PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
Description
PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0. Adding a rule with range 0.0.0.0 to 0.0.0.0 is the same as enabling the “Allow access to Azure services” setting, which allows all connections from Azure, including from other subscriptions. Disabling this setting helps prevent malicious Azure users from connecting to your database and accessing sensitive data.
Remediation Steps
Azure Portal
Disable the "Allow access to Azure services" setting:
1. Navigate to Azure Database for PostgreSQL Servers and select your server.
2. Select Connection Security.
3. Set the "Allow access to Azure services" control to OFF.
To allow specific Azure services to connect to the PostgreSQL Database server, consider setting up a virtual network service endpoint and rules.
Azure CLI
List all firewall rules for a PostgreSQL Database server:
az postgres server firewall-rule list --resource-group <your-resource-group> --server-name <your-server-name>
Look for rules whose start and end IP address are both 0.0.0.0 and note the rule's name (the `name` field in the list output); the delete command below takes it via --name.
Delete the rule:
az postgres server firewall-rule delete --resource-group <your-resource-group> --server-name <your-server-name> --name <your-firewall-name>
To allow specific Azure services to connect to the PostgreSQL Database server, consider setting up a virtual network service endpoint and rules.
Azure Resource Manager
Ensure that a Microsoft.DBforPostgreSQL/servers/firewallRules resource does NOT contain the following:
{
  "properties": {
    "startIpAddress": "0.0.0.0",
    "endIpAddress": "0.0.0.0"
  }
}
Example Configuration
{
  "type": "Microsoft.DBforPostgreSQL/servers/firewallRules",
  "apiVersion": "2017-12-01",
  "name": "TestRule",
  "properties": {
    "startIpAddress": "10.0.0.0",
    "endIpAddress": "10.0.255.0"
  }
}
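The Azure CLI and Azure Resource Manager checks above apply the same test: a firewall rule whose startIpAddress and endIpAddress are both exactly 0.0.0.0. The following script is an added example, not part of this page or of any Azure tooling. It runs that test over two constructed inputs: a JSON array in the shape of `az postgres server firewall-rule list` output and an ARM template fragment. The rule names, server name and resource group in the samples are made up. Only the exact 0.0.0.0-to-0.0.0.0 sentinel is flagged, as the page describes; a rule spanning 0.0.0.0 to 255.255.255.255 is a different, broader exposure and is left to a separate check.

```python
import json

FIREWALL_RULE_TYPE = "Microsoft.DBforPostgreSQL/servers/firewallRules"

# Constructed sample in the shape of `az postgres server firewall-rule list --output json`
# (fields trimmed to the ones the check needs; names are made up).
SAMPLE_CLI_OUTPUT = json.dumps([
    {"name": "allow-azure", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
    {"name": "wide-open", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
])

# Constructed sample ARM template fragment with one offending and one acceptable rule.
SAMPLE_ARM_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.DBforPostgreSQL/servers", "name": "pg1", "properties": {}},
        {"type": FIREWALL_RULE_TYPE, "name": "pg1/allow-azure",
         "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}},
        {"type": FIREWALL_RULE_TYPE, "name": "pg1/TestRule",
         "properties": {"startIpAddress": "10.0.0.0", "endIpAddress": "10.0.255.0"}},
    ]
})


def allows_azure_services(start, end):
    """True when the rule is the 0.0.0.0-0.0.0.0 sentinel that is equivalent to
    enabling 'Allow access to Azure services'."""
    return start == "0.0.0.0" and end == "0.0.0.0"


def offending_cli_rules(cli_json):
    """Names of sentinel rules in `az postgres server firewall-rule list` JSON output."""
    rules = json.loads(cli_json)
    return [r["name"] for r in rules
            if allows_azure_services(r.get("startIpAddress"), r.get("endIpAddress"))]


def offending_arm_rules(template_json):
    """Names of sentinel firewallRules resources in an ARM template."""
    template = json.loads(template_json)
    hits = []
    for res in template.get("resources", []):
        # Resource type comparison is case-insensitive, as ARM treats it.
        if res.get("type", "").lower() != FIREWALL_RULE_TYPE.lower():
            continue
        props = res.get("properties", {})
        if allows_azure_services(props.get("startIpAddress"), props.get("endIpAddress")):
            hits.append(res.get("name"))
    return hits


def delete_commands(resource_group, server_name, rule_names):
    """Render the remediation command from the page for each offending rule name."""
    return [
        f"az postgres server firewall-rule delete --resource-group {resource_group} "
        f"--server-name {server_name} --name {name}"
        for name in rule_names
    ]


if __name__ == "__main__":
    cli_hits = offending_cli_rules(SAMPLE_CLI_OUTPUT)
    print("CLI output, offending rules:", cli_hits)
    for cmd in delete_commands("example-rg", "example-pg", cli_hits):
        print("  ", cmd)
    print("ARM template, offending rules:", offending_arm_rules(SAMPLE_ARM_TEMPLATE))
```

To use it against a real server, replace SAMPLE_CLI_OUTPUT with the JSON that `az postgres server firewall-rule list --output json` returns, or SAMPLE_ARM_TEMPLATE with a template read from disk; the printed delete commands are the ones listed in the Azure CLI remediation steps and are not executed by the script.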
Terraform
Ensure that an azurerm_postgresql_firewall_rule resource does NOT contain the following:
start_ip_address = "0.0.0.0"
end_ip_address   = "0.0.0.0"
Example Configuration
resource "azurerm_postgresql_firewall_rule" "example" {
  start_ip_address = "1.1.1.1"
  end_ip_address   = "2.2.2.2"
  # other required fields here
}