Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Connection Throttling for PostgreSQL Flexible Servers

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: PostgreSQL-016

Ensure that connection throttling is enabled for your Azure Database for PostgreSQL flexible servers. To enable this feature, set the "connection_throttle.enable" parameter to "ON" in the PostgreSQL server configuration. The "connection_throttle.enable" parameter activates temporary connection throttling per IP address in response to too many invalid login failures."

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Enabling connection throttling helps generate logging data regarding concurrent connections. This logging data can be used to identify PostgreSQL flexible database servers that are degraded by an overload of legitimate users or to detect Distributed Denial of Service (DDoS) attacks that exhaust network resources.

Audit

To determine if connection throttling is enabled for your Azure PostgreSQL flexible database servers, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Azure Database for PostgreSQL - Flexible Server, and choose Apply to list only the Azure PostgreSQL flexible servers available in the selected subscription.

05 Click on the name (link) of the PostgreSQL flexible server that you want to examine.

06 In the resource navigation panel, under Settings, select Server parameters to access the configuration parameters available for the selected PostgreSQL server.

07 On the Server parameters page, select the All tab, and find the connection_throttle.enable configuration parameter using the Search to filter items search box. Check the connection_throttle.enable parameter value, listed in the Value column to determine the connection throttling feature status. If the parameter value is set to OFF, connection throttling is not enabled for the selected Azure PostgreSQL flexible database server.

08 Repeat steps no. 5 - 7 for each PostgreSQL flexible server deployed within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run postgres flexible-server list command (Windows/macOS/Linux) with custom output filters to list the names of all PostgreSQL flexible servers (and the name of their associated resource groups) available in the selected Azure subscription: 

az postgres flexible-server list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return a table with requested PostgreSQL server information: 

Name                     ResourceGroup
-----------------------  ------------------------------
cc-postgres-flexible-db  cloud-shell-storage-westeurope
cc-project5-flexible-db  cloud-shell-storage-westeurope

06 Run postgres flexible-server parameter show command (Windows/macOS/Linux) with the name of the Azure PostgreSQL flexible server that you want to examine and its associated resource group as the identifier parameters, to get the connection_throttle.enable parameter value for the selected PostgreSQL server in order to determine the connection throttling feature status: 

az postgres flexible-server parameter show
	--server-name "cc-postgres-flexible-db"
	--resource-group "cloud-shell-storage-westeurope"
	--name connection_throttle.enable
	--query 'value'

07 The command output should return the requested configuration value ("ON" or "on" for enabled, "OFF" or "off" for disabled): 

"off"

If the postgres flexible-server parameter show command output returns "OFF", as shown in the example above, connection throttling is not enabled for the selected Azure PostgreSQL flexible database server.

08 Repeat steps no. 6 and 7 for each PostgreSQL flexible server provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To enable connection throttling for your Azure PostgreSQL flexible database servers, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Azure Database for PostgreSQL - Flexible Server, and choose Apply to list only the Azure PostgreSQL flexible servers available in the selected subscription.

05 Click on the name (link) of the PostgreSQL flexible server that you want to configure.

06 In the resource navigation panel, under Settings, select Server parameters to access the configuration parameters available for the selected PostgreSQL server.

07 On the Server parameters page, perform the following actions:

  1. Select the All tab and find the connection_throttle.enable configuration parameter using the Search to filter items search box.
  2. Once the connection_throttle.enable server parameter is found, enable the parameter by toggling it ON in the Value column.
  3. Choose Save to apply the configuration changes. This will enable connection throttling for the selected Azure PostgreSQL flexible database server.

08 Repeat steps no. 5 - 7 for each PostgreSQL flexible server deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run postgres flexible-server parameter set command (Windows/macOS/Linux) with the name of the PostgreSQL flexible server that you want to configure as the identifier parameter, to enable the connection_throttle.enable server parameter for the selected database server. This will enable connection throttling for the selected Azure PostgreSQL flexible server: 

az postgres flexible-server parameter set
	--server-name "cc-postgres-flexible-db"
	--resource-group "cloud-shell-storage-westeurope"
	--name connection_throttle.enable
	--value on

02 The command output should return the information available for the configured server parameter: 

{
	"allowedValues": "on,off",
	"dataType": "Boolean",
	"defaultValue": "off",
	"description": "Enables temporary connection throttling per IP for too many login failures.",
	"documentationLink": null,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DBforPostgreSQL/flexibleServers/cc-postgres-flexible-db/configurations/connection_throttle.enable",
	"isConfigPendingRestart": false,
	"isDynamicConfig": true,
	"isReadOnly": false,
	"name": "connection_throttle.enable",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"source": "user-override",
	"systemData": null,
	"type": "Microsoft.DBforPostgreSQL/flexibleServers/configurations",
	"unit": null,
	"value": "on"
}

03 Repeat steps no. 1 and 2 for each PostgreSQL flexible server provisioned in the selected Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Feb 28, 2025

Related PostgreSQL rules