Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled

Overview

Disable access from Azure services to PostgreSQL Flexible Server.

Rationale

If access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.

Default Value

The Azure Postgres firewall is set to block all access by default.

Remediation guidance

Remediate from Azure Portal

Open the server using the Open in Azure button
Under Settings, click Networking.
Under Firewall rules, uncheck Allow public access from any Azure service within Azure to this server.
Click Save.

Remediate from Azure CLI

Using the firewall rule name from the Audit from Azure CLI steps, use the below command to delete the AllowAllAzureServicesAndResourcesWithinAzureIps rule for PostgreSQL flexible server:

az postgres flexible-server firewall-rule delete --resource-group <resourceGroup> --name <serverName> --rule-name <ruleName>

Type y and press enter to confirm.

Remediate from PowerShell

Using the firewall rule name from the Audit from PowerShell steps, use the below command to delete the AllowAllAzureServicesAndResourcesWithinAzureIps rule for each PostgreSQL flexible server:

Remove-AzPostgreSqlFlexibleServerFirewallRule -ResourceGroupName <resourceGroup> -ServerName <serverName> -Name <ruleName>

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

'Allow access to Azure services' for PostgreSQL Database Server is disabled

Connectors

Microsoft Azure

Covered asset types

PostgreSQLServer

Expected check: eq []

{postgreSqlServers(where:{firewallRules_SOME:,{OR:[{name_MATCHES:"(?i)allowallwindowsazureips"},{name_MATCHES:"(?i)allowallazureips"},{AND:[{startIPAddress:"0.0.0.0"},{endIPAddress:"0.0.0.0"}]}]}}){...AssetFragment}}

Ensure 'Allow access to Azure services' for PostgreSQL Database Flexible Server is disabled