# SQL Database service firewall exposes a broad range of addresses
Security · SQL Database · Rule · 2020_06 · Important
Each IP address in the permitted IP list is allowed network access to any databases hosted on the same logical server.
## Description

The Azure SQL Database service firewall is an important security control that helps restrict network access to data. Access to a database still requires an identity with permissions to read the data in addition to network access. Combining network and identity controls further hardens your environment against the use of compromised identities during lateral movement and the misuse of credentials.
Typically the number of IP address rules permitted through the firewall is minimal, with management connectivity from on-premises and cloud application connectivity the most common. Excessive access from many IP addresses may indicate weak network security controls.
## Recommendation

Consider reducing the size or count of the IP ranges in the firewall rules so that the total number of allowed IP addresses is less than 10.
## Notes

This rule sums the IP addresses covered by each allowed-IP firewall entry (start address through end address, inclusive) and checks that the total number of allowed addresses is less than 10.
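The following is an added example, not part of the rule documentation or the PSRule for Azure code base, showing how the count described above can be reproduced from a list of firewall rules. It assumes each rule is represented as a (name, start IP, end IP) tuple, as returned by the Azure portal or CLI, and the sample rules are constructed for illustration. It also reports which rules contribute the most addresses, which is what you need in order to act on the recommendation.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Threshold stated by the rule: total allowed addresses must be fewer than 10.
MAX_ALLOWED_IPS = 10

# A firewall rule as (name, start address, end address); the range is inclusive.
FirewallRule = Tuple[str, str, str]


def rule_address_count(start_ip: str, end_ip: str) -> int:
    """Number of IPv4 addresses covered by one firewall rule (inclusive range)."""
    start = int(ipaddress.IPv4Address(start_ip))
    end = int(ipaddress.IPv4Address(end_ip))
    if end < start:
        raise ValueError(f"end address {end_ip} precedes start address {start_ip}")
    return end - start + 1


def total_allowed_ips(rules: Iterable[FirewallRule]) -> int:
    """Sum the addresses permitted across all rules, as the rule description counts them."""
    return sum(rule_address_count(start, end) for _, start, end in rules)


def assess(rules: List[FirewallRule]) -> Dict[str, object]:
    """Evaluate the rule and list the entries that contribute the most addresses."""
    total = total_allowed_ips(rules)
    # Largest contributors first, so an operator knows which ranges to shrink.
    by_size = sorted(
        ((name, rule_address_count(start, end)) for name, start, end in rules),
        key=lambda item: item[1],
        reverse=True,
    )
    return {
        "total": total,
        "pass": total < MAX_ALLOWED_IPS,
        "largest_rules": by_size,
    }


# Constructed sample: one management host plus an oversized application range.
SAMPLE_RULES: List[FirewallRule] = [
    ("management-office", "203.0.113.10", "203.0.113.10"),   # 1 address
    ("app-subnet", "198.51.100.0", "198.51.100.15"),          # 16 addresses
]

# Constructed sample after shrinking the application range to a single host.
REMEDIATED_RULES: List[FirewallRule] = [
    ("management-office", "203.0.113.10", "203.0.113.10"),   # 1 address
    ("app-host", "198.51.100.4", "198.51.100.4"),             # 1 address
]

if __name__ == "__main__":
    for label, ruleset in (("before", SAMPLE_RULES), ("after", REMEDIATED_RULES)):
        result = assess(ruleset)
        verdict = "PASS" if result["pass"] else "FAIL"
        print(f"{label}: {result['total']} allowed addresses -> {verdict}")
        for name, count in result["largest_rules"]:
            print(f"  {name}: {count}")
```

Each rule's contribution is the inclusive size of its start-to-end range, so a single /28-sized entry on its own already exceeds the threshold; the sorted list makes it obvious which entry to narrow to the specific client addresses that actually need access.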
## Links
- SE:06 Network controls
- Azure SQL Database and Azure Synapse IP firewall rules
- Create and manage IP firewall rules
- Azure deployment reference