Security · Critical · Common · AZF-0027

An Azure SQL server with public network access enabled exposes the database endpoint to the internet

Enabling public network access on an Azure SQL logical server makes its endpoint resolvable and reachable from the internet, leaving login credentials and firewall rules as the only defense.

Footgun ID: AZF-0027 (Azure Footgun No. 27)
Azure service: Azure SQL Database
Resource type: Microsoft.Sql/servers
Updated: July 1, 2026

What it is

An Azure SQL logical server whose public network access is set to Enabled rather than Disabled. Every database under that server is served from the same *.database.windows.net endpoint, so when the server is public that endpoint resolves and accepts connections from the internet, guarded only by the server firewall and login authentication.

Impact (security)

SQL server endpoint reachable from the public internet on port 1433
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Azure exposes this as a single enum on the SQL server (publicNetworkAccess: Enabled/Disabled). Some IaC tools surface it as a boolean (Terraform's azurerm provider calls it public_network_access_enabled), but Azure's own setting is the enum. A private endpoint sitting alongside the server does not close the public path, because public access is an independent switch.

The flip is easy to make and easy to miss. A developer needs to connect from a laptop, a migration tool wants a direct route, or a firewall rule like "Allow Azure services" quietly widens reachability. Someone toggles public access on, the connection works, and the toggle never gets reverted. Nothing in Azure flags Enabled as wrong, so the server keeps serving as if nothing changed.

What it costs / blast radius

The blast radius is the whole logical server: every database it hosts is now reachable from the internet on the SQL endpoint. Public reachability does not authenticate anyone, but it turns the server into a target for credential-stuffing, brute force, and exploitation of any weak login or overly broad firewall rule (for example a 0.0.0.0 "allow all" rule). The database moves from "only reachable from your network" to "reachable from anywhere, protected only by passwords and firewall entries." This is a control-plane exposure assessment based on documented Azure behavior, not a measured intrusion rate.

See it

Footgun: SQL server public network access enabled (endpoint on the internet)
param location string = resourceGroup().location
@secure()
param administratorLoginPassword string

resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
  name: 'corp-sql-prod'
  location: location
  properties: {
    administratorLogin: 'sqladmin'
    administratorLoginPassword: administratorLoginPassword
    publicNetworkAccess: 'Enabled'   // endpoint reachable from the public internet
  }
}
Fix: disable public network access and reach the server over a private endpoint
param location string = resourceGroup().location
@secure()
param administratorLoginPassword string

resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
  name: 'corp-sql-prod'
  location: location
  properties: {
    administratorLogin: 'sqladmin'
    administratorLoginPassword: administratorLoginPassword
    publicNetworkAccess: 'Disabled'  // only private endpoints reach the server
  }
}

How StratoLens helps

StratoLens tracks the publicNetworkAccess setting on every SQL server across every subscription and flags the moment it drifts to Enabled, recording the change in history. You don't have to run the audit or remember which servers were supposed to be private; the check runs continuously inside your own tenant.
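The check described under "Why it happens" and "How StratoLens helps" can be expressed as a small audit over the ARM shape of a server and its firewall rules. The following is an added example, not StratoLens or Microsoft code: it normalizes the enum or a Terraform-style boolean, flags a server whose public path is still open even when a private endpoint exists, and distinguishes the 0.0.0.0 "Allow Azure services" sentinel from an explicit allow-all rule. The inventory is constructed sample data, and the assumption that an unset value means Enabled is marked in the code.

```python
"""Audit Microsoft.Sql/servers resources for AZF-0027 (public network access)."""

# Sentinel ranges Azure SQL uses in firewall rules
ALLOW_AZURE_SERVICES = ("0.0.0.0", "0.0.0.0")    # the "Allow Azure services" rule
ALLOW_ALL_IPV4 = ("0.0.0.0", "255.255.255.255")  # an explicit allow-everything rule


def normalize_public_access(value) -> str:
    """Map Azure's enum, Terraform's boolean, or an unset value onto the enum."""
    if isinstance(value, bool):  # Terraform-style public_network_access_enabled
        return "Enabled" if value else "Disabled"
    if value is None:            # assumption: Azure defaults a new server to Enabled
        return "Enabled"
    return str(value)


def audit_sql_server(server: dict, firewall_rules: list) -> dict:
    """server: one Microsoft.Sql/servers resource in ARM JSON shape;
    firewall_rules: its Microsoft.Sql/servers/firewallRules children."""
    props = server.get("properties", {})
    access = normalize_public_access(props.get("publicNetworkAccess"))
    issues = []
    if access != "Disabled":
        issues.append("endpoint reachable from the internet on port 1433")
        # A private endpoint does not close the public path; flag the mismatch
        if props.get("privateEndpointConnections"):
            issues.append("private endpoint present but public access still Enabled")
        for rule in firewall_rules:
            rp = rule.get("properties", {})
            span = (rp.get("startIpAddress"), rp.get("endIpAddress"))
            if span == ALLOW_ALL_IPV4:
                issues.append(f"rule {rule['name']} admits every IPv4 address")
            elif span == ALLOW_AZURE_SERVICES:
                issues.append(f"rule {rule['name']} allows all Azure services")
    return {"server": server["name"], "publicNetworkAccess": access, "issues": issues}


# Constructed sample inventory (not real servers): one footgun, one locked down
SAMPLE_INVENTORY = [
    ({"name": "corp-sql-prod", "properties": {"publicNetworkAccess": "Enabled",
      "privateEndpointConnections": [{"id": "/placeholder/privateEndpointConnections/pe-1"}]}},
     [{"name": "AllowAllWindowsAzureIps",
       "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}},
      {"name": "temp-dev-laptop",
       "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}}]),
    ({"name": "corp-sql-private", "properties": {"publicNetworkAccess": "Disabled"}}, []),
]


def audit_all(inventory=SAMPLE_INVENTORY) -> list:
    """Return findings only for servers with at least one issue."""
    return [f for s, rules in inventory if (f := audit_sql_server(s, rules))["issues"]]
```

Feeding it real data means pairing each server from `az sql server list` with its `az sql server firewall-rule list` output; the function only reads the property names shown above.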
