Ensure that access from Microsoft Azure cloud services to Azure Database for PostgreSQL servers is disabled, in order to secure access to PostgreSQL databases by allowing connections from trusted Virtual Networks (VNets) only.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Enabling access from Microsoft Azure cloud services in the firewall configuration of the PostgreSQL database server allows connections from all Azure cloud resources, including those in other subscriptions. While this configuration may be suitable in certain scenarios, it is generally not recommended because it may pose security risks. To implement more granular access controls, you can set up firewall rules that permit connections only from specific network ranges, or implement VNet rules that allow access only from designated virtual networks. This approach enhances security by limiting access to trusted, authorized sources.
Audit
To determine if the "Allow access to Azure services" setting is disabled for PostgreSQL database servers, perform the following actions:
Remediation / Resolution
To disable the "Allow access to Azure services" setting for your PostgreSQL database servers so that only trusted networks and address ranges can connect, perform the following actions:
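The audit and remediation steps above can be scripted against the output of the CLI commands listed in the references. The following is an added example, not part of the Conformity rule or Microsoft's tooling: it parses a constructed sample of what `az postgres server firewall-rule list` returns, flags the rule that represents "Allow access to Azure services" (stored as an ordinary firewall rule whose start and end address are both 0.0.0.0, by default named AllowAllWindowsAzureIps), and builds the matching `az postgres server firewall-rule delete` commands without running them. The server name `pg-prod-01` and resource group `rg-data` are assumed values.

```python
import json
import subprocess
from typing import Dict, List

# The "Allow access to Azure services" toggle is stored as an ordinary firewall
# rule whose start and end addresses are both 0.0.0.0 (the portal names it
# AllowAllWindowsAzureIps, but the name is not guaranteed), so match on the
# addresses rather than on the rule name.
AZURE_SERVICES_IP = "0.0.0.0"

# Constructed sample: what `az postgres server firewall-rule list` might return
# for a server that still allows all Azure services plus one office range.
SAMPLE_RULES = json.loads("""[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0",
   "endIpAddress": "0.0.0.0", "resourceGroup": "rg-data"},
  {"name": "office-egress", "startIpAddress": "203.0.113.10",
   "endIpAddress": "203.0.113.20", "resourceGroup": "rg-data"}
]""")


def azure_services_rules(rules: List[Dict]) -> List[Dict]:
    """Return every rule that grants access to all Azure cloud services."""
    return [r for r in rules
            if r.get("startIpAddress") == AZURE_SERVICES_IP
            and r.get("endIpAddress") == AZURE_SERVICES_IP]


def is_compliant(rules: List[Dict]) -> bool:
    """Audit result: compliant only if no Azure-services rule is present."""
    return not azure_services_rules(rules)


def remediation_commands(server: str, resource_group: str,
                         rules: List[Dict]) -> List[str]:
    """Build (but do not run) the delete commands for the offending rules."""
    return ["az postgres server firewall-rule delete "
            f"--resource-group {resource_group} --server-name {server} "
            f"--name {r['name']}"
            for r in azure_services_rules(rules)]


def fetch_rules(server: str, resource_group: str) -> List[Dict]:
    """Live lookup; needs an authenticated `az login` session (not used offline)."""
    out = subprocess.check_output(["az", "postgres", "server", "firewall-rule",
                                   "list", "--resource-group", resource_group,
                                   "--server-name", server, "--output", "json"])
    return json.loads(out)


if __name__ == "__main__":
    print("compliant" if is_compliant(SAMPLE_RULES) else "NON-COMPLIANT")
    for cmd in remediation_commands("pg-prod-01", "rg-data", SAMPLE_RULES):
        print(cmd)
```

Replace `SAMPLE_RULES` with `fetch_rules(server, group)` for each server returned by `az postgres server list` to audit a real subscription; review the printed delete commands before running them.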
References
- Azure Official Documentation
- Security Control v3: Network security
- Firewall rules in Azure Database for PostgreSQL - Single Server
- Quickstart: Create an Azure Database for PostgreSQL server by using the Azure CLI
- Azure Command Line Interface (CLI) Documentation
- az postgres server list
- az postgres server firewall-rule list
- az postgres server firewall-rule delete