Deny public access policy not working in Azure

MrFlinstone 501 Reputation points
2024-01-25T23:25:15.5766667+00:00

I have used the built-in Azure policies which stop public network access for SQL server and SQL database. The option for SQL server doesn't give you the option to deny; however, public access for SQL database has an option to deny.

I assigned these 2 policies to my subscription and then, to test them, I created a SQL server and a SQL database. For the SQL server, under the network settings, there are only 2 options under public access.

  • Disabled
  • Selected networks

Under selected networks, there is a small caption with the following.

Only approved private endpoint connections will be accepted by this resource. Any existing firewall rules or virtual network endpoints will be retained, but disabled.

I do not understand this. Is this the policy that I created that has stipulated this?

To test the policy, I chose selected networks and, under firewall rules, added my client IPv4 address, which in this case is public and not a private endpoint address.

Clicking add and then save, I get the error:

Unable to create or modify firewall rules when public network interface for the server is disabled. To manage server or database level firewall rules, please enable the public network interface.

Not sure what is enforcing this. I don't think it is the policy I created, as I do not get the custom message that I configured. Not sure what is stopping the creation of a public IP address. The good thing here is that it is stopping public network access, but I do not understand what is stopping it.

Any ideas?

Azure SQL Database
Azure Policy

2 answers

  1. Amira Bedhiafi 16,146 Reputation points
    2024-01-26T10:38:33.4733333+00:00

    The Azure policy you mentioned is designed to restrict public network access to SQL Server and SQL Database. This is a security best practice to prevent unauthorized access.

    In your SQL Server's network settings, the options you're seeing ('Disabled' and 'Selected Networks') relate to how the SQL Server can be accessed:

    • Disabled: No public network access is allowed.
    • Selected Networks: Only allows access from specific networks or IP addresses you define.

    The error you're getting indicates that public network access is disabled. This is consistent with a policy that denies public network access.

    I think that the Azure policy is effectively working by overriding the network settings at the SQL Server level. When the policy is applied, it might not explicitly state that it's blocking the action, but its effect is to prevent the enabling of public access or the addition of firewall rules that would allow public access.


  2. Oury Ba-MSFT 16,736 Reputation points Microsoft Employee
    2024-01-31T00:09:48.3266667+00:00

    @MrFlinstone Thank you for reaching out. I absolutely agree with Amira Bedhiafi's answer.

    "I do not understand this, is this the policy that I created that has stipulated this?"

    When Public network access is set to Disable, only connections from private endpoints are allowed. All connections from public endpoints will be denied with an error message similar to the one quoted in your question. An Azure Policy may have been created that is blocking you from configuring rules on the Azure SQL firewall.

    The error message "Unable to create or modify firewall rules when public network interface for the server is disabled. To manage server or database level firewall rules, please enable the public network interface" indicates that when Public network access is set to Disable, any attempt to add, remove, or edit any firewall rules will be denied with an error message similar to the above. Ensure that public network access is set to Selected networks to be able to add, remove, or edit any firewall rules for Azure SQL Database.

    Regards, Oury
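The thread turns on telling two different rejections apart: a deny from Azure Policy, which arrives as a RequestDisallowedByPolicy error carrying the assignment's non-compliance message, and a rejection by the SQL resource provider itself, which refuses firewall-rule changes while the server's publicNetworkAccess is Disabled and never involves policy. The following is an added example, not code from the thread or from Microsoft: a small offline simulation of both checks. The policy rule language (if/allOf/field/equals/notEquals, then/effect) and the property alias Microsoft.Sql/servers/publicNetworkAccess are real Azure Policy constructs; the assignment name, the custom non-compliance message, the server and rule names, and the IP address are constructed for the example.

```python
# Added example, not part of the original thread. Simulates, offline, where an
# ARM request is rejected: by an Azure Policy deny effect, or by the SQL
# resource provider because the parent server has public network access disabled.
from typing import Any

# Constructed assignment, modelled on a deny-effect assignment of a "public
# network access should be disabled" policy. Name and message are hypothetical.
SQL_DENY_PUBLIC_ASSIGNMENT = {
    "name": "deny-sql-public-network-access",
    "nonComplianceMessage": "Public network access on Azure SQL servers is not permitted.",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Sql/servers"},
                {"field": "Microsoft.Sql/servers/publicNetworkAccess", "notEquals": "Disabled"},
            ]
        },
        "then": {"effect": "deny"},
    },
}

# Service-side error text quoted in the question.
RP_FIREWALL_ERROR = (
    "Unable to create or modify firewall rules when public network interface for the "
    "server is disabled. To manage server or database level firewall rules, please "
    "enable the public network interface."
)


def resolve_field(resource: dict, field: str) -> Any:
    """Resolve a policy 'field' against an ARM-style resource document.

    'type' is the resource type; an alias such as
    'Microsoft.Sql/servers/publicNetworkAccess' is the resource type followed
    by a path into 'properties'. Fields that do not apply resolve to None.
    """
    if field == "type":
        return resource.get("type")
    prefix = resource.get("type", "") + "/"
    if not field.startswith(prefix):
        return None
    value: Any = resource.get("properties", {})
    for part in field[len(prefix):].split("/"):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def evaluate(condition: dict, resource: dict) -> bool:
    """Evaluate the subset of the Azure Policy condition language used above."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    value = resolve_field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    raise ValueError(f"unsupported condition: {condition}")


def put_resource(resource: dict, assignments: list) -> dict:
    """Simulate an ARM PUT: policy deny effects are evaluated before the provider."""
    for a in assignments:
        rule = a["policyRule"]
        if rule["then"]["effect"].lower() == "deny" and evaluate(rule["if"], resource):
            return {"status": "denied", "source": "policy", "code": "RequestDisallowedByPolicy",
                    "assignment": a["name"], "message": a.get("nonComplianceMessage", "")}
    return {"status": "ok", "source": "resourceProvider"}


def put_firewall_rule(server: dict, rule: dict, assignments: list) -> dict:
    """Simulate creating Microsoft.Sql/servers/firewallRules under a server.

    Policy runs against the child resource (and does not match, since the rule
    targets Microsoft.Sql/servers); the SQL provider then refuses the rule if the
    parent server has public network access disabled.
    """
    policy_result = put_resource(rule, assignments)
    if policy_result["status"] == "denied":
        return policy_result
    if server["properties"].get("publicNetworkAccess") == "Disabled":
        return {"status": "denied", "source": "resourceProvider", "message": RP_FIREWALL_ERROR}
    return {"status": "ok", "source": "resourceProvider"}


def sample_server(public_network_access: str) -> dict:
    """Constructed Microsoft.Sql/servers document with a hypothetical name."""
    return {"type": "Microsoft.Sql/servers", "name": "sql-example-01",
            "properties": {"publicNetworkAccess": public_network_access}}


# Constructed firewall rule; the address is from the documentation range 203.0.113.0/24.
SAMPLE_FIREWALL_RULE = {
    "type": "Microsoft.Sql/servers/firewallRules",
    "name": "sql-example-01/ClientIPAddress_2024-01-25",
    "properties": {"startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
}

if __name__ == "__main__":
    assignments = [SQL_DENY_PUBLIC_ASSIGNMENT]
    print(put_resource(sample_server("Enabled"), assignments))    # denied by policy, custom message present
    print(put_resource(sample_server("Disabled"), assignments))   # allowed
    print(put_firewall_rule(sample_server("Disabled"), SAMPLE_FIREWALL_RULE, assignments))  # provider error
```

The third call reproduces the situation in the question: the request that fails is the firewall-rule PUT, the policy rule never matches a Microsoft.Sql/servers/firewallRules resource, so no non-compliance message appears, and the message that does come back is the provider's own. A policy deny would instead show up on a PUT of the server with publicNetworkAccess set to Enabled, as in the first call.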