An Azure managed PostgreSQL database service for app development and deployment.
Microsoft Defender for Cloud for Azure Database for PostgreSQL detects and alerts on brute force patterns, including those originating from Microsoft-owned IP ranges.
When repeated failed logins or credential guessing attempts are detected against Azure Database for PostgreSQL, Defender raises alerts such as:
- Suspected brute force attack
- Suspected brute force attack using a valid user
- Suspected successful brute force attack
These alerts can appear even if the source IP is a Microsoft/Azure address (including IPv6) because Defender analyzes behavior, not ownership of the IP. A Microsoft or Azure IP can still be the origin of:
- Legitimate but misconfigured or noisy clients (for example, an app or service repeatedly retrying with bad credentials), or
- Malicious/unauthorized traffic traversing Azure infrastructure.
Recommended actions based on the provided context:

- Review the Defender alert details
  - In the Azure portal, open Microsoft Defender for Cloud → Security alerts and locate the PostgreSQL brute force alert.
  - Open the specific alert to see details such as database name, server name, application name, event time, and recommended actions.
- Verify whether the traffic is expected
  - Check whether any Azure services, applications, or automation in the environment use that IPv6 address or subnet to connect to the PostgreSQL server.
  - If the source is a known application, review its connection string and credentials to ensure they are correct and not causing repeated failed logins.
- Harden network access
  - Configure network controls so only required clients can reach the PostgreSQL server:
    - Use private endpoints for Azure Database for PostgreSQL so traffic does not traverse the public internet.
    - Disable broad rules such as “Allow access to Azure services”, which accepts connections from any Azure subscription.
- Enforce secure connections
  - Ensure require_secure_transport is set to on so all connections use SSL/TLS, reducing the risk of credential interception.
- Enable logging and threat detection best practices
  - Enable diagnostic logging and audit logging (for example, via pgaudit) to capture detailed login attempts and correlate them with Defender alerts.
  - Use Microsoft Defender for Open-Source Relational Databases to continue receiving advanced threat protection and recommendations.
- Respond to alerts systematically
  - Use the Defender for Cloud security alerts page to monitor all active threats.
  - Follow the recommended actions in each alert to investigate and mitigate, and, if needed, continue investigations with tools like Microsoft Sentinel.
If the IPv6 address is not recognized as part of the environment and continues to generate brute force alerts, tighten firewall rules and network access so only explicitly allowed IPs or private endpoints can connect.
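As an added illustration of correlating the server's own logs with a Defender brute force alert (example code, not part of the original answer or of any Microsoft tooling): the script below parses constructed PostgreSQL log lines, assumes the server was configured with an explicit log_line_prefix that records the user and client address, and flags any client that accumulates several failed password authentications within a short window, noting whether a successful login from the same client followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data); assumes log_line_prefix = '%t [%p]: user=%u,db=%d,client=%h '
SAMPLE_LOG = """\
2024-05-01 12:00:01 UTC [1001]: user=appuser,db=appdb,client=2603:1030:1:2::10 FATAL:  password authentication failed for user "appuser"
2024-05-01 12:00:02 UTC [1002]: user=appuser,db=appdb,client=2603:1030:1:2::10 FATAL:  password authentication failed for user "appuser"
2024-05-01 12:00:04 UTC [1003]: user=appuser,db=appdb,client=2603:1030:1:2::10 FATAL:  password authentication failed for user "appuser"
2024-05-01 12:00:07 UTC [1004]: user=appuser,db=appdb,client=2603:1030:1:2::10 FATAL:  password authentication failed for user "appuser"
2024-05-01 12:00:12 UTC [1005]: user=appuser,db=appdb,client=2603:1030:1:2::10 LOG:  connection authorized: user=appuser database=appdb
2024-05-01 12:03:30 UTC [1006]: user=reporter,db=appdb,client=10.0.0.5 FATAL:  password authentication failed for user "reporter"
2024-05-01 12:03:35 UTC [1007]: user=reporter,db=appdb,client=10.0.0.5 LOG:  connection authorized: user=reporter database=appdb
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC \[\d+\]: "
    r"user=(?P<user>[^,]*),db=[^,]*,client=(?P<client>\S+) (?P<level>\w+):\s+(?P<msg>.*)$"
)

def parse_auth_events(log_text):
    """Return (timestamp, client, user, outcome) for each login failure or success line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the expected prefix format
        msg = m["msg"]
        outcome = ("fail" if "password authentication failed" in msg
                   else "success" if msg.startswith("connection authorized") else None)
        if outcome is None:
            continue  # other LOG lines (checkpoints, statements, ...) are not auth events
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["client"], m["user"], outcome))
    return events

def find_brute_force(events, threshold=4, window=timedelta(minutes=5)):
    """Flag clients with >= threshold failures inside any window; note if a success followed the burst."""
    by_client = defaultdict(list)
    for ev in sorted(events):
        by_client[ev[1]].append(ev)
    findings = {}
    for client, evs in by_client.items():
        fails = [e for e in evs if e[3] == "fail"]
        for i in range(len(fails)):  # slide the window start over each failure
            burst = [f for f in fails[i:] if f[0] - fails[i][0] <= window]
            if len(burst) >= threshold:
                findings[client] = {"failures": len(burst), "users": sorted({f[2] for f in burst}),
                                    "success_after_burst": any(e[3] == "success" and e[0] > burst[-1][0] for e in evs)}
                break  # one finding per client is enough; the Defender alert itself carries the detail
    return findings
```

A single failure followed by a success (the 10.0.0.5 client here) is the noisy-but-legitimate pattern from the answer above and is not flagged; a burst followed by a success is the case to escalate.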