
Ensure no Azure SQL Databases allow ingress from ARG_0

Why This Matters

Azure SQL Server's default firewall configuration allows any Azure service to connect, which effectively bypasses network access controls. This means an attacker can create a virtual machine in any Azure subscription or region and launch brute-force attacks against your SQL databases. By restricting ingress to specific IP ranges, you significantly reduce the attack surface and protect your data from unauthorized access.

What Aether365 Checks

Aether365 verifies that your Azure SQL Server firewall rules do not allow ingress from any Azure service (StartIp of 0.0.0.0 and EndIp of 0.0.0.0) or from the entire internet (StartIp of 0.0.0.0 and EndIp of 255.255.255.255). This check appears in the Aether365 dashboard under the azure-azure-sql-firewall category.
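
One way to reproduce this check offline, as an added example rather than Aether365's own code: it evaluates rules in the JSON shape returned by `az sql server firewall-rule list`. The sample rules, the function names and the finding labels are constructed for illustration.

```python
import ipaddress
import json

ANY = ipaddress.IPv4Address("0.0.0.0")
ALL = ipaddress.IPv4Address("255.255.255.255")

# Constructed sample, shaped like `az sql server firewall-rule list -o json` output.
SAMPLE_RULES = json.loads("""[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "temp-debug", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"}
]""")


def classify_rule(rule):
    """Return a finding label (hypothetical names) for a rejected rule, else None."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    # Match on the addresses, not the rule name: the name is free text and
    # a renamed rule with the same range grants the same access.
    if start == ANY and end == ANY:
        return "any-azure-service"
    if start == ANY and end == ALL:
        return "entire-internet"
    return None


def check_server(rules):
    """Evaluate every firewall rule on one server; pass only if none is rejected."""
    findings = [
        {"rule": r["name"], "reason": reason}
        for r in rules
        if (reason := classify_rule(r)) is not None
    ]
    return {"passed": not findings, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(check_server(SAMPLE_RULES), indent=2))
```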
