Skip to content
Fetching contributors…
Cannot retrieve contributors at this time
57 lines (38 sloc) 3.27 KB

Azure Publicly Accessible SQL Managed Instances

What it does

This policy checks all Azure SQL Managed instances and reports on any that are publicly accessible. When such an instance is detected, the user can choose to disable public data endpoint or delete it. For deleting the user needs to enable 'delete action' option as mentioned in "To enable delete action" section below.


  • Azure Service Principal (AKA Azure Active Directory Application) with the appropriate permissions to manage resources in the target subscription
  • The following RightScale Credentials

To enable delete action

Perform below steps to enable delete action.

Required RightScale Roles

  • policy_designer
  • policy_manager
  • policy_publisher


  1. Follow steps to Create an Azure Active Directory Application
  2. Grant the Azure AD Application access to the necessary subscription(s)
  3. Retrieve the Application ID & Authentication Key
  4. Create RightScale Credentials with values that match the Application ID (Credential name: AZURE_APPLICATION_ID) & Authentication Key (Credential name: AZURE_APPLICATION_KEY)
  5. Retrieve your Tenant ID

Functional Details

When a publicly accessible Azure SQL Managed Instance is detected, an email action is triggered automatically to notify the specified users of the incident. Users then have multiple actions that they are able to take after approval:

  • delete - deletes the Azure SQL managed instance
  • Note: by default delete action has been disabled, the user can follow the steps mentioned in "To enable delete action" section above to enable delete action.
  • disable public data endpoint - modifies the configuration of virtual network of the particular SQL managed instance that allows public accessibility

Input Parameters

This policy has the following input parameters required when launching the policy.

  • Email addresses to notify - Email addresses of the recipients you wish to notify when new incidents are created
  • Exclusion Tag Key - Azure SQL Managed instance tag to ignore instance that are with public data endpoint enabled. Only supply the tag key. The policy assumes that the tag value is irrelevant.
  • Azure AD Tenant ID - the Azure AD Tenant ID used for the Azure API Authentication
  • Azure Subscription ID - the Azure Subscription ID used for the Azure API Authentication

Supported Clouds

  • Azure Resource Manager


This Policy Template does not incur any cloud costs.

You can’t perform that action at this time.