Disable Access from Azure Services to PostgreSQL Flexible Servers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that public access from Microsoft Azure cloud services to Azure PostgreSQL flexible database servers is disabled in order to secure access to your PostgreSQL databases.

Security

Enabling access from Microsoft Azure cloud services in the firewall configuration of a PostgreSQL flexible server allows connections from all Azure cloud resources, including resources deployed in other subscriptions. While this configuration may be suitable in certain scenarios, it is generally not recommended because it may pose security risks. To implement more granular access controls, set up firewall rules that permit connections only from specific network ranges, or use VNet rules to allow access only from designated virtual networks.


Audit

To determine if public access from Azure services to your PostgreSQL flexible database servers is disabled, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Azure Database for PostgreSQL - Flexible Server, and choose Apply to list only the Azure PostgreSQL flexible servers available in the selected subscription.

05 Click on the name (link) of the PostgreSQL flexible server that you want to examine.

06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected PostgreSQL server.

07 In the Firewall rules section, examine the Allow public access from any Azure service within Azure to this server setting checkbox. If the checkbox is checked (i.e., the setting is enabled), public access from Microsoft Azure services to the selected PostgreSQL flexible database server is not disabled.

08 Repeat steps no. 5 - 7 for each PostgreSQL flexible server deployed within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run postgres flexible-server list command (Windows/macOS/Linux) with custom output filters to list the names of all PostgreSQL flexible servers (and the name of their associated resource groups) available in the selected Azure subscription:

az postgres flexible-server list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return a table with requested PostgreSQL server information:

Name                     ResourceGroup
-----------------------  ------------------------------
cc-postgres-flexible-db  cloud-shell-storage-westeurope
cc-project5-flexible-db  cloud-shell-storage-westeurope

06 Run postgres flexible-server firewall-rule list command (Windows/macOS/Linux) with the name of the Azure PostgreSQL flexible server that you want to examine as the identifier parameter and custom output filters to determine if public access from Azure services to the selected server is disabled:

az postgres flexible-server firewall-rule list \
	--name cc-postgres-flexible-db \
	--resource-group cloud-shell-storage-westeurope \
	--query '[*].{"ruleName":name,"startIpAddress":startIpAddress,"endIpAddress":endIpAddress}'

07 The command output should return the name and the IP configuration for each firewall rule defined for the selected server:

[
	{
		"ruleName": "AllowAllAzureServicesAndResourcesWithinAzureIps_2025-2-4_10-30-00",
		"endIpAddress": "0.0.0.0",
		"startIpAddress": "0.0.0.0"
	}
]

If the firewall-rule list command output returns a firewall rule whose "ruleName" begins with AllowAllAzureServicesAndResourcesWithinAzureIps and whose "startIpAddress" and "endIpAddress" are both "0.0.0.0", as shown in the example above, public access from Microsoft Azure services to the selected PostgreSQL flexible database server is not disabled.

08 Repeat steps no. 6 and 7 for each PostgreSQL flexible server provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription available within your Microsoft Azure cloud account.

Remediation / Resolution

To disable public access from Microsoft Azure services to your PostgreSQL flexible database servers, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Azure Database for PostgreSQL - Flexible Server, and choose Apply to list only the Azure PostgreSQL flexible servers available in the selected subscription.

05 Click on the name (link) of the PostgreSQL flexible server that you want to configure.

06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected PostgreSQL server.

07 In the Firewall rules section, uncheck the Allow public access from any Azure service within Azure to this server setting checkbox to disable the feature and block all access from Microsoft Azure services to the selected Azure PostgreSQL flexible database server. Choose Save to apply the configuration changes. This disables public access from unwanted Azure cloud services.

08 Repeat steps no. 5 - 7 for each PostgreSQL flexible server deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run postgres flexible-server firewall-rule delete command (Windows/macOS/Linux) with the name of the Azure PostgreSQL flexible server that you want to configure as the identifier parameter to block all access from Microsoft Azure services to the selected PostgreSQL database server by deleting the "AllowAllAzureServicesAndResourcesWithinAzureIps" firewall rule:

az postgres flexible-server firewall-rule delete \
	--rule-name "AllowAllAzureServicesAndResourcesWithinAzureIps_2025-2-4_10-30-00" \
	--name cc-postgres-flexible-db \
	--resource-group cloud-shell-storage-westeurope

02 Type y and press Enter to confirm the operation and delete the specified firewall rule. This disables public access from unwanted Azure cloud services.

Are you sure you want to delete the firewall-rule 'AllowAllAzureServicesAndResourcesWithinAzureIps_2025-2-4_10-30-00' in server 'cc-postgres-flexible-db', resource group 'cloud-shell-storage-westeurope' (y/n): y

03 Repeat steps no. 1 and 2 for each PostgreSQL flexible server provisioned in the selected Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
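The audit condition from step 07 of the CLI audit and the delete command from step 01 of the CLI remediation, combined into a small script. This is an added example, not part of the Conformity page or of the Azure CLI; the rule list JSON is a constructed sample in the shape produced by the audit query above (in practice you would feed it the real output of az postgres flexible-server firewall-rule list), and the server and resource group names are the page's own sample values.

```python
import json

# Constructed sample in the shape returned by the audit's
# `az postgres flexible-server firewall-rule list --query ...` command:
# one portal-generated "allow Azure services" rule and one ordinary range.
SAMPLE_RULE_LIST = """
[
  {"ruleName": "AllowAllAzureServicesAndResourcesWithinAzureIps_2025-2-4_10-30-00",
   "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"ruleName": "office-egress",
   "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"}
]
"""

AZURE_SERVICES_RULE_PREFIX = "AllowAllAzureServicesAndResourcesWithinAzureIps"


def azure_services_rules(rule_list_json):
    """Return the names of rules that open the server to all Azure services.

    A rule is a finding when its name starts with the portal-generated prefix
    and both start and end address are 0.0.0.0, exactly the condition the
    audit step describes. Accepts the audit query's "ruleName" key as well as
    the raw "name" key the CLI returns when no --query is given."""
    findings = []
    for rule in json.loads(rule_list_json):
        name = rule.get("ruleName") or rule.get("name") or ""
        if (name.startswith(AZURE_SERVICES_RULE_PREFIX)
                and rule.get("startIpAddress") == "0.0.0.0"
                and rule.get("endIpAddress") == "0.0.0.0"):
            findings.append(name)
    return findings


def remediation_commands(server, resource_group, rule_list_json):
    """Build the firewall-rule delete command for every finding, mirroring the
    remediation step; --yes skips the interactive (y/n) confirmation prompt."""
    return [
        "az postgres flexible-server firewall-rule delete "
        f"--rule-name \"{name}\" --name {server} "
        f"--resource-group {resource_group} --yes"
        for name in azure_services_rules(rule_list_json)
    ]
```

Running azure_services_rules over each server's rule list gives you steps 06 and 07 of the audit for the whole subscription in one pass; review the generated delete commands before executing them.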

Publication date Feb 12, 2025