Ensure Azure MySQL Flexible Server is configured with private endpoint
Description
This policy checks whether an Azure MySQL Flexible Server is configured with a private endpoint, which is essential for securing the server's network connectivity. Without a private endpoint, the server may be exposed to the public internet, increasing the risk of unauthorized access. Configuring a private endpoint ensures that the server can only be accessed through a private IP address, reducing the attack surface. This is particularly important for databases that store sensitive data.
Code Example
```terraform
resource "azurerm_private_dns_zone" "example" {
  name                = "privatelink.mysql.database.azure.com"
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_mysql_flexible_server" "example" {
  name                   = "example-srv"
  resource_group_name    = azurerm_resource_group.example.name
  location               = azurerm_resource_group.example.location
  administrator_login    = "mysqladmin"                 # sample values
  administrator_password = var.mysql_admin_password
  sku_name               = "GP_Standard_D2ds_v4"
  version                = "8.0.21"
}

# The private endpoint is what ties the server to the VNet. Its
# private_service_connection block points at the server (subresource
# "mysqlServer"), and the private_dns_zone_group block registers the
# endpoint's private IP in the privatelink zone so the server FQDN
# resolves to it from inside the network.
resource "azurerm_private_endpoint" "example" {
  name                = "example-pe"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  subnet_id           = azurerm_subnet.example.id

  private_service_connection {
    name                           = "example-psc"
    private_connection_resource_id = azurerm_mysql_flexible_server.example.id
    is_manual_connection           = false
    subresource_names              = ["mysqlServer"]
  }

  private_dns_zone_group {
    name                 = "example-zg"
    private_dns_zone_ids = [azurerm_private_dns_zone.example.id]
  }
}
```
Remediation
Configure a private endpoint for the Azure MySQL Flexible Server by creating an azurerm_private_endpoint resource and connecting it to the server through its private_service_connection block, so that private_connection_resource_id references the server.
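The check behind this rule is a graph question: does some azurerm_private_endpoint target the server? The script below is an added illustration, not Checkov's own implementation, that answers it over plain Terraform HCL text with a small brace-matching scanner. It treats a server as compliant only when an azurerm_private_endpoint has a private_connection_resource_id expression that references that server's address; literal resource ID strings cannot be resolved statically and are ignored. The COMPLIANT_HCL and NONCOMPLIANT_HCL snippets are constructed sample inputs.

```python
"""Reference-based private endpoint check for azurerm_mysql_flexible_server.

Added illustration, not Checkov's implementation: scans Terraform HCL text and
flags any MySQL flexible server that no azurerm_private_endpoint targets via
private_connection_resource_id.
"""
import re

# resource "<type>" "<name>" {
RESOURCE_HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
# private_connection_resource_id = <expression>
CONNECTION_ID = re.compile(r'private_connection_resource_id\s*=\s*(\S+)')

SERVER_TYPE = "azurerm_mysql_flexible_server"
ENDPOINT_TYPE = "azurerm_private_endpoint"


def _block_body(text, open_brace):
    """Return the text between the brace at index open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unterminated block at offset %d" % open_brace)


def parse_resources(hcl):
    """Yield (type, name, body) for every top-level resource block in the HCL text."""
    for m in RESOURCE_HEADER.finditer(hcl):
        yield m.group(1), m.group(2), _block_body(hcl, m.end() - 1)


def check_private_endpoints(hcl):
    """Map each MySQL flexible server address to True (has a private endpoint) or False."""
    servers = {}
    targets = set()
    for rtype, name, body in parse_resources(hcl):
        if rtype == SERVER_TYPE:
            servers[f"{rtype}.{name}"] = False
        elif rtype == ENDPOINT_TYPE:
            for expr in CONNECTION_ID.findall(body):
                # "azurerm_mysql_flexible_server.db.id" -> "azurerm_mysql_flexible_server.db".
                # A quoted literal ID is not a reference and will never match a server address.
                targets.add(expr.rsplit(".", 1)[0])
    return {addr: addr in targets for addr in servers}


def failing_servers(hcl):
    """Sorted addresses of servers that would fail this rule."""
    return sorted(a for a, ok in check_private_endpoints(hcl).items() if not ok)


# Constructed sample: the endpoint's connection references the server -> passes.
COMPLIANT_HCL = '''
resource "azurerm_mysql_flexible_server" "db" {
  name = "db-srv"
}

resource "azurerm_private_endpoint" "db" {
  name      = "db-pe"
  subnet_id = azurerm_subnet.private.id

  private_service_connection {
    name                           = "db-psc"
    private_connection_resource_id = azurerm_mysql_flexible_server.db.id
    is_manual_connection           = false
    subresource_names              = ["mysqlServer"]
  }
}
'''

# Constructed sample: the only endpoint targets a storage account, so "db"
# fails, and "reporting" has no endpoint at all -> both fail.
NONCOMPLIANT_HCL = '''
resource "azurerm_mysql_flexible_server" "db" {
  name = "db-srv"
}

resource "azurerm_mysql_flexible_server" "reporting" {
  name = "reporting-srv"
}

resource "azurerm_private_endpoint" "blob" {
  name      = "blob-pe"
  subnet_id = azurerm_subnet.private.id

  private_service_connection {
    name                           = "blob-psc"
    private_connection_resource_id = azurerm_storage_account.logs.id
    is_manual_connection           = false
    subresource_names              = ["blob"]
  }
}
'''

if __name__ == "__main__":
    for label, hcl in (("compliant", COMPLIANT_HCL), ("noncompliant", NONCOMPLIANT_HCL)):
        print(label, check_private_endpoints(hcl))
```

The scanner only understands the reference form `azurerm_mysql_flexible_server.<name>.id`; a server whose ID is wired through a module output or a local would need the full Terraform graph (which is what Checkov's graph checks and a `terraform show -json` plan give you), so treat this as the shape of the check rather than a replacement for running the real policy.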
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0813 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | azurerm_mysql_flexible_server |
| Checkov ID | CKV2_AZURE_56 |