Verify that 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
Why this matters
Enforcing SSL connections ensures that data transmitted between client applications and the PostgreSQL database server is encrypted in transit. This protects sensitive information—such as credentials and query data—from interception or tampering by malicious actors.
Without SSL enforcement, unencrypted traffic may be vulnerable to "man-in-the-middle" (MitM) attacks, exposing organizations to both operational and compliance risks. Enabling this setting is a foundational control for maintaining secure data flows in cloud environments.
What this check does
This Auto Check verifies whether SSL enforcement is enabled on the PostgreSQL server.
Check Logic:
Passes if:
- The sslEnforcement parameter is set to Enabled.
Fails if:
- The parameter is unset, null, or set to Disabled.
Applies to:
- Azure PostgreSQL Single Server
- Azure PostgreSQL Flexible Server
The check queries the SSL enforcement setting via Azure's management API.
How to fix it
Use the Azure Portal, CLI, or PowerShell to enforce SSL connections.
Azure Portal:
- Go to your PostgreSQL server in the Azure Portal.
- Navigate to Connection security.
- Locate the Enforce SSL connection setting.
- Set it to Enabled and click Save.
Azure CLI:
az postgres server update \
  --resource-group <resourceGroupName> \
  --name <serverName> \
  --ssl-enforcement Enabled
PowerShell:
Update-AzPostgreSqlServer `
  -ResourceGroupName "<ResourceGroupName>" `
  -ServerName "<ServerName>" `
  -SslEnforcement Enabled
Replace the placeholders with values relevant to your Azure deployment.
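To apply the check logic across many servers at once, the following added example (not part of the original check or of any Azure tooling) evaluates exported server records and builds the Azure CLI fix shown above for each failing one. It assumes the records have the shape of `az postgres server list --output json` with top-level name, resourceGroup and sslEnforcement keys; the server names and resource groups are constructed sample data.

```python
import json
import shlex

# Constructed sample; assumed shape of `az postgres server list --output json`.
SAMPLE_JSON = """[
  {"name": "pg-prod-01", "resourceGroup": "rg-data", "sslEnforcement": "Enabled"},
  {"name": "pg-legacy", "resourceGroup": "rg-data", "sslEnforcement": "Disabled"},
  {"name": "pg-test", "resourceGroup": "rg-dev", "sslEnforcement": null},
  {"name": "pg-scratch", "resourceGroup": "rg-dev(old)"}
]"""


def evaluate(server):
    """Apply the check logic to one record; anything but 'Enabled' fails."""
    if "sslEnforcement" not in server:
        return False, "sslEnforcement is unset"
    value = server["sslEnforcement"]
    if value == "Enabled":
        return True, "sslEnforcement is Enabled"
    return False, "sslEnforcement is " + ("null" if value is None else repr(value))


def remediation(server):
    """Build the page's Azure CLI fix, shell-quoting the two names."""
    return (
        "az postgres server update"
        f" --resource-group {shlex.quote(server['resourceGroup'])}"
        f" --name {shlex.quote(server['name'])}"
        " --ssl-enforcement Enabled"
    )


def audit(servers):
    """Return one finding per server; 'fix' is None when the check passes."""
    findings = []
    for server in servers:
        passed, reason = evaluate(server)
        fix = None if passed else remediation(server)
        findings.append({"name": server["name"], "passed": passed,
                         "reason": reason, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit(json.loads(SAMPLE_JSON)):
        print("PASS" if f["passed"] else "FAIL", f["name"], "-", f["reason"])
        if f["fix"]:
            print("    fix:", f["fix"])
```

The evaluation fails closed: a missing key, a null, or any value other than the exact string Enabled is reported as a failure, matching the "Fails if" rule.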
Exceptions
No standard exceptions are recommended. If SSL enforcement must be disabled for application compatibility, document the business justification and implement compensating controls such as application-level encryption or private networking.