| Plugin Title | SQL Server Public Access |
| Cloud | AZURE |
| Category | SQL Server |
| Description | Ensures that SQL Servers do not allow public access |
| More Info | Unless there is a specific business requirement, SQL Server instances should not have a public endpoint and should only be accessed from within a VNET. |
| AZURE Link | https://docs.microsoft.com/en-us/azure/sql-database/sql-database-security-overview/ |
| Recommended Action | Ensure that the firewall of each SQL Server is configured to prohibit traffic from the public 0.0.0.0 global IP address. |
- Log into the Microsoft Azure Management Console.
- Select the "Search resources, services, and docs" option at the top and search for SQL servers.
- On the "SQL server" page, select the SQL server that needs to be examined.
- On the selected "SQL server" page, scroll down the left navigation panel and select " Firewalls and virtual networks" under the "Security" column.
- On the "Firewalls and virtual networks" page, if "Allow Azure services and resources to access this server" is "ON" then the selected "SQL server" allow public access.
- Repeat steps number 2 - 5 to verify other "SQL servers" in the account.
- Navigate to "SQL servers", on the "SQL servers" page select the "SQL server", scroll down the left navigation panel and choose "Firewalls and virtual networks" under the "Security."
- On the "Firewalls and virtual networks" page, click on the "OFF" option next to the "Allow Azure services and resources to access this server" and "Save" the changes.
- If no "VNET" is configured, scroll down the page and click on the "Add existing virtual network".
- On the "Create/Update" page, select the "Subscription", "Virtual network", "Subnet name" and click on "OK" at the bottom of the page.
- Click on the "Save" button to make the changes.
- Repeat steps number 7 - 11 to ensure that the firewall of each SQL Server is configured to prohibit traffic from the public 0.0.0.0 global IP address.
