Azure Policy built-in definitions for Azure Database for PostgreSQL
APPLIES TO: 
Azure Database for PostgreSQL - Single Server
Important
Azure Database for PostgreSQL - Single Server is on the retirement path. We strongly recommend that you upgrade to Azure Database for PostgreSQL - Flexible Server. For more information about migrating to Azure Database for PostgreSQL - Flexible Server, see What's happening to Azure Database for PostgreSQL Single Server?.
This page is an index of Azure Policy built-in policy definitions for Azure Database for PostgreSQL. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.
The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.
Azure Database for PostgreSQL
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Azure Database for PostgreSQL Flexible Server should be Zone Resilient | Azure Database for PostgreSQL Flexible Server can be configured to be either Zone Aligned, Zone Redundant, or neither. PostgreSQL Server that has a standby server selected in same zone for high availability is considered Zone Aligned. In contrast, PostgreSQL Server that has a standby server selected to be in a different zone for high availability is recognized as Zone Redundant. This policy helps identify and enforce these resilience configurations. | Audit, Deny, Disabled | 1.0.0-preview |
| A Microsoft Entra administrator should be provisioned for PostgreSQL servers | Audit provisioning of a Microsoft Entra administrator for your PostgreSQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.1 |
| Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers | Audit PostgreSQL flexible servers without Advanced Data Security | AuditIfNotExists, Disabled | 1.0.0 |
| Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers | Enable Advanced Threat Protection on your Azure database for PostgreSQL flexible servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists, Disabled | 1.1.0 |
| Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers | Enable Advanced Threat Protection on your non-Basic tier Azure database for PostgreSQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists, Disabled | 1.2.0 |
| Connection throttling should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without Connection throttling enabled. This setting enables temporary connection throttling per IP for too many invalid password login failures. | AuditIfNotExists, Disabled | 1.0.0 |
| Disconnections should be logged for PostgreSQL database servers. | This policy helps audit any PostgreSQL databases in your environment without log_disconnections enabled. | AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enforce SSL connection should be enabled for PostgreSQL database servers | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Audit, Disabled | 1.0.1 |
| Geo-redundant backup should be enabled for Azure Database for PostgreSQL | Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. | Audit, Disabled | 1.0.1 |
| Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers | Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys | Audit, Deny, Disabled | 1.0.0 |
| Log checkpoints should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_checkpoints setting enabled. | AuditIfNotExists, Disabled | 1.0.0 |
| Log connections should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_connections setting enabled. | AuditIfNotExists, Disabled | 1.0.0 |
| Log duration should be enabled for PostgreSQL database servers | This policy helps audit any PostgreSQL databases in your environment without log_duration setting enabled. | AuditIfNotExists, Disabled | 1.0.0 |
| PostgreSQL server should use a virtual network service endpoint | Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure Database for PostgreSQL while ensuring the traffic stays within the Azure boundary. This policy provides a way to audit if the Azure Database for PostgreSQL has virtual network service endpoint being used. | AuditIfNotExists, Disabled | 1.0.2 |
| PostgreSQL servers should use customer-managed keys to encrypt data at rest | Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. | AuditIfNotExists, Disabled | 1.0.4 |
| Private endpoint should be enabled for PostgreSQL servers | Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. | AuditIfNotExists, Disabled | 1.0.2 |
| Public network access should be disabled for PostgreSQL flexible servers | Disabling the public network access property improves security by ensuring your Azure Database for PostgreSQL flexible servers can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 3.0.1 |
| Public network access should be disabled for PostgreSQL servers | Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. | Audit, Deny, Disabled | 2.0.1 |
Next steps
- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for