What it is
An Azure Database for PostgreSQL flexible server with network.publicNetworkAccess set to Enabled. The server has a publicly resolvable DNS name and answers connection attempts from the internet on port 5432; server-level firewall rules, which are IP allow-lists with no authentication of their own, are the only network control in front of it.
Why it happens
Flexible servers make you pick a networking mode at creation: public access (allowed IP addresses) or private VNet integration. Public access is the low-friction path, no subnet delegation, no private DNS zone, works from a laptop on day one, so that's what development-phase servers get. And VNet integration cannot be retrofitted: a public-access server can't be converted to VNet-integrated in place, which makes "we'll go private later" feel like a rebuild-and-migrate project, so later never comes.
What's less well known is that the rebuild usually isn't necessary anymore. A public-access server supports private endpoints, and the public endpoint itself can be switched off in place. The trap persists mostly on reputation.
What it costs / blast radius
A public endpoint means any leaked or guessed credential can be exercised from anywhere on the internet, and port 5432 gets scanned constantly. The firewall rules guarding it are static IP ranges: they authenticate nobody, they rot as office and home IPs change, and the convenient "allow public access from any Azure service" rule admits traffic from every Azure customer's egress, not just yours.
The exposure is the whole database, every table, at the mercy of credential strength. (Authored assessment of Azure behavior; actual exposure depends on your firewall rules and credential hygiene.)
See it
resource pg 'Microsoft.DBforPostgreSQL/flexibleServers@2024-08-01' = {
name: 'app-pg'
location: location
sku: { name: 'Standard_D2ds_v5', tier: 'GeneralPurpose' }
properties: {
version: '16'
network: {
publicNetworkAccess: 'Enabled' // publicly resolvable, port 5432
}
// ...firewall rules are the only network barrier
}
}resource pg 'Microsoft.DBforPostgreSQL/flexibleServers@2024-08-01' = {
name: 'app-pg'
location: location
sku: { name: 'Standard_D2ds_v5', tier: 'GeneralPurpose' }
properties: {
version: '16'
network: {
publicNetworkAccess: 'Disabled' // firewall rules stop applying entirely
}
}
}
resource pgPe 'Microsoft.Network/privateEndpoints@2023-09-01' = {
name: 'app-pg-pe'
location: location
properties: {
subnet: { id: appSubnetId }
privateLinkServiceConnections: [
{
name: 'app-pg-plsc'
properties: {
privateLinkServiceId: pg.id
groupIds: ['postgresqlServer']
}
}
]
}
}How StratoLens helps
StratoLens flags every PostgreSQL flexible server that still answers on a public endpoint, automatically and continuously, across all your subscriptions. The dev-phase server that quietly became production infrastructure surfaces on the first scan, and because StratoLens runs inside your own tenant, the finding never leaves your environment.