Verify that 'Allow access to Azure services' for PostgreSQL Database Server is disabled

Last updated: April 9, 2026

Framework Reference: 7.7 Network Access Restrictions – Azure PostgreSQL (Level 1)

Why this matters

The setting Allow access to Azure services adds a firewall rule that permits connections to the PostgreSQL server from any Azure-owned public IP address, regardless of which subscription or tenant the connecting resource belongs to.

If enabled:

  • Any Azure resource (including those outside your subscription) may attempt to connect

  • Network exposure increases significantly

  • Segmentation boundaries are weakened

  • Risk of lateral movement or unauthorized access increases

This configuration is overly permissive in most environments. Best practice is to:

  • Define specific firewall rules for trusted IP ranges, or

  • Use VNet integration and private endpoints

Access should be explicitly scoped—not broadly trusted.


What this check does

This Auto Check verifies that PostgreSQL servers do not allow unrestricted access from all Azure services.

Check Logic

Passes if:

  • The firewall does not contain a rule named AllowAllWindowsAzureIps, and

  • No firewall rule has both startIpAddress = 0.0.0.0 and endIpAddress = 0.0.0.0 (the range Azure uses to represent "all Azure services", whatever the rule is named).

Fails if:

  • The AllowAllWindowsAzureIps rule exists, or

  • A firewall rule spans 0.0.0.0 to 0.0.0.0.

Applies to:

  • Azure Database for PostgreSQL – Single Server

  • Azure Database for PostgreSQL – Flexible Server

The check evaluates firewall rules via Azure management APIs.
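The check logic above, applied to the JSON that `az postgres server firewall-rule list -o json` returns, as an added example written for this page (not the Auto Check's own code). The server names and rule data are constructed; as an extension beyond the page's stated logic, a rule spanning 0.0.0.0 to 255.255.255.255 (every IPv4 address, not just Azure) is also reported.

```python
import json

# Name Azure assigns to the "Allow access to Azure services" firewall rule.
AZURE_SERVICES_RULE = "AllowAllWindowsAzureIps"


def evaluate_firewall_rules(server, rules):
    """Apply the check logic to one server's firewall rules.

    `rules` is the parsed JSON array from the CLI (fields: name,
    startIpAddress, endIpAddress). Returns a list of (server, rule, reason)
    findings; an empty list means the check passes.
    """
    findings = []
    for rule in rules:
        name = rule.get("name", "")
        start = rule.get("startIpAddress", "")
        end = rule.get("endIpAddress", "")
        if name == AZURE_SERVICES_RULE:
            findings.append((server, name, "AllowAllWindowsAzureIps rule exists"))
        elif start == "0.0.0.0" and end == "0.0.0.0":
            # Same effect as the named rule, even when created under another name.
            findings.append((server, name, "rule spans 0.0.0.0-0.0.0.0 (all Azure services)"))
        elif start == "0.0.0.0" and end == "255.255.255.255":
            # Extension beyond the page's logic: open to every IPv4 address.
            findings.append((server, name, "rule spans all IPv4 addresses"))
    return findings


def check_passes(server, rules):
    return not evaluate_firewall_rules(server, rules)


# Constructed sample output for two servers, shaped like the CLI's JSON.
SAMPLE_RULES = json.loads("""
{
  "pg-prod-01": [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"}
  ],
  "pg-prod-02": [
    {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"}
  ]
}
""")

if __name__ == "__main__":
    for server, rules in SAMPLE_RULES.items():
        print(f"{server}: {'PASS' if check_passes(server, rules) else 'FAIL'}")
        for _, rule, reason in evaluate_firewall_rules(server, rules):
            print(f"  - {rule}: {reason}")
```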


How to fix it

Disable broad Azure service access and restrict network access properly.


Azure Portal

  1. Log in to https://portal.azure.com.

  2. Navigate to Azure Database for PostgreSQL servers.

  3. Select the PostgreSQL server.

  4. Click Connection security.

  5. Under Firewall rules, set Allow access to Azure services to No.

  6. Click Save.

  7. Repeat for each server.


Azure CLI

List firewall rules:

az postgres server firewall-rule list \
  --resource-group <resourceGroupName> \
  --server-name <serverName>

Delete the broad access rule:

az postgres server firewall-rule delete \
  --name AllowAllWindowsAzureIps \
  --resource-group <resourceGroupName> \
  --server-name <serverName>

Replace <resourceGroupName> and <serverName> with the values for your environment, and run the delete command against each server where the rule exists.


Default value

The PostgreSQL firewall blocks all access by default unless explicitly configured.


Impact

  • Azure resources will no longer automatically connect to the database.

  • Applications must connect via:

      ◦ Explicit firewall IP rules, or

      ◦ VNet rules / Private Endpoints

  • Improper remediation without network planning may cause connectivity failures.


Exceptions

In rare cases where broad Azure access is temporarily required:

  • Document business justification.

  • Implement compensating controls such as:

      ◦ Strict identity-based access controls

      ◦ Monitoring and logging

      ◦ Network segmentation

Unrestricted Azure-wide access should not be a permanent configuration.


References

  1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules

  2. https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli 

  3. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-1-establish-network-segmentation-boundaries 

  4. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-6-deploy-web-application-firewall