Enabling public network access to cloud resources can affect an organization’s ability to protect its data or internal operations from data theft
or disruption.
Depending on the component, inbound access from the Internet can be enabled via:
- a boolean value that explicitly allows access to the public network.
- the assignment of a public IP address.
- database firewall rules that allow public IP ranges.
Deciding to allow public access may happen for various reasons such as for quick maintenance, time saving, or by accident.
This decision increases the likelihood of attacks on the organization, such as:
- data breaches.
- intrusions into the infrastructure to permanently steal from it.
- and various malicious traffic, such as DDoS attacks.
Ask Yourself Whether
This cloud resource:
- should be publicly accessible to any Internet user.
- requires inbound traffic from the Internet to function properly.
There is a risk if you answered no to any of those questions.
Recommended Secure Coding Practices
Avoid publishing cloud services on the Internet unless they are intended to be publicly accessible, such as customer portals or e-commerce
sites.
Use private networks (and associated private IP addresses) and VPC peering or other secure communication tunnels to communicate with other cloud
components.
The goal is to prevent the component from intercepting traffic coming in via the public IP address. If the cloud resource does not support the
absence of a public IP address, assign a public IP address to it, but do not create listeners for the public IP address.
Sensitive Code Example
Using publicNetworkAccess
to control access to resources:
resource exampleSite 'Microsoft.Web/sites@2020-12-01' = {
name: 'example-site'
properties: {
publicNetworkAccess: 'Enabled'
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"name": "example-site",
"properties": {
"siteConfig": {
"publicNetworkAccess": "Enabled"
}
}
}
]
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"name": "example",
"resources": [
{
"type": "config",
"apiVersion": "2020-12-01",
"name": "example-config",
"properties": {
"publicNetworkAccess": "Enabled"
}
}
]
}
]
}
Using IP address ranges to control access to resources:
resource exampleFirewall 'Microsoft.Sql/servers/firewallRules@2014-04-01' = {
name: 'example-firewall'
properties: {
startIpAddress: '0.0.0.0'
endIpAddress: '255.255.255.255'
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2014-04-01",
"name": "example-firewall",
"properties": {
"startIpAddress": "0.0.0.0",
"endIpAddress": "255.255.255.255"
}
}
]
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2014-04-01",
"name": "example-database",
"resources": [
{
"type": "firewallRules",
"apiVersion": "2014-04-01",
"name": "example-firewall",
"properties": {
"startIpAddress": "0.0.0.0",
"endIpAddress": "255.255.255.255"
}
}
]
}
]
}
Compliant Solution
Using publicNetworkAccess
to control access to resources:
resource exampleSite 'Microsoft.Web/sites@2020-12-01' = {
name: 'example-site'
properties: {
publicNetworkAccess: 'Disabled'
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"name": "example-site",
"properties": {
"siteConfig": {
"publicNetworkAccess": "Disabled"
}
}
}
]
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2020-12-01",
"name": "example-site",
"resources": [
{
"type": "config",
"apiVersion": "2020-12-01",
"name": "example-config",
"properties": {
"publicNetworkAccess": "Disabled"
}
}
]
}
]
}
Using IP address ranges to control access to resources:
resource exampleFirewall 'Microsoft.Sql/servers/firewallRules@2014-04-01' = {
name: 'example-firewall'
properties: {
startIpAddress: '192.168.0.0'
endIpAddress: '192.168.255.255'
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2014-04-01",
"name": "example-firewall",
"properties": {
"startIpAddress": "192.168.0.0",
"endIpAddress": "192.168.255.255"
}
}
]
}
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Sql/servers",
"apiVersion": "2014-04-01",
"name": "example-database",
"resources": [
{
"type": "firewallRules",
"apiVersion": "2014-04-01",
"name": "example-firewall",
"properties": {
"startIpAddress": "192.168.0.0",
"endIpAddress": "192.168.255.255"
}
}
]
}
]
}
See