It is verbally stated in the video that access is constrained to "within your own subscription", but not stated in the written documentation above.
@rbeauchamp Thank you for reaching out and providing feedback.
At 7:33 during the video, it is said that “Allow Access to Azure services” restricts traffic to resources within the subscription - which is incorrect.
Setting the "Allow access to Azure services" button on the Portal (Firewall settings page) to ON shall allow traffic to/from resources (e.g. Azure VM) or PaaS services (e.g. Web App) hosted inside Azure - within same subscription or from another subscription.
@KalyanChanumolu-MSFT Thank you for your response and clarification.
Oh, wow. I wasn't clear on that, and I'm sure that many Azure tenants/customers are now misinformed because of the video. This poses a significant security risk because of the cross-tenant attack vector, and is especially important to clarify since we are discussing SQL Database, where mission-critical data can be stored.
Please add your statement to this documentation (and to documentation where this setting exists for other Azure resources) and please remove/update the video.
Setting the "Allow access to Azure services" button on the Portal (Firewall settings page) to ON shall allow traffic to/from resources (e.g. Azure VM) or PaaS services (e.g. Web App) hosted inside Azure - within same subscription and tenant or from another subscription and tenant.
@rbeauchamp yes we are working internally to get that added to the documentation.
@KalyanChanumolu-MSFT To be even more clear: setting "Allow access to Azure services" button on the Portal (Firewall settings page) to ON only allows traffic from within the same tenant, correct?
Or is that also "- within the same tenant or from another tenant"?
@rbeauchamp The setting doesn't limit access to Azure resources within the tenant.
It is open to resources from other tenants as well.
This is being assigned to the content author to evaluate and update as appropriate.
We have received this feedback around the video earlier as well and hence docs have been updated with the following text:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-networkaccess-overview#allow-azure-services
When set to ON, Azure SQL Server allows communications from all resources inside the Azure boundary, that may or may not be part of your subscription.
In many cases, the ON setting is more permissive than what most customers want. They may want to set this setting to OFF and replace it with more restrictive IP firewall rules or Virtual Network firewall rules. Doing so affects the following features:
Closing this as the issue has been answered.
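An added example, not part of this thread or of Microsoft's documentation: a small audit that flags the setting discussed above in an exported list of server firewall rules. The ON setting is stored as a server-level rule whose start and end address are both 0.0.0.0; the sample rules, the `WIDE_RANGE_THRESHOLD` policy value and the function names are constructed for illustration, and the input is assumed to have the shape of `az sql server firewall-rule list -o json`.

```python
import ipaddress
import json

# Constructed sample, shaped like `az sql server firewall-rule list -o json`.
SAMPLE_RULES = json.loads("""
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "temp-debug", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "vendor-range", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.103.255"}
]
""")

WIDE_RANGE_THRESHOLD = 256  # hypothetical policy limit: addresses allowed per rule


def classify_rule(rule, wide_threshold=WIDE_RANGE_THRESHOLD):
    """Return a verdict for one firewall rule dict."""
    start = int(ipaddress.IPv4Address(rule["startIpAddress"]))
    end = int(ipaddress.IPv4Address(rule["endIpAddress"]))
    if end < start:
        return "invalid-range"
    if start == 0 and end == 0:
        # The "Allow access to Azure services" toggle: admits traffic from
        # any Azure resource, in any subscription or tenant.
        return "allow-azure-services"
    size = end - start + 1
    if size == 2 ** 32:
        return "any-ipv4"  # the whole IPv4 internet
    if size > wide_threshold:
        return "wide-range"
    return "ok"


def audit(rules, wide_threshold=WIDE_RANGE_THRESHOLD):
    """Return (rule name, verdict) for every rule that is not 'ok'."""
    findings = []
    for rule in rules:
        verdict = classify_rule(rule, wide_threshold)
        if verdict != "ok":
            findings.append((rule["name"], verdict))
    return findings


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RULES):
        print(f"{verdict:22} {name}")
```

The check matches on the address pair rather than the rule name, since a rule with the same addresses behaves the same regardless of what it is called.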