Sometimes I run into things in cloud that really just blow my mind away. Not that long ago I learned how you can give everyone in Azure, no matter what subscription or region they are in, an access to your database. And it was super easy too. It’s just one click to allow whole (Azure) world to start accessing your data.
Is this something I wanted to do, or would I recommend anyone to do it? No, not really. Also the documentation around this particular setting was less than great, so I decided to share what I learned.
Getting to know your enemy
The setting in question is one that you can find from Firewall settings when managing Azure SQL Database, the PaaS version. It’s also there for all the other PaaS databases, like Azure Database for PostgreSQL and MySQL.
It’s called: “Allow Azure services and resources to access this server” and it’s just a click of a button to turn it on.
Originally that didn’t sound too ominous, I mean we all want our databases to be accessed by the applications, right? And if that was somehow dangerous setting, certainly there would be some warnings around this right? I decided to look at the official documentation then.
I found this option explained in at least 3 different places, and most of the explanations were slightly different. Here’s all of them from least horrifying to most horrifying.
This page called: “Quickstart: Create a server-level firewall rule for single and pooled databases using the Azure portal” didn’t really make it seem too bad. Naturally all our Azure services should be allowed access. However something on that wording seemed weird, so I dug a little deeper.
The next documentation had some hair on back of my neck already standing up.
This page called: “Use virtual network service endpoints and rules for database servers” was already saying that hey, there might be some excessive access here. It also said something along the lines of ranged defined for Azure data centers. So maybe that meant that everyone in the same data center is able to access your data? That does sound bit excessive for sure!
Luckily there was one more documentation to be found!
The page called: “Azure SQL Database and Azure SQL Data Warehouse IP firewall rules” points out that this setting allows all connections from Azure. Now I was properly terrified about this setting, but I was left wondering..
Why does it exist?
I honestly don’t know, however I’ve seen more than few mentions saying that this is required for some services like Data Sync in Azure. If so, then this does seem like kind of lazy approach, like giving your monitoring software sysadmin permissions because you didn’t bother figuring out what privileges are actually needed.
Not that I’ve ever done that myself.
Also things do change quite often and quickly in the cloud, f.ex. these days there are already some new options in database firewalls.
Unfortunately the links next to buttons don’t actually work at the moment, but you can find information about the connectivity architecture from here and information about the Deny public network access from here. Basically that is the setting to only allow access via private endpoints.
What did I learn from this?
To find multiple sources to verify the information from. As things keep evolving in ever increasing speed not all the information always gets updated in the same cycle, and when you have multiple sources some will always be more accurate than others.
Also, while cloud platforms are designed to be secure, it only takes one person to make the services hosted there less so.