Skip to main content
Back to the Azure Footguns Database
SecurityMediumCommonAZF-0071

A PostgreSQL flexible server on a public endpoint leaves IP firewall rules as the only barrier to your data

The Postgres server answers on a publicly resolvable endpoint. Firewall rules, plain IP allow-lists with no identity behind them, are the only thing between your data and the internet.

Footgun ID
AZF-0071 (Azure Footgun No. 71)
Azure service
Azure Database for PostgreSQL
Resource type
Microsoft.DBforPostgreSQL/flexibleServers
Updated
July 9, 2026

What it is

An Azure Database for PostgreSQL flexible server with network.publicNetworkAccess set to Enabled. The server has a publicly resolvable DNS name and answers connection attempts from the internet on port 5432; server-level firewall rules, which are IP allow-lists with no authentication of their own, are the only network control in front of it.

Impact (security)
The database answers the internet on port 5432; identity-free IP allow-list rules are the only network barrier
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Flexible servers make you pick a networking mode at creation: public access (allowed IP addresses) or private VNet integration. Public access is the low-friction path, no subnet delegation, no private DNS zone, works from a laptop on day one, so that's what development-phase servers get. And VNet integration cannot be retrofitted: a public-access server can't be converted to VNet-integrated in place, which makes "we'll go private later" feel like a rebuild-and-migrate project, so later never comes.

What's less well known is that the rebuild usually isn't necessary anymore. A public-access server supports private endpoints, and the public endpoint itself can be switched off in place. The trap persists mostly on reputation.

What it costs / blast radius

A public endpoint means any leaked or guessed credential can be exercised from anywhere on the internet, and port 5432 gets scanned constantly. The firewall rules guarding it are static IP ranges: they authenticate nobody, they rot as office and home IPs change, and the convenient "allow public access from any Azure service" rule admits traffic from every Azure customer's egress, not just yours.

The exposure is the whole database, every table, at the mercy of credential strength. (Authored assessment of Azure behavior; actual exposure depends on your firewall rules and credential hygiene.)

See it

Footgun: the server answers on a public endpoint, guarded only by firewall rules
resource pg 'Microsoft.DBforPostgreSQL/flexibleServers@2024-08-01' = {
  name: 'app-pg'
  location: location
  sku: { name: 'Standard_D2ds_v5', tier: 'GeneralPurpose' }
  properties: {
    version: '16'
    network: {
      publicNetworkAccess: 'Enabled'   // publicly resolvable, port 5432
    }
    // ...firewall rules are the only network barrier
  }
}
Fix: disable the public endpoint in place and connect via a private endpoint
resource pg 'Microsoft.DBforPostgreSQL/flexibleServers@2024-08-01' = {
  name: 'app-pg'
  location: location
  sku: { name: 'Standard_D2ds_v5', tier: 'GeneralPurpose' }
  properties: {
    version: '16'
    network: {
      publicNetworkAccess: 'Disabled'   // firewall rules stop applying entirely
    }
  }
}

resource pgPe 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: 'app-pg-pe'
  location: location
  properties: {
    subnet: { id: appSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'app-pg-plsc'
        properties: {
          privateLinkServiceId: pg.id
          groupIds: ['postgresqlServer']
        }
      }
    ]
  }
}

How StratoLens helps

StratoLens flags every PostgreSQL flexible server that still answers on a public endpoint, automatically and continuously, across all your subscriptions. The dev-phase server that quietly became production infrastructure surfaces on the first scan, and because StratoLens runs inside your own tenant, the finding never leaves your environment.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.