PostgreSQL Database ingress traffic should be restricted to specified IP addresses


Description

Ensure that no PostgreSQL Databases allow ingress from 0.0.0.0/0 (ANY IP).

Rationale

The PostgreSQL server includes a firewall that blocks connections from unauthorized sources. More granular rules can be defined by referencing the IP address ranges published for specific datacenters, rather than opening the server to every address.

Impact

Disabling Allow access to Azure Services will break all connections to the PostgreSQL server and its hosted databases unless IP-specific custom rules are added to the firewall policy.

Remediation

From the console

  1. Go to PostgreSQL servers
  2. For each PostgreSQL server, click on Firewall / Virtual Networks
  3. Set Allow access to Azure services to OFF
  4. Set firewall rules to limit access to only authorized connections

Using PowerShell

Disable default firewall rule “Allow access to Azure services”:

Remove-AzPostgreSqlFirewallRule -Name "AllowAllWindowsAzureIps" -ResourceGroupName <resource group name> -ServerName <server name>

Remove custom firewall rule:

Remove-AzPostgreSqlFirewallRule -Name <name> -ResourceGroupName <resource group name> -ServerName <server name>

Set the appropriate firewall rules:

New-AzPostgreSqlFirewallRule -Name "<rule name>" -ResourceGroupName "<resource group name>" -ServerName "<server name>" -EndIPAddress "<IP Address other than 0.0.0.0>" -StartIPAddress "<IP Address other than 0.0.0.0 or 255.255.255.255>"
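The check this rule describes, evaluated offline over a server's firewall rule list, as an added example that is not part of the original page or of any Azure tooling. It assumes the rule shape returned by the Azure REST API and CLI (`name`, `startIpAddress`, `endIpAddress`); the sample rules, the `max_hosts` threshold and the `audit_*` function names are constructed for this example. It flags the 0.0.0.0/0 case the description targets, the 0.0.0.0-0.0.0.0 rule that encodes "Allow access to Azure services" (named AllowAllWindowsAzureIps in the PowerShell above), and, going beyond the page, ranges wider than a configurable limit and inverted ranges.

```python
"""Audit Azure PostgreSQL server firewall rules for unrestricted ingress.

Added example, not the page's or Azure's own code. Rule dicts follow the
REST/CLI JSON shape (name, startIpAddress, endIpAddress) as an assumption;
the sample data below is constructed.
"""
import ipaddress
import json

ANY_START = ipaddress.IPv4Address("0.0.0.0")
ANY_END = ipaddress.IPv4Address("255.255.255.255")

# Azure's name for the "Allow access to Azure services" rule (from the page);
# its address range is 0.0.0.0-0.0.0.0, which is what we match on.
AZURE_SERVICES_RULE = "AllowAllWindowsAzureIps"

# Constructed sample, modelled on `az postgres server firewall-rule list` output.
SAMPLE_RULES_JSON = """
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "AllowAll", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "partner-range", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"},
  {"name": "typo-range", "startIpAddress": "198.51.100.50", "endIpAddress": "198.51.100.20"},
  {"name": "half-internet", "startIpAddress": "1.0.0.0", "endIpAddress": "200.0.0.0"}
]
"""


def load_rules(json_text):
    """Parse a JSON list of firewall rules into dicts."""
    return json.loads(json_text)


def audit_rule(rule, max_hosts=256):
    """Return the reasons a rule violates the policy ([] if it is compliant).

    max_hosts is a hypothetical threshold for "authorized connections only";
    pick the value that matches your own definition of an acceptable range.
    """
    reasons = []
    try:
        start = ipaddress.IPv4Address(rule["startIpAddress"])
        end = ipaddress.IPv4Address(rule["endIpAddress"])
    except (KeyError, ValueError) as exc:
        return [f"unparseable rule: {exc}"]

    # An inverted range matches nothing; it is a misconfiguration worth surfacing.
    if start > end:
        return ["start address is greater than end address"]

    if start == ANY_START and end == ANY_END:
        reasons.append("allows ingress from 0.0.0.0/0 (ANY IP)")
    elif start == ANY_START and end == ANY_START:
        reasons.append("0.0.0.0-0.0.0.0 enables 'Allow access to Azure services'")

    # Beyond the page: flag ranges wider than the configured limit.
    hosts = int(end) - int(start) + 1
    if hosts > max_hosts:
        reasons.append(f"range covers {hosts} addresses (limit {max_hosts})")
    return reasons


def audit_server(rules, max_hosts=256):
    """Map each non-compliant rule name to its list of reasons."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule, max_hosts)
        if reasons:
            findings[rule.get("name", "<unnamed>")] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_server(load_rules(SAMPLE_RULES_JSON)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

In practice the JSON would come from the CLI or REST API for each server; the audit logic itself does not need network access, so it can run in CI or a scheduled compliance job against exported rule lists.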

References

  1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules