Can you recommend the best/simplest way to regularly audit the IP Address Whitelists of the following Azure Resources: API Gateway, Storage Account, Function App, SQL Server/DBs

FredFred 1 Reputation point
2020-05-26T18:14:17.8+00:00

What is the simplest approach to auditing the IP Address Whitelists for the following Azure resources: API Gateways, Function Apps, Storage Accounts, and SQL Databases/Servers?

We control access to those Azure Resources to an approved list of IP Addresses. We want to regularly check those lists and compare them to a baseline.

My original idea was to write a PowerShell script that queried all of those resources' Whitelists and compared them to my approved list. But now I find that there's no PowerShell cmdlet to query database-level firewall rules, only server-level ones. I can use T-SQL, but I wanted to keep it simple and use a single tool.

Is there another tool that would make that simpler? Or another way to use PowerShell to gather all that info? I had also considered using Log Analytics to alert support if a log entry that creates or modifies those firewall rules comes through for any of those resources.

Can anyone offer a different approach that I may be missing? Or a modification on my current approach that would minimize "the administrative overhead" of this activity?

Tags: Azure API Management, Azure SQL Database, Azure Functions, Azure Storage Accounts
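The Log Analytics idea from the question, worked through as an added example (not code from this thread): it pulls the Activity Log entries that change the ARM-side IP restrictions of the four resource types and is the kind of query a scheduled log alert could page support on. Assumed: the Az.Accounts and Az.OperationalInsights modules, an active Connect-AzAccount session, the subscription's Activity Log exported to the workspace given by $WorkspaceId (a placeholder value), and the parameter names shown. One caveat the script comments on: database-level SQL firewall rules set via T-SQL are not ARM operations and never reach the Activity Log, so change detection alone cannot replace a periodic state check for them.

```powershell
# Added example (not from the original thread): change-based detection of allowlist edits.
# Queries the Activity Log stored in a Log Analytics workspace for successful writes to the
# ARM resources that carry IP restrictions. Assumes Az.Accounts + Az.OperationalInsights,
# an active Connect-AzAccount session, and Activity Log export to $WorkspaceId (placeholder).
param(
    [string]$WorkspaceId = '00000000-0000-0000-0000-000000000000',   # assumed placeholder, replace
    [int]$LookbackHours = 24
)

# ARM operations that create or change IP restrictions for the resources in the question.
# Storage and Web "write" operations cover any configuration change, so they are noisy by
# design; confirm what changed with a state diff. Database-level SQL firewall rules set
# through T-SQL are NOT ARM operations and never appear here, which is why polling
# sys.database_firewall_rules is still required for those.
$kql = @"
AzureActivity
| where TimeGenerated > ago(${LookbackHours}h)
| where ActivityStatusValue == "Success"
| where OperationNameValue in~ (
    "Microsoft.Sql/servers/firewallRules/write",
    "Microsoft.Sql/servers/firewallRules/delete",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Web/sites/config/write",
    "Microsoft.ApiManagement/service/policies/write",
    "Microsoft.ApiManagement/service/apis/policies/write")
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, _ResourceId
| order by TimeGenerated desc
"@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$changes  = @($response.Results)

if ($changes.Count -eq 0) {
    "No allowlist-affecting changes in the last $LookbackHours h."
} else {
    # Each row is a change someone should be able to explain against the approved baseline.
    $changes | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduler or pipeline treats this run as "needs review"
}
```

The same KQL can be pasted into a scheduled log alert rule in the workspace so that support is notified on the first matching row; the script form is useful for a nightly run that writes a ticket instead.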

4 answers

  1. ErikEJ 341 Reputation points MVP
    2020-05-26T18:52:49.65+00:00

    You can only use SQL for database level firewall rules, but you can execute SQL from PowerShell.

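The single-tool approach this answer points at (Az cmdlets for everything ARM exposes, T-SQL through Invoke-Sqlcmd for the database-level rules), carried through all four resource types from the question and diffed against a baseline, as an added example that is not code from this thread. Assumed: PowerShell 7, the Az.Accounts, Az.Sql, Az.Storage, Az.Websites, Az.ApiManagement and SqlServer modules, an existing Connect-AzAccount session with Reader rights, the signed-in identity present as a user in each database (needed to read sys.database_firewall_rules), and a baseline JSON file in the format described in the comments; the resource key naming and the file path are choices made for this example. Two caveats a practitioner will want: for API Management only the global policy is inspected (ip-filter at API or operation scope needs a scoped Get-AzApiManagementPolicy call), and for function apps only the main site restrictions are read, not the SCM site.

```powershell
#Requires -Version 7.0
# Added example (not from the original thread). Inventories IP allowlists across the resource
# types in the question and diffs each one against an approved baseline in both directions.
# Modules assumed: Az.Accounts, Az.Sql, Az.Storage, Az.Websites, Az.ApiManagement, SqlServer.
# Also assumed: Connect-AzAccount already run (Reader on the subscription) and the signed-in
# identity is a user in every database so sys.database_firewall_rules can be read.
param(
    [string]$BaselinePath = '.\ip-baseline.json'   # assumed file; format described below
)

# Baseline format (assumed): { "<resource key>": ["1.2.3.4", "10.0.0.0-10.0.0.255", "203.0.113.0/24"] }
# Keys built below: sql/<server>, sql/<server>/<db>, storage/<account>, func/<app>, apim/<service>.
$baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json -AsHashtable
$found    = @{}   # resource key -> list of normalized allowlist entries currently in Azure

function Initialize-Key([string]$Key) {
    if (-not $found.ContainsKey($Key)) { $found[$Key] = [System.Collections.Generic.List[string]]::new() }
}
function Add-Rule([string]$Key, [string]$Start, [string]$End) {
    Initialize-Key $Key
    # A single address or CIDR is kept as-is; a range becomes "start-end" so SQL and APIM ranges compare alike.
    $found[$Key].Add($(if ($End -and $End -ne $Start) { "$Start-$End" } else { $Start }))
}

# --- Azure SQL: server-level rules through Az, database-level rules only through T-SQL ---
$sqlToken = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net/').Token
if ($sqlToken -is [System.Security.SecureString]) {   # newer Az.Accounts versions return a SecureString
    $sqlToken = [System.Net.NetworkCredential]::new('', $sqlToken).Password
}
foreach ($srv in Get-AzSqlServer) {
    $key = "sql/$($srv.ServerName)"; Initialize-Key $key
    Get-AzSqlServerFirewallRule -ResourceGroupName $srv.ResourceGroupName -ServerName $srv.ServerName |
        ForEach-Object { Add-Rule $key $_.StartIpAddress $_.EndIpAddress }
    $dbs = Get-AzSqlDatabase -ResourceGroupName $srv.ResourceGroupName -ServerName $srv.ServerName |
        Where-Object DatabaseName -ne 'master'
    foreach ($db in $dbs) {
        $dbKey = "$key/$($db.DatabaseName)"; Initialize-Key $dbKey
        Invoke-Sqlcmd -ServerInstance $srv.FullyQualifiedDomainName -Database $db.DatabaseName -AccessToken $sqlToken `
            -Query 'SELECT start_ip_address, end_ip_address FROM sys.database_firewall_rules' |
            ForEach-Object { Add-Rule $dbKey $_.start_ip_address $_.end_ip_address }
    }
}

# --- Storage accounts: IP rules only restrict anything when the default action is Deny ---
foreach ($sa in Get-AzStorageAccount) {
    $key = "storage/$($sa.StorageAccountName)"; Initialize-Key $key
    if ($sa.NetworkRuleSet.DefaultAction -ne 'Deny') { Add-Rule $key 'ANY (DefaultAction=Allow)' }
    foreach ($r in @($sa.NetworkRuleSet.IpRules) | Where-Object Action -eq 'Allow') { Add-Rule $key $r.IPAddressOrRange }
}

# --- Function apps: App Service access restrictions on the main site (SCM site not covered here) ---
foreach ($app in Get-AzWebApp | Where-Object Kind -like '*functionapp*') {
    $key = "func/$($app.Name)"; Initialize-Key $key
    $cfg = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $app.ResourceGroup -Name $app.Name
    foreach ($r in @($cfg.MainSiteAccessRestrictions) | Where-Object { $_.Action -eq 'Allow' -and $_.IpAddress }) {
        Add-Rule $key $r.IpAddress   # "Any" lands here when the app has no restriction at all
    }
}

# --- API Management: <ip-filter> in the global policy (API/operation-scoped policies need a scoped call) ---
foreach ($svc in Get-AzApiManagement) {
    $key = "apim/$($svc.Name)"; Initialize-Key $key
    $ctx = New-AzApiManagementContext -ResourceGroupName $svc.ResourceGroupName -ServiceName $svc.Name
    $policyXml = Get-AzApiManagementPolicy -Context $ctx
    if ($policyXml) {
        foreach ($filter in ([xml]$policyXml).SelectNodes('//ip-filter[@action="allow"]')) {
            foreach ($a in $filter.SelectNodes('address'))       { Add-Rule $key $a.InnerText }
            foreach ($r in $filter.SelectNodes('address-range')) { Add-Rule $key $r.GetAttribute('from') $r.GetAttribute('to') }
        }
    }
}

# --- Compare with the baseline; both directions matter for an audit ---
$report = foreach ($key in (@($found.Keys) + @($baseline.Keys) | Sort-Object -Unique)) {
    $actual   = @($found[$key]    | Sort-Object -Unique)
    $expected = @($baseline[$key] | Sort-Object -Unique)
    [pscustomobject]@{
        Resource   = $key
        Unexpected = @($actual   | Where-Object { $_ -notin $expected })   # allowed in Azure, not approved
        Missing    = @($expected | Where-Object { $_ -notin $actual })     # approved, no longer allowed
    }
}
$drift = @($report | Where-Object { $_.Unexpected.Count -or $_.Missing.Count })
if ($drift.Count) { $drift | Format-List; exit 1 }   # non-zero exit so a scheduler can flag the run
'All IP allowlists match the baseline.'
```

Run it on a schedule (Azure Automation, a pipeline agent, or Cloud Shell with a saved script) and treat a non-zero exit as the alert; the "Missing" column is what catches a rule that was silently removed, which a list of additions alone would not show.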

  2. FredFred 1 Reputation point
    2020-06-03T22:36:44.227+00:00

    Is there an existing solution for testing this sort of thing regularly? Without having to build the entire solution myself? Surely there are others trying to audit their IP Address Whitelists.


  3. Jaguaraci Silva 81 Reputation points
    2020-09-25T16:50:51.257+00:00

    Hi,

    Use Azure Cloud Shell to run a single script file:

    1) You can create security groups per application and filter the network traffic by client IP using a whitelist -> https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic-cli

    2) Connect to the Azure databases using a database command-line tool (e.g. sqlcmd) and execute sp_set_database_firewall_rule to set firewall rules on the database.


  4. AdrianaNascimento-6675 1 Reputation point
    2022-11-25T16:48:39.087+00:00

    Dear all, the account is being used by 3 people; I ask for criteria that would reveal: asn
