Enforce encrypted PostgreSQL connections

March 21, 2025 ยท View on GitHub

SYNOPSIS

Enforce encrypted PostgreSQL connections.

DESCRIPTION

Azure Database for PostgreSQL is configured to only accept encrypted connections by default. When the setting enforce SSL connections is disabled, encrypted and unencrypted connections are permitted. This does not indicate that unencrypted connections are being used.

Unencrypted communication to PostgreSQL server instances could allow disclosure of information to an untrusted party.

RECOMMENDATION

Azure Database for PostgreSQL should be configured to only accept encrypted connections. Unless explicitly required, consider enabling enforce SSL connections.

Also consider using Azure Policy to audit or enforce this configuration.

EXAMPLES

Configure with Azure template

To deploy servers that pass this rule:

  • Set the properties.sslEnforcement property to Enabled.

For example:

{
  "type": "Microsoft.DBforPostgreSQL/servers",
  "apiVersion": "2017-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "createMode": "Default",
    "administratorLogin": "[parameters('localAdministrator')]",
    "administratorLoginPassword": "[parameters('localAdministratorPassword')]",
    "minimalTlsVersion": "TLS1_2",
    "sslEnforcement": "Enabled",
    "publicNetworkAccess": "Disabled",
    "version": "11"
  }
}

Configure with Bicep

To deploy servers that pass this rule:

  • Set the properties.sslEnforcement property to Enabled.

For example:

resource single 'Microsoft.DBforPostgreSQL/servers@2017-12-01' = {
  name: name
  location: location
  properties: {
    createMode: 'Default'
    administratorLogin: localAdministrator
    administratorLoginPassword: localAdministratorPassword
    minimalTlsVersion: 'TLS1_2'
    sslEnforcement: 'Enabled'
    publicNetworkAccess: 'Disabled'
    version: '11'
  }
}

NOTES

This rule is not applicable to PostgreSQL using the flexible server model.