Enabling public network access to cloud resources can affect an organization’s ability to protect its data or internal operations from data theft or disruption.

Depending on the component, inbound access from the Internet can be enabled via a setting that explicitly allows public network access (for example publicNetworkAccess), the assignment of a public IP address, or firewall rules that allow public IP ranges.

Deciding to allow public access may happen for various reasons such as for quick maintenance, time saving, or by accident.

This decision increases the likelihood of attacks on the organization, such as data breaches, intrusion into the infrastructure, and malicious traffic such as denial-of-service attacks.

Ask Yourself Whether

This cloud resource is intended to be reachable by any Internet user, and it requires inbound traffic from the Internet to function properly.

There is a risk if you answered no to any of those questions.

Recommended Secure Coding Practices

Avoid publishing cloud services on the Internet unless they are intended to be publicly accessible, such as customer portals or e-commerce sites.

Use private networks (and associated private IP addresses) together with virtual network peering, private endpoints, or other secure communication tunnels to communicate with other cloud components.

The goal is to prevent the component from accepting traffic coming in via a public IP address. If the cloud resource cannot be deployed without a public IP address, keep the address but do not create any listener bound to it.

Sensitive Code Example

Using publicNetworkAccess to control access to resources (first in Bicep, then the equivalent ARM JSON template with the setting under siteConfig, then with the setting on a nested config child resource):

resource exampleSite 'Microsoft.Web/sites@2020-12-01' = {
  name: 'example-site'
  properties: {
    publicNetworkAccess: 'Enabled'
  }
}
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2020-12-01",
      "name": "example-site",
      "properties": {
        "siteConfig": {
          "publicNetworkAccess": "Enabled"
        }
      }
    }
  ]
}
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2020-12-01",
      "name": "example-site",
      "resources": [
        {
          "type": "config",
          "apiVersion": "2020-12-01",
          "name": "web",
          "properties": {
            "publicNetworkAccess": "Enabled"
          }
        }
      ]
    }
  ]
}

Using IP address ranges to control access to resources: a rule from 0.0.0.0 to 255.255.255.255 allows every IPv4 address on the Internet to reach the server (Bicep, then ARM JSON as a standalone resource and as a child of the server):

// The server the rule belongs to; assumed to exist already (a firewallRules
// resource must reference its parent server or it will not deploy).
resource exampleServer 'Microsoft.Sql/servers@2014-04-01' existing = {
  name: 'example-database'
}

resource exampleFirewall 'Microsoft.Sql/servers/firewallRules@2014-04-01' = {
  parent: exampleServer
  name: 'example-firewall'
  properties: {
    startIpAddress: '0.0.0.0'       // every IPv4 address on the Internet
    endIpAddress: '255.255.255.255'
  }
}
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Sql/servers/firewallRules",
      "apiVersion": "2014-04-01",
      "name": "example-firewall",
      "properties": {
        "startIpAddress": "0.0.0.0",
        "endIpAddress": "255.255.255.255"
      }
    }
  ]
}
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2014-04-01",
      "name": "example-database",
      "resources": [
        {
          "type": "firewallRules",
          "apiVersion": "2014-04-01",
          "name": "example-firewall",
          "properties": {
            "startIpAddress": "0.0.0.0",
            "endIpAddress": "255.255.255.255"
          }
        }
      ]
    }
  ]
}
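The two patterns above (a publicNetworkAccess flag set to Enabled, whether directly on the resource, under siteConfig, or on a nested config child, and an Azure SQL firewall rule spanning the whole IPv4 space) are easy to catch in a template review before deployment. The following scanner is an added example, not code from the original page or from any vendor tool: it walks an ARM JSON template's resources array, including inline child resources, and reports both patterns. The sample template is constructed for the example; the 0.0.0.0 to 0.0.0.0 check reflects Azure's "Allow Azure services" rule, and the /16 width threshold is an assumption to tune to your own policy.

```python
import ipaddress
import json

# Constructed sample ARM template (not from the original page): a web app that
# enables public access under siteConfig, a nested config child that disables
# it, and a SQL server with three firewall rules of different widths.
SAMPLE_TEMPLATE = """
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Web/sites", "apiVersion": "2020-12-01", "name": "example-site",
     "properties": {"siteConfig": {"publicNetworkAccess": "Enabled"}},
     "resources": [
       {"type": "config", "apiVersion": "2020-12-01", "name": "web",
        "properties": {"publicNetworkAccess": "Disabled"}}
     ]},
    {"type": "Microsoft.Sql/servers", "apiVersion": "2014-04-01", "name": "example-database",
     "resources": [
       {"type": "firewallRules", "apiVersion": "2014-04-01", "name": "allow-everything",
        "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}},
       {"type": "firewallRules", "apiVersion": "2014-04-01", "name": "allow-azure-services",
        "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}},
       {"type": "firewallRules", "apiVersion": "2014-04-01", "name": "office-range",
        "properties": {"startIpAddress": "192.168.0.0", "endIpAddress": "192.168.255.255"}}
     ]}
  ]
}
"""

FULL_RANGE = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))
# Azure interprets a 0.0.0.0-0.0.0.0 rule as "Allow Azure services and resources
# to access this server": any Azure-hosted client, from any subscription.
AZURE_SERVICES_RULE = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("0.0.0.0"))
# Assumption for this example: a range wider than a /16 deserves review even
# when it is not the whole Internet. Tune to your own policy.
WIDE_RANGE_THRESHOLD = 65536


def _iter_resources(resources, parent_type=""):
    """Yield (full_type, resource) for each resource, recursing into inline children.

    Child resources use a short type such as 'firewallRules'; ARM resolves it
    against the parent's type, so we build 'Microsoft.Sql/servers/firewallRules'.
    """
    for res in resources or []:
        short_type = res.get("type", "")
        full_type = f"{parent_type}/{short_type}" if parent_type and "/" not in short_type else short_type
        yield full_type, res
        yield from _iter_resources(res.get("resources"), full_type)


def _public_network_enabled(props):
    """True if publicNetworkAccess (directly or under siteConfig) is 'Enabled'."""
    value = props.get("publicNetworkAccess")
    if value is None:
        value = (props.get("siteConfig") or {}).get("publicNetworkAccess")
    return isinstance(value, str) and value.lower() == "enabled"


def _firewall_rule_finding(props):
    """Describe an over-broad SQL firewall rule, or return None if the range looks acceptable."""
    try:
        start = ipaddress.IPv4Address(props.get("startIpAddress"))
        end = ipaddress.IPv4Address(props.get("endIpAddress"))
    except ValueError:  # missing, or an ARM expression such as "[parameters('ip')]"
        return "firewall rule IP range is missing or not a literal address; review manually"
    if end < start:
        return "firewall rule has an inverted IP range"
    if (start, end) == FULL_RANGE:
        return "firewall rule allows the entire IPv4 address space"
    if (start, end) == AZURE_SERVICES_RULE:
        return "firewall rule allows all Azure-hosted clients from any subscription"
    size = int(end) - int(start) + 1
    if size > WIDE_RANGE_THRESHOLD:
        return f"firewall rule allows {size} addresses ({start}-{end})"
    return None


def scan_template(template):
    """Return [(resource name, message)] findings for a parsed ARM template."""
    findings = []
    for full_type, res in _iter_resources(template.get("resources")):
        name = res.get("name", "<unnamed>")
        props = res.get("properties")
        if not isinstance(props, dict):  # absent, or an ARM expression
            props = {}
        if full_type.lower().endswith("/firewallrules"):
            message = _firewall_rule_finding(props)
            if message:
                findings.append((name, message))
        elif _public_network_enabled(props):
            findings.append((name, f"publicNetworkAccess is Enabled ({full_type})"))
    return findings


def scan_template_text(text):
    """Parse template JSON and scan it."""
    return scan_template(json.loads(text))


if __name__ == "__main__":
    for name, message in scan_template_text(SAMPLE_TEMPLATE):
        print(f"{name}: {message}")
```

Run against the sample, the scanner reports the site (Enabled under siteConfig), the full-range rule, and the Azure-services rule; the nested config child that says Disabled and the 192.168.0.0/16 rule produce nothing. Values that are ARM expressions rather than literal addresses are reported for manual review instead of being silently skipped, since that is exactly where a 0.0.0.0 default parameter tends to hide.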

Compliant Solution

Using publicNetworkAccess to control access to resources (Bicep, then ARM JSON under siteConfig, then on a nested config child resource):

resource exampleSite 'Microsoft.Web/sites@2020-12-01' = {
  name: 'example-site'
  properties: {
    publicNetworkAccess: 'Disabled'
  }
}
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2020-12-01",
      "name": "example-site",
      "properties": {
        "siteConfig": {
          "publicNetworkAccess": "Disabled"
        }
      }
    }
  ]
}
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2020-12-01",
      "name": "example-site",
      "resources": [
        {
          "type": "config",
          "apiVersion": "2020-12-01",
          "name": "web",
          "properties": {
            "publicNetworkAccess": "Disabled"
          }
        }
      ]
    }
  ]
}

Using IP address ranges to control access to resources: the rule is narrowed to a single trusted range. Replace 192.168.0.0 to 192.168.255.255 with the public address range your clients actually connect from, and prefer a private endpoint or virtual network rule over a public IP allowlist where the service supports it:

// The server the rule belongs to; assumed to exist already (a firewallRules
// resource must reference its parent server or it will not deploy).
resource exampleServer 'Microsoft.Sql/servers@2014-04-01' existing = {
  name: 'example-database'
}

resource exampleFirewall 'Microsoft.Sql/servers/firewallRules@2014-04-01' = {
  parent: exampleServer
  name: 'example-firewall'
  properties: {
    startIpAddress: '192.168.0.0'     // one trusted range only; substitute your clients' real range
    endIpAddress: '192.168.255.255'
  }
}
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Sql/servers/firewallRules",
      "apiVersion": "2014-04-01",
      "name": "example-firewall",
      "properties": {
        "startIpAddress": "192.168.0.0",
        "endIpAddress": "192.168.255.255"
      }
    }
  ]
}
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2014-04-01",
      "name": "example-database",
      "resources": [
        {
          "type": "firewallRules",
          "apiVersion": "2014-04-01",
          "name": "example-firewall",
          "properties": {
            "startIpAddress": "192.168.0.0",
            "endIpAddress": "192.168.255.255"
          }
        }
      ]
    }
  ]
}

See