Share via


Azure Policy built-in definitions for Azure Database for MariaDB

Important

Azure Database for MariaDB is on the retirement path. We strongly recommend that you migrate to Azure Database for MySQL. For more information about migrating to Azure Database for MySQL, see What's happening to Azure Database for MariaDB?.

This page is an index of Azure Policy built-in policy definitions for Azure Database for MariaDB. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure Database for MariaDB

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers Enable Advanced Threat Protection on your non-Basic tier Azure database for MariaDB servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. DeployIfNotExists, Disabled 1.2.0
Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MariaDB servers (microsoft.dbformariadb/servers). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Geo-redundant backup should be enabled for Azure Database for MariaDB Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. Audit, Disabled 1.0.1
MariaDB server should use a virtual network service endpoint Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for MariaDB while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for MariaDB has virtual network service endpoint being used. AuditIfNotExists, Disabled 1.0.2
Private endpoint should be enabled for MariaDB servers Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. AuditIfNotExists, Disabled 1.0.2
Public network access should be disabled for MariaDB servers Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. Audit, Deny, Disabled 2.0.0

Next steps