
Disable "Allow access to Azure services" for PostgreSQL database servers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: PostgreSQL-014

Ensure that access from Microsoft Azure cloud services to Azure Database for PostgreSQL servers is disabled, in order to secure access to PostgreSQL databases by allowing connections from trusted Virtual Networks (VNets) only.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Enabling access from Microsoft Azure cloud services in the firewall configuration of the PostgreSQL database server allows connections from all Azure cloud resources, including those from other subscriptions. While this configuration may be suitable in certain scenarios, it is generally not recommended as it may pose security risks. To implement more granular access controls, you can set up firewall rules that permit connections only from specific network ranges, or implement VNet rules to allow access only from designated virtual networks. This approach enhances security by limiting access to trusted, authorized sources.


Audit

To determine if the "Allow access to Azure services" setting is disabled for PostgreSQL database servers, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server and choose Apply to list only the PostgreSQL servers available within your Azure cloud account.

04 Click on the name (link) of the PostgreSQL database server that you want to examine.

05 In the navigation panel, under Settings, select Connection security to access the connection security settings for the selected PostgreSQL server.

06 On the Connection security configuration page, in the Firewall rules section, check the Allow access to Azure services setting status. If the setting status is set to Yes, access from Azure cloud services to the PostgreSQL database server is not disabled for the selected Azure Database for PostgreSQL server.

07 Repeat steps no. 4 – 6 for each PostgreSQL database server available within the current Azure subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run postgres server list command (Windows/macOS/Linux) using custom query filters to list the names of all PostgreSQL database servers (and the name of their associated resource groups) available in the current Azure subscription:

az postgres server list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested PostgreSQL server information:

Name                  ResourceGroup
--------------------  ------------------------------
cc-production-server  cloud-shell-storage-westeurope
cc-postgresql-server  cloud-shell-storage-westeurope

03 Run postgres server firewall-rule list command (Windows/macOS/Linux) using the name of the Azure PostgreSQL server that you want to examine as the identifier parameter and custom query filters to determine the "Allow access to Azure services" setting status for the selected database server:

az postgres server firewall-rule list \
  --server cc-production-server \
  --resource-group cloud-shell-storage-westeurope \
  --query '[*].{"ruleName":name,"startIpAddress":startIpAddress,"endIpAddress":endIpAddress}'

04 The command output should return the requested configuration information:

[
	{
		"ruleName": "AllowAllWindowsAzureIps",
		"endIpAddress": "0.0.0.0",
		"startIpAddress": "0.0.0.0"
	}
]

If the postgres server firewall-rule list command output returns "AllowAllWindowsAzureIps" for "ruleName" and "0.0.0.0" for both "startIpAddress" and "endIpAddress", as shown in the example above, the "Allow access to Azure services" setting is enabled; therefore access from Azure cloud services to the selected Azure Database for PostgreSQL server is not disabled.

05 Repeat steps no. 3 and 4 for each Azure PostgreSQL server provisioned in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To disable the "Allow access to Azure services" setting for your Azure Database for PostgreSQL servers and block access from Azure cloud services, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server and choose Apply to list the PostgreSQL servers available within your Azure cloud account.

04 Click on the name of the PostgreSQL database server that you want to configure.

05 In the resource navigation panel, under Settings, select Connection security to access the connection security settings for the selected PostgreSQL server.

06 On the Connection security configuration page, in the Firewall rules section, select No next to Allow access to Azure services to disable the "Allow access to Azure services" setting and block all access from Azure cloud services to the selected Azure Database for PostgreSQL server.

07 Choose Save to apply the configuration changes.

08 Repeat steps no. 4 – 7 for each PostgreSQL database server available within the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run postgres server firewall-rule delete command (Windows/macOS/Linux) using the name of the Azure PostgreSQL server that you want to configure as the identifier parameter to block all access from Azure cloud services to the selected Azure Database for PostgreSQL server by deleting the "AllowAllWindowsAzureIps" firewall rule (the command does not produce an output):

az postgres server firewall-rule delete \
  --name AllowAllWindowsAzureIps \
  --server cc-production-server \
  --resource-group cloud-shell-storage-westeurope

02 Type y and press Enter to confirm the operation and delete the specified firewall rule:

Are you sure you want to perform this operation? (y/n): y

03 Repeat steps no. 1 and 2 for each PostgreSQL database server available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
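The CLI audit steps (server list, firewall-rule list, check for "AllowAllWindowsAzureIps" with 0.0.0.0/0.0.0.0) and the CLI remediation step (delete that rule, answering the y/n prompt) combined into one script, as an added example that is not part of the Conformity page or of the Azure CLI itself. It assumes the Azure CLI is installed and logged in for the live path; the function names, the raw `name`/`startIpAddress`/`endIpAddress` field names and the sample rule sets at the bottom are constructed here.

```python
import json
import subprocess

AZURE_SERVICES_RULE = "AllowAllWindowsAzureIps"  # rule Azure creates when the setting is Yes
SENTINEL_IP = "0.0.0.0"                          # its start and end address


def azure_services_rules(rules):
    """Names of firewall rules that grant access to all Azure services. `rules` is
    the parsed JSON list from `az postgres server firewall-rule list` (raw field
    names, not the renamed ones from the page's --query)."""
    return [r["name"] for r in rules
            if r.get("name") == AZURE_SERVICES_RULE
            and r.get("startIpAddress") == SENTINEL_IP
            and r.get("endIpAddress") == SENTINEL_IP]


def is_compliant(rules):
    """PostgreSQL-014 passes only when no such rule is present."""
    return not azure_services_rules(rules)


def az(*args, stdin=None):
    """Run an Azure CLI command (needs `az` and an active login; unused offline)."""
    return subprocess.run(["az", *args], check=True, capture_output=True,
                          text=True, input=stdin).stdout


def audit_subscription(remediate=False):
    """Return (resourceGroup, name) of every PostgreSQL server in the current
    subscription that allows Azure services; with remediate=True delete the
    offending rule, answering the CLI's y/n prompt with "y"."""
    findings = []
    for srv in json.loads(az("postgres", "server", "list", "--output", "json")):
        scope = ["--server", srv["name"], "--resource-group", srv["resourceGroup"]]
        rules = json.loads(az("postgres", "server", "firewall-rule", "list",
                              *scope, "--output", "json"))
        if is_compliant(rules):
            continue
        findings.append((srv["resourceGroup"], srv["name"]))
        if remediate:
            for rule in azure_services_rules(rules):
                az("postgres", "server", "firewall-rule", "delete",
                   "--name", rule, *scope, stdin="y\n")
    return findings


# Constructed sample rule sets, shaped like the page's firewall-rule list output.
SAMPLE_OPEN = [{"name": "AllowAllWindowsAzureIps",
                "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}]
SAMPLE_RESTRICTED = [{"name": "office-egress",
                      "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"}]
```

Run `audit_subscription()` after `az login` to list non-compliant servers, and `audit_subscription(remediate=True)` to also delete the rule; repeat per subscription as the steps above describe.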


Publication date Jul 29, 2019