Azure Database for MySQL server not configured with private endpoint
Description
This policy checks whether Azure Database for MySQL servers are configured with a private endpoint. A private endpoint places a network interface for the server inside your own virtual network, so clients reach the server over a private IP address on the Microsoft backbone instead of its public endpoint. Together with disabling public network access on the server, this restricts connectivity to networks you control and blocks connections from unknown or malicious addresses, including resources in other Azure tenants. It is recommended to configure a private endpoint to secure communication with your Azure MySQL database.
Code Example
```hcl
resource "azurerm_mysql_server" "example" {
  name = "example-mysql-server"
  //...
}

# The private endpoint creates a NIC in the given subnet and links it to the server.
resource "azurerm_private_endpoint" "example" {
  name                = "example-private-endpoint"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.example.id

  private_service_connection {
    name = "example-privateserviceconnection"
    # Must reference the MySQL server's resource id; this is what the check looks for.
    private_connection_resource_id = azurerm_mysql_server.example.id
    # Sub-resource (group id) for Azure Database for MySQL.
    subresource_name     = "mysqlServer"
    is_manual_connection = false
  }
}
```
Remediation
Terraform
- Resource: azurerm_mysql_server, azurerm_private_endpoint
- Arguments: private_connection_resource_id
To fix this issue, add an azurerm_private_endpoint whose private_service_connection block sets private_connection_resource_id to the id of the azurerm_mysql_server and subresource_name to "mysqlServer". The private endpoint by itself does not close the server's public endpoint, so also set public_network_access_enabled = false on the server, and link a privatelink.mysql.database.azure.com private DNS zone to the virtual network so that the server's hostname resolves to the private IP address from inside the network.
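The following is a complete, added example of the remediated configuration; it is not taken from the rule's own page or from the Checkov project. Resource names, the address ranges, and the mysql_admin_password variable are assumptions made for illustration. It extends the minimal fix above by disabling public network access on the server and wiring up the private DNS zone, without which clients inside the virtual network would keep resolving the public address.

```hcl
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Hypothetical password variable; supplied out of band, never hard-coded.
variable "mysql_admin_password" {
  type      = string
  sensitive = true
}

resource "azurerm_resource_group" "example" {
  name     = "rg-mysql-private"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-mysql"
  address_space       = ["10.10.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Subnet that hosts the private endpoint NIC (address range is an assumption).
resource "azurerm_subnet" "endpoints" {
  name                 = "snet-private-endpoints"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.10.1.0/24"]
}

resource "azurerm_mysql_server" "example" {
  name                = "example-mysql-server"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  administrator_login          = "mysqladmin"
  administrator_login_password = var.mysql_admin_password

  # Private Link is only available on the General Purpose and Memory Optimized tiers.
  sku_name   = "GP_Gen5_2"
  storage_mb = 5120
  version    = "8.0"

  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"

  # The private endpoint does not close the public endpoint on its own; this does.
  public_network_access_enabled = false
}

# Private DNS zone so <server>.mysql.database.azure.com resolves to the private IP in the VNet.
resource "azurerm_private_dns_zone" "mysql" {
  name                = "privatelink.mysql.database.azure.com"
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "mysql" {
  name                  = "vnet-mysql-link"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.mysql.name
  virtual_network_id    = azurerm_virtual_network.example.id
}

resource "azurerm_private_endpoint" "mysql" {
  name                = "pe-mysql"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.endpoints.id

  private_service_connection {
    name                           = "psc-mysql"
    private_connection_resource_id = azurerm_mysql_server.example.id
    subresource_name               = "mysqlServer"
    is_manual_connection           = false
  }

  # Registers the endpoint's private IP in the zone above automatically.
  private_dns_zone_group {
    name                 = "mysql-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.mysql.id]
  }
}
```

Run `checkov -d . --check CKV2_AZURE_44` against this directory to confirm the rule passes; remove the azurerm_private_endpoint block (or point private_connection_resource_id at a different resource) to see it fail. Keep the server and the endpoint in the same Terraform configuration or plan, since the check relies on the reference between the two resources.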
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0801 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_44 |