Overview
Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).
Rationale
Azure SQL Server includes a firewall to block access to unauthorized connections. The range of IP addresses available from specific data centers can be used to define more granular IP addresses.
By default, for a SQL server, a firewall rule exists with StartIp of 0.0.0.0 and EndIp of 0.0.0.0, allowing access to all Azure services.
Additionally, a custom rule can be set up with StartIp of 0.0.0.0 and EndIp of 255.255.255.255, allowing access from ANY IP over the Internet.
To reduce a SQL server's potential attack surface, firewall rules should be defined with more granular IP addresses, referencing the range of addresses available from specific data centers.
If Allow Azure services and resources to access this server is 'Checked', this will allow resources outside of the subscription/tenant/organization boundary, within any region of Azure, to effectively bypass the defined SQL Server Network ACL on the public endpoint. A malicious attacker can successfully launch a SQL server password brute-force attack by creating a virtual machine in any Azure subscription/region from outside the subscription boundary where the SQL Server resides.
Impact
Disabling Allow Azure services and resources to access this server will break all connections to SQL server and Hosted Databases unless custom IP-specific rules are added to the Firewall Policy.
Default Value
By default, the setting Allow Azure services and resources to access this server is set to ON.
Additional Information
Firewall rules configured on an individual SQL Database using Transact-SQL override the rules set on the SQL server. Azure does not provide any PowerShell, API, CLI, or Portal option to check database-level firewall rules; so far, Transact-SQL is the only way to check for them. For comprehensive control over egress traffic on SQL Databases, firewall rules should be checked using a SQL client.
References
- https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017
- https://learn.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0
- https://learn.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0
- https://learn.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0
- https://learn.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure
- https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current
- https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-2-secure-cloud-services-with-network-controls
Remediation guidance
From Azure Console
- Open the SQL server using the Open in Azure button
- Under Security, click Networking
- Uncheck Allow Azure services and resources to access this server
- Set firewall rules to limit access to authorized connections
- Save
Using Azure CLI
Disable default firewall rule Allow Azure services and resources to access this server:
az sql server firewall-rule delete --resource-group <resourceGroup> --server <sqlServerName> --name "AllowAllWindowsAzureIps"
Remove a custom firewall rule:
az sql server firewall-rule delete --resource-group <resourceGroup> --server <sqlServerName> --name <firewallRuleName>
Create an appropriate firewall rule, with the start IP address other than 0.0.0.0 and the end IP address other than 0.0.0.0 or 255.255.255.255:
az sql server firewall-rule create --resource-group <resourceGroup> --server <sqlServerName> --name <firewallRuleName> --start-ip-address "<startIPAddress>" --end-ip-address "<endIPAddress>"
Update a firewall rule:
az sql server firewall-rule update --resource-group <resourceGroup> --server <sqlServerName> --name <firewallRuleName> --start-ip-address "<startIPAddress>" --end-ip-address "<endIPAddress>"
Using Azure PowerShell
Disable default firewall rule Allow Azure services and resources to access this server:
Remove-AzureRmSqlServerFirewallRule -FirewallRuleName "AllowAllWindowsAzureIps" -ResourceGroupName <resourceGroupName> -ServerName <serverName>
Remove a custom firewall rule:
Remove-AzureRmSqlServerFirewallRule -FirewallRuleName "<firewallRuleName>" -ResourceGroupName <resourceGroupName> -ServerName <serverName>
Create an appropriate firewall rule, with the start IP address other than 0.0.0.0 and the end IP address other than 0.0.0.0 or 255.255.255.255:
Set-AzureRmSqlServerFirewallRule -ResourceGroupName <resourceGroupName> -ServerName <serverName> -FirewallRuleName "<firewallRuleName>" -StartIpAddress "<startIPAddress>" -EndIpAddress "<endIPAddress>"
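Before removing or rewriting rules, it helps to audit what is currently configured. The following script is an added example, not part of this control's own tooling: it takes the JSON that `az sql server firewall-rule list` prints (only the `name`, `startIpAddress` and `endIpAddress` fields are used, shown here on a constructed sample) and flags the two rule shapes described in the Rationale, plus, as an assumed local threshold, any range wider than 256 addresses. Addresses are compared as parsed IPs rather than as substrings, so a start address such as 10.0.0.0 is not mistaken for 0.0.0.0.

```python
import ipaddress
import json

# Constructed sample in the shape of:
#   az sql server firewall-rule list -g <resourceGroup> -s <sqlServerName> -o json
# (only the fields used here; not output from any real server).
SAMPLE_RULES_JSON = """[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "any-ip", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "corp-nat", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.12"},
  {"name": "lab-range", "startIpAddress": "10.0.0.0", "endIpAddress": "10.0.0.255"}
]"""

# Assumption for this example: a rule spanning more than a /24 is "too broad".
MAX_RANGE = 256

ZERO = ipaddress.ip_address("0.0.0.0")
BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify_rule(rule):
    """Return a finding for one server-level rule, or None if the rule is acceptable."""
    start = ipaddress.ip_address(rule["startIpAddress"])
    end = ipaddress.ip_address(rule["endIpAddress"])
    # 0.0.0.0 - 0.0.0.0 is the "Allow Azure services and resources" rule.
    if start == ZERO and end == ZERO:
        return "allows all Azure services (AllowAllWindowsAzureIps)"
    # 0.0.0.0 - 255.255.255.255 admits any address on the Internet.
    if start == ZERO and end == BROADCAST:
        return "allows ANY IP over the Internet"
    # Exact address arithmetic; ranges are inclusive on both ends.
    if int(end) - int(start) + 1 > MAX_RANGE:
        return "range broader than %d addresses" % MAX_RANGE
    return None


def audit_firewall_rules(rules_json):
    """Parse CLI JSON and map each non-compliant rule name to its finding."""
    findings = {}
    for rule in json.loads(rules_json):
        finding = classify_rule(rule)
        if finding:
            findings[rule["name"]] = finding
    return findings


if __name__ == "__main__":
    for name, why in audit_firewall_rules(SAMPLE_RULES_JSON).items():
        print("%s: %s" % (name, why))
```

Database-level rules, which the Additional Information section notes are only visible through Transact-SQL, can be fed to `classify_rule` in the same way by selecting `name`, `start_ip_address` and `end_ip_address` from `sys.database_firewall_rules` and mapping the columns onto the same keys.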
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
No Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
Connector: Microsoft Azure
Expected check: eq []
{sqlServers(where:{firewallRules_SOME:{startIpAddress_CONTAINS:"0.0.0.0"}}){...AssetFragment}}