What it is
An Azure SQL logical server whose public network access is set to Enabled rather than Disabled. Every database under that server is served from the same *.database.windows.net endpoint, so when the server is public, that endpoint resolves and accepts connections from the internet, guarded only by the server firewall and login authentication.
Why it happens
Azure exposes this as a single enum on the SQL server (publicNetworkAccess: Enabled/Disabled). Some IaC tools surface it as a boolean (Terraform's azurerm provider calls it public_network_access_enabled), but Azure's own setting is the enum. A private endpoint sitting alongside the server does not close the public path, because public access is an independent switch.
The flip is easy to make and easy to miss. A developer needs to connect from a laptop, a migration tool wants a direct route, or a firewall rule like "Allow Azure services" quietly widens reachability. Someone toggles public access on, the connection works, and the toggle never gets reverted. Nothing in Azure flags Enabled as wrong, so the server keeps serving as if nothing changed.
What it costs / blast radius
The blast radius is the whole logical server: every database it hosts is now reachable from the internet on the SQL endpoint. Public reachability does not authenticate anyone, but it turns the server into a target for credential-stuffing, brute force, and exploitation of any weak login or overly broad firewall rule (for example a 0.0.0.0 "allow all" rule). The database moves from "only reachable from your network" to "reachable from anywhere, protected only by passwords and firewall entries." This is a control-plane exposure assessment based on documented Azure behavior, not a measured intrusion rate.
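As an added check that is not part of this page or of StratoLens, the following Python evaluates control-plane JSON for the conditions described above: the publicNetworkAccess enum, firewall rules that widen reach (the 0.0.0.0 to 255.255.255.255 allow-all span and the 0.0.0.0 to 0.0.0.0 sentinel Azure uses for "Allow Azure services"), and a private endpoint that does not close the public path. The input shape is assumed to follow the ARM resource JSON with a nested properties object, and the inventory is constructed sample data.

```python
from dataclasses import dataclass, field

# 0.0.0.0-0.0.0.0 is Azure's sentinel for "Allow Azure services and resources";
# 0.0.0.0-255.255.255.255 admits every IPv4 address.
AZURE_SERVICES_RULE = ("0.0.0.0", "0.0.0.0")
ALLOW_ALL_RULE = ("0.0.0.0", "255.255.255.255")

@dataclass
class Finding:
    server: str
    exposed: bool
    reasons: list = field(default_factory=list)

def assess_server(server: dict, firewall_rules: list) -> Finding:
    """Assess one logical server; dicts are assumed to follow the ARM resource JSON shape."""
    name = server["name"]
    props = server.get("properties", {})
    # Azure's default for a new server is Enabled, so a missing key counts as open.
    if props.get("publicNetworkAccess", "Enabled") != "Enabled":
        return Finding(name, False, ["publicNetworkAccess=Disabled"])
    reasons = ["publicNetworkAccess=Enabled"]
    # A private endpoint is an independent path and does not close the public one.
    if props.get("privateEndpointConnections"):
        reasons.append("private endpoint present but public path still open")
    for rule in firewall_rules:
        rp = rule.get("properties", {})
        span = (rp.get("startIpAddress"), rp.get("endIpAddress"))
        if span == ALLOW_ALL_RULE:
            reasons.append(f"firewall rule {rule['name']} allows every IPv4 address")
        elif span == AZURE_SERVICES_RULE:
            reasons.append(f"firewall rule {rule['name']} allows all Azure services")
    return Finding(name, True, reasons)

def scan(inventory: list) -> list:
    """Return a Finding for each exposed server in a list of (server, rules) pairs."""
    return [f for s, r in inventory if (f := assess_server(s, r)).exposed]

# Constructed sample inventory, not real Azure output.
SAMPLE = [
    ({"name": "corp-sql-prod", "properties": {"publicNetworkAccess": "Enabled",
      "privateEndpointConnections": [{"id": "/placeholder/pe-id"}]}},
     [{"name": "AllowAll", "properties": {"startIpAddress": "0.0.0.0",
       "endIpAddress": "255.255.255.255"}}]),
    ({"name": "corp-sql-private", "properties": {"publicNetworkAccess": "Disabled"}},
     [{"name": "AllowAllWindowsAzureIps", "properties": {"startIpAddress": "0.0.0.0",
       "endIpAddress": "0.0.0.0"}}]),
]
```

Running scan(SAMPLE) reports only corp-sql-prod, with the allow-all rule and the ineffective private endpoint listed as reasons.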
See it
// Exposed: publicNetworkAccess left at Enabled
param location string = resourceGroup().location
@secure()
param sqlAdminPassword string // assumed parameter; required alongside administratorLogin

resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
  name: 'corp-sql-prod'
  location: location
  properties: {
    administratorLogin: 'sqladmin'
    administratorLoginPassword: sqlAdminPassword
    publicNetworkAccess: 'Enabled' // endpoint reachable from the public internet
  }
}

// Fixed: public path closed, only private endpoints reach the server
param location string = resourceGroup().location
@secure()
param sqlAdminPassword string // assumed parameter; required alongside administratorLogin

resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
  name: 'corp-sql-prod'
  location: location
  properties: {
    administratorLogin: 'sqladmin'
    administratorLoginPassword: sqlAdminPassword
    publicNetworkAccess: 'Disabled' // only private endpoints reach the server
  }
}

How StratoLens helps
StratoLens tracks the publicNetworkAccess setting on every SQL server across every subscription and flags the moment it drifts to Enabled, recording the change in history. You don't have to run the audit or remember which servers were supposed to be private; the check runs continuously inside your own tenant.