Azure MySQL firewall allows public access
Description
AlphaSOC detected configuration of an Azure MySQL Flexible Server firewall rule
that allows access from the entire internet via
Microsoft.DBforMySQL/flexibleServers/firewallRules/write. This is identified
by firewall rules with names matching the pattern AllowAll_*, which permit
connections from any IP address.
Exposing a database to the public internet is a significant security risk. This configuration allows authentication attempts from any IP address, making the database vulnerable to brute force attacks, exploitation of database vulnerabilities, and unauthorized access if credentials are compromised.
Impact
Public internet exposure of database services dramatically increases attack surface. The database becomes vulnerable to automated scanning, brute force attacks, and exploitation from any location. Data breaches, ransomware attacks targeting databases, and regulatory compliance violations may result.
Severity
| Severity | Condition |
|---|---|
| Medium | MySQL firewall rule allows public access |
Investigation and Remediation
Immediately review Azure Activity logs to identify who created the public access rule. Determine if there is any legitimate business justification, which is rare for production databases.
Remove the public access firewall rule immediately unless there is documented, approved justification. Implement specific IP restrictions or use Private Link for secure connectivity. Audit database access logs for unauthorized authentication attempts and review any connections that occurred during the exposure window.
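The following added example (not AlphaSOC's detection code) shows how the Activity Log review described above can be scripted: it scans constructed Activity Log records for the firewallRules/write operation, flags rules whose name matches AllowAll_* and, going one step beyond the name check, rules whose request body spans 0.0.0.0 to 255.255.255.255, and returns who created each one and when. The record shape (operationName, resourceId, caller, requestBody with startIpAddress/endIpAddress) is a simplified assumption about exported Activity Log JSON.

```python
import fnmatch
import ipaddress

# Operation the detection keys on (from the advisory).
FIREWALL_WRITE_OP = "Microsoft.DBforMySQL/flexibleServers/firewallRules/write"
# Rule-name pattern from the advisory; matched case-insensitively below.
PUBLIC_RULE_GLOB = "AllowAll_*"

def rule_name_from_resource_id(resource_id):
    """Firewall rule resource IDs end in .../firewallRules/<ruleName>."""
    parts = resource_id.rstrip("/").split("/")
    if len(parts) >= 2 and parts[-2].lower() == "firewallrules":
        return parts[-1]
    return None

def covers_whole_internet(start_ip, end_ip):
    """True when the rule's range is 0.0.0.0-255.255.255.255 (any IPv4 source)."""
    try:
        return (ipaddress.ip_address(start_ip) == ipaddress.ip_address("0.0.0.0")
                and ipaddress.ip_address(end_ip) == ipaddress.ip_address("255.255.255.255"))
    except ValueError:  # missing or malformed address in the request body
        return False

def find_public_access_rule_writes(events):
    """Return one finding per firewall-rule write that opens the server to the internet."""
    findings = []
    for ev in events:
        if ev.get("operationName") != FIREWALL_WRITE_OP or ev.get("status") == "Failed":
            continue
        name = rule_name_from_resource_id(ev.get("resourceId", "")) or ""
        props = ev.get("requestBody", {}).get("properties", {})
        by_name = fnmatch.fnmatchcase(name.lower(), PUBLIC_RULE_GLOB.lower())
        by_range = covers_whole_internet(props.get("startIpAddress"), props.get("endIpAddress"))
        if by_name or by_range:
            findings.append({"timestamp": ev.get("eventTimestamp"), "caller": ev.get("caller"),
                             "rule": name, "matched_by": "name" if by_name else "range"})
    return findings

# Constructed sample records (assumed shape), not real log data.
SERVER = "/subscriptions/SUB-ID/resourceGroups/rg1/providers/Microsoft.DBforMySQL/flexibleServers/db1"
SAMPLE_EVENTS = [
    {"operationName": FIREWALL_WRITE_OP, "status": "Succeeded", "caller": "alice@example.com",
     "eventTimestamp": "2024-01-15T10:02:00Z", "resourceId": SERVER + "/firewallRules/AllowAll_2024-01-15",
     "requestBody": {"properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}}},
    {"operationName": FIREWALL_WRITE_OP, "status": "Succeeded", "caller": "bob@example.com",
     "eventTimestamp": "2024-01-15T11:30:00Z", "resourceId": SERVER + "/firewallRules/office-vpn",
     "requestBody": {"properties": {"startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"}}},
    {"operationName": FIREWALL_WRITE_OP, "status": "Succeeded", "caller": "svc-deploy@example.com",
     "eventTimestamp": "2024-01-16T08:00:00Z", "resourceId": SERVER + "/firewallRules/temp-debug",
     "requestBody": {"properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}}},
]

if __name__ == "__main__":
    for f in find_public_access_rule_writes(SAMPLE_EVENTS):
        print(f)
```

The third sample record is caught only by the range check, which is why checking the request body as well as the rule name is worthwhile when reviewing the exposure window.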