Azure database firewall rules not working / database exposed to internet

LuisEnrique-8691 20 Reputation points
2023-06-21T18:08:03.9766667+00:00
Hello, how are you? I am new.
Sorry for my English.
I have a problem with my Azure database. Despite the fact that I configured the firewall rules so that only specific IPs can access it, I can still see it and try to access it from the internet. For example, I tried nmap from a device on the internet that is not allowed, and I succeeded in seeing the open port. I can also reach it with telnet through port 1433:

    # telnet mydatabase.windows.net 1433

It responds to me without problems, and it should not. With the command

    # nmap -p- -sC -sV mydatabase.windows.net -v

I also see it without problem, and it shouldn't be that way either.

Help me Please!


Accepted answer
  1. Oury Ba-MSFT 20,901 Reputation points Microsoft Employee Moderator
    2023-06-21T22:58:47.7966667+00:00

    @LuisEnrique-8691 Thank you for reaching out.

    Sorry to hear about the issue you are facing.

    What @Alberto Morillo mentioned above is correct. What is allowing nmap or telnet to connect is the Azure SQL Public Gateway not the Azure SQL Database itself.

    This is an expected behavior in Azure Database. These ports are required to provide a variety of Azure services.

    You might be reaching the public Gateway, that is open for everyone.

    You can nmap or telnet to them from everywhere but that doesn't mean that you are connecting to the database itself. It is not an issue; this is by design.

    See An overview of Azure SQL Database and SQL Managed Instance security capabilities and the best practices in the Playbook for addressing common security requirements with Azure SQL Database and Azure SQL Managed Instance .

    Regards,

    Oury


1 additional answer

  1. Alberto Morillo 34,671 Reputation points MVP Volunteer Moderator
    2023-06-21T20:39:45.0133333+00:00

    In reality what is allowing nmap or telnet to connect is the Azure SQL Public Gateway not the Azure SQL Database itself. See the following explanation and why what you are seeing is the response from the Azure SQL Gateway.

    An Azure SQL Database server is an abstraction, a logical container that defines a grouping of databases. It does not represent a SQL Server instance listening on a public address; it represents a single connection endpoint for all the databases.

    For example if you ping a server's FQDN, like [servername.database.windows.net] you get the public gateway IP. If you ping any other SQL DB server in the same region, you would get one of the other possible IPs for the gateway in that Azure region.

    These IPs are shared by all the SQL DB servers in the same region. It's a gateway that receives all incoming connections and redirects them to the SQL instance running the requested database in the right database cluster.

    Source here.

