Verify that no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)

Framework Reference: A.8.23 Integration: Azure – SQL Server

Why this matters

Allowing public ingress from 0.0.0.0/0 (any IP) exposes your SQL database to the entire internet, drastically increasing the attack surface and risk of unauthorized access. Tightening firewall rules to restrict access to known IP ranges is essential to maintain a secure network perimeter and meet compliance requirements.


What this check does

This Auto Check verifies that no server-level firewall rule is configured with a start address of 0.0.0.0, an end address of 255.255.255.255, or the name AllowAllWindowsAzureIps (the rule created by the "Allow Azure services" toggle). Any such rule grants ingress from 0.0.0.0/0 or from every Azure tenant rather than from your own known IP ranges.

Check Logic

Passes if:

  • No firewall rule allows StartIpAddress = 0.0.0.0
  • No rule ends at EndIpAddress = 255.255.255.255
  • Rule name is not AllowAllWindowsAzureIps

Fails if:

  • Any rule allows full public ingress (e.g. 0.0.0.0/0)

Applies to:

  • Azure SQL Server
  • Azure SQL Database
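The pass/fail logic above, implemented as an added example (not the Auto Check's own code) over a constructed sample in the shape of `az sql server firewall-rule list` output; the rule names and addresses are made up, and the helper also emits the matching `az` delete command for each flagged rule:

```python
import ipaddress
import json

# Constructed sample in the shape of `az sql server firewall-rule list` output
# (only the fields the check reads; names and addresses are made up).
SAMPLE_RULES_JSON = """
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "everyone", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "office-vpn", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
  {"name": "upper-half", "startIpAddress": "128.0.0.0", "endIpAddress": "255.255.255.255"}
]
"""

OPEN_START = ipaddress.IPv4Address("0.0.0.0")
OPEN_END = ipaddress.IPv4Address("255.255.255.255")
AZURE_SERVICES_RULE = "AllowAllWindowsAzureIps"


def load_rules(text):
    return json.loads(text)


def evaluate_rules(rules):
    """Return (rule_name, reason) for every condition in the check logic a rule violates."""
    findings = []
    for rule in rules:
        # ipaddress parsing rejects malformed values instead of silently passing them
        start = ipaddress.IPv4Address(rule["startIpAddress"])
        end = ipaddress.IPv4Address(rule["endIpAddress"])
        if rule["name"] == AZURE_SERVICES_RULE:
            findings.append((rule["name"], "rule name is AllowAllWindowsAzureIps"))
        if start == OPEN_START:
            findings.append((rule["name"], "StartIpAddress is 0.0.0.0"))
        if end == OPEN_END:
            findings.append((rule["name"], "EndIpAddress is 255.255.255.255"))
    return findings


def check_passes(rules):
    return not evaluate_rules(rules)


def remediation_commands(findings, resource_group, server):
    """One `az sql server firewall-rule delete` per flagged rule, as in the fix section."""
    return [f'az sql server firewall-rule delete --resource-group {resource_group} '
            f'--server {server} --name "{name}"'
            for name in sorted({name for name, _ in findings})]


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES_JSON)
    for name, reason in evaluate_rules(rules):
        print(f"FAIL {name}: {reason}")
    print("\n".join(remediation_commands(evaluate_rules(rules), "<resourceGroupName>", "<sqlServerName>")))
```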

How to fix it

Azure Portal

  • Go to SQL servers
  • Select the server
  • Navigate to Networking
  • Uncheck Allow Azure services and resources to access this server
  • Delete any firewall rule where:
      • Start IP = 0.0.0.0
      • End IP = 255.255.255.255
      • Rule name is AllowAllWindowsAzureIps

Azure CLI

# Delete the default open access rule
az sql server firewall-rule delete \
  --resource-group <resourceGroupName> \
  --server <sqlServerName> \
  --name "AllowAllWindowsAzureIps"

# Delete any custom wide-open rules
az sql server firewall-rule delete \
  --resource-group <resourceGroupName> \
  --server <sqlServerName> \
  --name <customRuleName>

# Create a more restrictive firewall rule
az sql server firewall-rule create \
  --resource-group <resourceGroupName> \
  --server <sqlServerName> \
  --name <secureRuleName> \
  --start-ip-address "<allowedStartIP>" \
  --end-ip-address "<allowedEndIP>"

PowerShell

# Remove insecure rules
Remove-AzSqlServerFirewallRule `
  -FirewallRuleName "AllowAllWindowsAzureIps" `
  -ResourceGroupName <resourceGroupName> `
  -ServerName <sqlServerName>

Remove-AzSqlServerFirewallRule `
  -FirewallRuleName "<customRuleName>" `
  -ResourceGroupName <resourceGroupName> `
  -ServerName <sqlServerName>

# Add secure rule (New-AzSqlServerFirewallRule creates the rule;
# Set-AzSqlServerFirewallRule only updates one that already exists)
New-AzSqlServerFirewallRule `
  -ResourceGroupName <resourceGroupName> `
  -ServerName <sqlServerName> `
  -FirewallRuleName "<secureRuleName>" `
  -StartIpAddress "<allowedStartIP>" `
  -EndIpAddress "<allowedEndIP>"


Exceptions

No technical exceptions. In rare Dev/Test scenarios, public access may be temporarily allowed but must be removed before production. All exceptions must be time-boxed and documented.

