AzPolicyAdvertizer

last sync: 2024-Nov-25 18:54:24 UTC

Azure SQL Managed Instances should disable public network access

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

Azure SQL Managed Instances should disable public network access

9dfea752-dd46-4766-aed1-c355fa93fb91

Version

1.0.0
Details on versioning

Versioning

Versions supported for Versioning: 1
1.0.0
Built-in Versioning [Preview]

Category

SQL
Microsoft Learn

Description

Disabling public network access (public endpoint) on Azure SQL Managed Instances improves security by ensuring that they can only be accessed from inside their virtual networks or via Private Endpoints. To learn more about public network access, visit https://aka.ms/mi-public-endpoint.

Mode

Indexed

Type

BuiltIn

Preview

False

Deprecated

False

Effect

Default
Audit
Allowed
Audit, Deny, Disabled

RBAC role(s)

none

Rule aliases

IF (1)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.Sql/managedInstances/publicDataEndpointEnabled	Microsoft.Sql	managedInstances	properties.publicDataEndpointEnabled	True		False

Rule resource types

IF (1)
Microsoft.Sql/managedInstances

Compliance

The following 4 compliance controls are associated with this Policy definition 'Azure SQL Managed Instances should disable public network access' (9dfea752-dd46-4766-aed1-c355fa93fb91)

Control Domain	Control	Name	MetadataId	Category	Title	Owner	Requirements	Description	Info	Policy#
Azure_Security_Benchmark_v3.0	NS-2	Azure_Security_Benchmark_v3.0_NS-2	Microsoft cloud security benchmark NS-2	Network Security	Secure cloud services with network controls	Shared	Security Principle: Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public network when possible. Azure Guidance: Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. You should also disable or restrict public network access to services where feasible. For certain services, you also have the option to deploy VNet integration for the service where you can restrict the VNET to establish a private access point for the service. Implementation and additional context: Understand Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview	n/a	link	40
New_Zealand_ISM	10.8.35.C.01	New_Zealand_ISM_10.8.35.C.01	New_Zealand_ISM_10.8.35.C.01	10. Infrastructure	10.8.35.C.01 Security Architecture		n/a	Security architectures MUST apply the principles of separation and segregation.		31
NL_BIO_Cloud_Theme	U.07.1(2)	NL_BIO_Cloud_Theme_U.07.1(2)	NL_BIO_Cloud_Theme_U.07.1(2)	U.07 Data separation	Isolated		n/a	Permanent isolation of data is realized within a multi-tenant architecture. Patches and adjustments of applications and infrastructure are realized in a controlled manner for all cloud services that the CSC purchases.		57
	U.07.1 - Isolated	U.07.1 - Isolated	404 not found				n/a	n/a		56

Initiatives usage

Initiative DisplayName	Initiative Id	Initiative Category	State	Type
[Preview]: Control the use of Microsoft SQL in a Virtual Enclave	0fbe78a5-1722-4f1b-83a5-89c14151fa60	VirtualEnclaves	Preview	BuiltIn
Microsoft cloud security benchmark	1f3afdf9-d0c9-4c3d-847f-89da613e70a8	Security Center	GA	BuiltIn
New Zealand ISM	4f5b1359-4f8e-4d7c-9733-ea47fcde891e	Regulatory Compliance	GA	BuiltIn
NL BIO Cloud Theme	6ce73208-883e-490f-a2ac-44aac3b3687f	Regulatory Compliance	GA	BuiltIn
NL BIO Cloud Theme V2	d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee	Regulatory Compliance	GA	BuiltIn
Public network access should be disabled for PaaS services	Deny-PublicPaaSEndpoints	Network	GA	ALZ

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2022-07-22 16:34:49	add	9dfea752-dd46-4766-aed1-c355fa93fb91

JSON compare

n/a

JSON

api-version=2021-06-01
EPAC