Azure SQL Database server not configured with private endpoint
Description
This policy checks whether Azure SQL database servers are configured with private endpoints. Private endpoint connections are essential for ensuring secure communication, establishing exclusive, private connectivity to Azure Database for SQL. Configuring a private endpoint ensures access only from recognized networks, preventing entry from potentially malicious or unknown IP addresses, including those within Azure. It is recommended to establish a private endpoint to enhance the security of communication for your Azure SQL database.
Code Example
resource "azurerm_private_endpoint" "example" {
name = "example-endpoint"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
subnet_id = azurerm_subnet.example.id
private_service_connection {
name = "example-connection"
is_manual_connection = false
private_connection_resource_id = azurerm_sql_server.example.id
subresource_name = "sqlServer"
}
}
resource "azurerm_sql_server" "example" {
...
}Remediation
Terraform
- Resource: azurerm_mssql_server, azurerm_private_endpoint
- Arguments: private_connection_resource_id
To fix this issue and establish secure communication with your network, configure your Microsoft SQL server with a private endpoint. This ensures that your server is not publicly accessible and can only be accessed from within your virtual network.
The following is a script to create a Microsoft SQL server with a private endpoint.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0802 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AZURE_45 |