip_address = "2.2.2.2"

  # other required fields here
}

Documentation Links

Azure Portal and CLI

• CLI: Azure CLI documentation

• Connections from inside Azure

• Server-level versus database-level IP firewall rules

• Use virtual network service endpoints and rules for database servers

• Virtual Network Service Endpoints

Terraform

• Resource: azurerm_sql_firewall_rule

  • Field: start_ip_address

  • Field: end_ip_address