Skip to main content

More Info:

Ensure that “connection_throttling” server parameter is enabled for all PostgreSQL database servers provisioned within your Microsoft Azure cloud account. The “connection_throttling” parameter enables temporary connection throttling per IP address for too many invalid login failures.

Risk Level

Medium

Address

Security

Compliance Standards

CISAZURE, CBP, SOC2, NISTCSF, PCIDSS

Triage and Remediation

  • Remediation

Remediation

Using Console

To enable “CONNECTION_THROTTLING” parameter for PostgreSQL Servers in Azure using Azure Console, please follow the below steps:Step 1: Login to the Azure Portal (https://portal.azure.com/).Step 2: Navigate to the Azure Database for PostgreSQL Server that you want to configure.Step 3: Click on the “Settings” option in the left-hand menu.Step 4: Under the “Settings” menu, click on the “Configuration” option.Step 5: In the “Configuration” menu, click on the “Add parameter” button.Step 6: In the “Add parameter” window, enter “CONNECTION_THROTTLING” in the “Parameter name” field.Step 7: In the “Value” field, enter the desired value for the parameter. For example, “1” to enable the parameter.Step 8: Click on the “OK” button to save the parameter.Step 9: Restart the PostgreSQL server for the changes to take effect.After following these steps, “CONNECTION_THROTTLING” parameter will be enabled for the PostgreSQL server in Azure.

To enable “CONNECTION_THROTTLING” parameter for PostgreSQL Servers on Azure using Azure CLI, follow these steps:
  1. Open the Azure CLI on your local machine or use the Azure Cloud Shell.
  2. Login to your Azure account using the command: az login.
  3. Select the subscription in which your PostgreSQL server is present using the command: az account set --subscription <subscription_id>.
  4. Get the resource ID of the PostgreSQL server by running the following command: az postgres server show --resource-group <resource_group_name> --name <server_name> --query id --output tsv.
  5. Set the “CONNECTION_THROTTLING” parameter to “on” using the command: az postgres server configuration set --resource-group <resource_group_name> --server-name <server_name> --name "connection_throttling" --value "on".
  6. Verify that the parameter has been set to “on” by running the command: az postgres server configuration show --resource-group <resource_group_name> --server-name <server_name> --name "connection_throttling".
Note: Replace <subscription_id>, <resource_group_name>, and <server_name> with your actual values.
To remediate the misconfiguration “Enable CONNECTION_THROTTLING Parameter for PostgreSQL Servers” in Azure using Python, you can follow the below steps:
  1. Import the required modules:
from azure.identity import DefaultAzureCredential
from azure.mgmt.postgresql import PostgreSQLManagementClient
from azure.mgmt.postgresql.models import Configuration, ConfigurationValue
  1. Authenticate to Azure using DefaultAzureCredential:
credential = DefaultAzureCredential()
  1. Create a PostgreSQLManagementClient object:
subscription_id = '<subscription_id>'
resource_group_name = '<resource_group_name>'
server_name = '<server_name>'

client = PostgreSQLManagementClient(credential, subscription_id)
  1. Get the current configuration of the PostgreSQL server:
current_configuration = client.configurations.list_by_server(resource_group_name, server_name)
  1. Check if the “CONNECTION_THROTTLING” parameter is already enabled:
is_connection_throttling_enabled = False

for configuration in current_configuration:
    if configuration.name == "CONNECTION_THROTTLING":
        is_connection_throttling_enabled = True
        break
  1. If the “CONNECTION_THROTTLING” parameter is not enabled, set it to “ON” and update the configuration:
if not is_connection_throttling_enabled:
    new_configuration = Configuration(name="CONNECTION_THROTTLING",
                                       value=ConfigurationValue(default_value="on",
                                                                source="system-default"))
    client.configurations.create_or_update(resource_group_name, server_name, "CONNECTION_THROTTLING", new_configuration)
  1. Verify that the parameter has been enabled by checking the updated configuration:
updated_configuration = client.configurations.list_by_server(resource_group_name, server_name)

for configuration in updated_configuration:
    if configuration.name == "CONNECTION_THROTTLING":
        print("CONNECTION_THROTTLING parameter is now enabled")
With these steps, you should be able to remediate the misconfiguration “Enable CONNECTION_THROTTLING Parameter for PostgreSQL Servers” in Azure using Python.
I