Can somebody hack the Azure SQL database from other Azure subscription ?

František Langer 1 Reputation point
2020-06-24T07:00:35.78+00:00

Hello everyone,

I have a question about settings of our Azure SQL database.

We are using default settings.
Allow Azure Services and resources to access this server = YES
And we also have defined some IP addresses, which can connect to the database.

My question is, if we have allow azure services and resources to access this server = yes; if there is possibility, that someone who stole/hack password login to SQL database, should access to this database via some Azure vPC, or Azure APP.

For standard users (onprem machines), there are IP ranges, but if somebody try to connect via some Azure service from another subcription, is it possible to connect, or he cant connect, because isnt defined in IP adress range, and only services from same subscription could connect to this SQL.

There are 3 potential situations:
app/vPC from same subscription - is it possible to hack SQL ?
app/vPC from another subscription, but same tenant - is it possible to hack SQL ?
app/vPC from another subscription and another tenant - is it possible to hack SQL ?

Thank you for clarify it.

Azure SQL Database
Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
599 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ronen Ariely 15,101 Reputation points
    2020-06-24T18:51:27.533+00:00

    Good day František Langer - @frantieklanger-2623

    The short answer is: Yes

    If you set "Allow Azure Services and resources to access this server" to ON, then anyone from Azure, including connections from the subscriptions of other customers can connect the server (assuming they have the login information).

    This is well documented here:

    https://video2.skills-academy.com/en-us/azure/azure-sql/database/firewall-configure#connections-from-inside-azure

    0 comments