Ensure Public Network Access is Disabled for SQL Servers

Overview

Disabling public network access restricts the service from accessing public networks.

Rationale

A secure network architecture requires carefully constructed network segmentation. Public Network Access tends to be overly permissive and introduces unintended vectors for threat activity.

Impact

Some architectural considerations may be necessary to ensure that network connectivity is available. No additional cost or performance impact is required to deploy this recommendation.

Default Value

By default, Azure SQL Server's Public network access is set to Disable.

Remediation guidance

From Azure Portal

Open the SQL server using the Open in Azure button
Under Security, click Networking.
Set Public network access to Disable.
Click Save.

From Azure CLI

For each SQL server with publicNetworkAccess Enabled, set it to Disabled:

az sql server update -n <sqlServerName> -g <resourceGroup> --set publicNetworkAccess="Disabled"

From PowerShell

For each SQL server with PublicNetworkAccess Enabled, set it to Disabled:

Set-AzSqlServer -ServerName <sqlServerName> -ResourceGroupName <resourceGroup> -PublicNetworkAccess "Disabled"

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure SQL Servers allowing public access

Connectors

Microsoft Azure

Covered asset types

SQLServer

Expected check: eq []

{
  sqlServers(where: { publicNetworkAccess: "Enabled" }) {
    ...AssetFragment
  }
}