SQL PaaS default security configuration

Stephen 6 Reputation points
2021-03-09T10:37:56.077+00:00

We recently looked at deploying some new SQL PaaS instances and were presented with the SQL Connectivity Settings in the Server Firewall within the Azure portal. As can be seen in the first image on this docs article (https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings#deny-public-network-access), the default setting is to allow public access, i.e. "Deny Public Access = NO".

We believe the default should be "Deny Public Access = YES", so that an Azure SQL Server instance is least privilege from the start and secured out of the box. If public access is needed, the customer needs to enable both this setting and configure SQL firewall rules to support their connectivity requirements. Therefore the tooltips, documentation and other onboarding wizards will need updating to address this configuration decision.

Hope you agree, and maybe this isn't the only similar resource in Azure that could be more secure from the initial deployment and put the active choice into the hands of the customer.
Many thanks,
Stephen

Azure SQL Database
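The question turns on two things a customer has to get right once public access is left enabled: the server-level "Deny Public Access" flag and the firewall rules in front of it. The audit below is an added example, not code from the thread or from Microsoft; it runs offline over constructed sample data shaped like the JSON that `az sql server list` and `az sql server firewall-rule list` return (the field names `publicNetworkAccess`, `startIpAddress` and `endIpAddress` are assumed to match that output) and flags servers that are reachable from the internet, wide-open rules, and the 0.0.0.0-0.0.0.0 rule that admits any Azure-hosted source.

```python
"""Audit Azure SQL logical servers for public exposure (added example)."""
import ipaddress
import json

# Constructed sample in the shape of `az sql server list -o json`; not real servers.
SERVERS_JSON = """[
  {"name": "sql-prod-01", "resourceGroup": "rg-prod", "publicNetworkAccess": "Disabled"},
  {"name": "sql-dev-01",  "resourceGroup": "rg-dev",  "publicNetworkAccess": "Enabled"},
  {"name": "sql-test-01", "resourceGroup": "rg-test", "publicNetworkAccess": "Enabled"}
]"""

# Constructed sample in the shape of `az sql server firewall-rule list`, keyed by server.
FIREWALL_JSON = {
    "sql-dev-01": """[
      {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
      {"name": "everything", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}
    ]""",
    "sql-test-01": """[
      {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"}
    ]""",
}

MAX_RANGE = 256  # anything wider than a /24 is treated as too broad for a firewall rule


def rule_finding(rule):
    """Return a description of why a firewall rule is risky, or None if it looks scoped."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if start == end == ipaddress.IPv4Address("0.0.0.0"):
        # Azure's special-case rule: any resource hosted in Azure, from any tenant, may connect.
        return "rule '%s' allows all Azure services (0.0.0.0-0.0.0.0)" % rule["name"]
    span = int(end) - int(start) + 1
    if span > MAX_RANGE:
        return "rule '%s' spans %d addresses" % (rule["name"], span)
    return None


def audit(servers_json, firewall_json_by_server):
    """Return (server, finding) pairs; servers with public access disabled produce none."""
    findings = []
    for srv in json.loads(servers_json):
        if srv["publicNetworkAccess"] != "Enabled":
            continue  # private endpoints only: nothing to check at the firewall
        name = srv["name"]
        findings.append((name, "public network access enabled; consider "
                         "az sql server update -g %s -n %s --enable-public-network false"
                         % (srv["resourceGroup"], name)))
        for rule in json.loads(firewall_json_by_server.get(name, "[]")):
            finding = rule_finding(rule)
            if finding:
                findings.append((name, finding))
    return findings


if __name__ == "__main__":
    for server, finding in audit(SERVERS_JSON, FIREWALL_JSON):
        print(server, "-", finding)
```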

2 answers

  1. Vaibhav Chaudhari 38,976 Reputation points Volunteer Moderator
    2021-03-09T11:05:01.403+00:00

    Agree with you. The tooltip should be updated with more details but it currently just has a link to documentation.

    If this is not a question but a suggestion/feedback on documentation or a change in default settings behavior, you may post it at the link below. Feedback is monitored by the product team and taken up based on priority and votes:

    https://feedback.azure.com/forums/217321-sql-database


    Please don't forget to Accept Answer and Up-vote if the response helped -- Vaibhav


  2. KalyanChanumolu-MSFT 8,356 Reputation points
    2021-03-10T03:36:10.953+00:00

    @Stephen Thank you for reaching out.
    You are right. For complete isolation from the public internet, Deny Public Access should be set to Yes.
    This also means that customers will now have to go through creating and managing services like Azure Private Endpoint or Azure Private Link.
    Some customers have their workloads on multiple cloud providers and need to connect to Azure SQL Database over the public internet.

    When customers have a database that is exposed, new tooltips encourage customers to create a private end point and deny public internet access.


    Azure Security Center identifies and makes recommendations accordingly.


    As of today, to cater to all generic use cases, Deny Public Access is not currently enforced by default while sensitizing customers on the subject and encouraging them to take action.

    Your suggestion is definitely valid; please do post it here.

    ----------

    If an answer is helpful, please "Accept answer" or "Up-Vote" for the same which might be beneficial to other community members reading this thread.
