
Commit 38403b7

Merge pull request #2743 from CESANU/docs-editor/release-notes-recommendations-1776330107
Update release-notes-recommendations-alerts.md
2 parents 9f297c8 + b93d502 commit 38403b7

2 files changed

Lines changed: 26 additions & 1 deletion

articles/defender-for-cloud/recommendations-reference-data.md

Lines changed: 24 additions & 0 deletions
@@ -1947,6 +1947,30 @@ __How could attackers exploit it or how could it lead to data breaches?__ An att
19471947

19481948
**Severity**: High
19491949

1950+
### Private endpoint should be configured for Azure Database for PostgreSQL Servers
1951+
1952+
**Description**:
1953+
1954+
__What is a private endpoint?__ A private endpoint in Azure allows resources to be accessed securely over a private IP address within a virtual network. For Azure Database for PostgreSQL servers, configuring a private endpoint ensures that database traffic does not traverse the public internet.
1955+
1956+
__Why is it a security concern?__ Without a private endpoint, the server may be exposed to public network access, increasing the risk of unauthorized access, data interception, and denial-of-service attacks.
1957+
1958+
__How could attackers exploit it or how could it lead to data breaches?__ An attacker could scan public IP ranges to discover exposed servers and attempt brute-force or exploit-based attacks. Public exposure also increases the risk of data exfiltration via compromised clients.
1959+
1960+
**Severity**: High
1961+
1962+
### 'Allow access to Azure services' should be disabled for PostgreSQL Servers
1963+
1964+
**Description**:
1965+
1966+
__What is 'Allow access to Azure services'?__ This setting creates a firewall rule that permits all Azure services to connect to the PostgreSQL server. While convenient, it introduces significant risk by allowing connections from any Azure subscription.
1967+
1968+
__Why is it a security concern?__ Enabling this setting bypasses network isolation controls, potentially exposing the database to unauthorized access from external Azure tenants.
1969+
1970+
__How could attackers exploit it or how could it lead to data breaches?__ An attacker operating from another Azure subscription could attempt brute-force attacks or exploit vulnerabilities if this rule is enabled.
1971+
1972+
**Severity**: High
1973+
19501974
## Related content
19511975

19521976
- [Learn about security recommendations](security-policy-concept.md)
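
Review bot: In the added "What is a private endpoint?" paragraph, "configuring a private endpoint ensures that database traffic does not traverse the public internet" is stated as an absolute, while the very next paragraph frames the risk as the server being "exposed to public network access". The text never says whether public network access also has to be turned off once a private endpoint exists; suggest softening "ensures" and stating that expectation explicitly so the recommendation is not read as satisfied by the endpoint alone. In the second added section the scope wording shifts between "any Azure subscription", "external Azure tenants" and "another Azure subscription"; pick one term and use it in all three paragraphs. Neither new heading mentions Flexible Server, although the release-notes row in this same commit scopes both recommendations to it.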

articles/defender-for-cloud/release-notes-recommendations-alerts.md

Lines changed: 2 additions & 1 deletion
@@ -48,7 +48,8 @@ New and updated recommendations, alerts, and incidents are added to the table in
4848

4949
| **Date announced** | **Type** | **State** | **Name** |
5050
| ------------ | -------------- | -------------------- | ------------------------------------------------------------ |
51-
| March 30, 2026 | Alert | Preview | The following alert is now in Preview: <br> * Malicious content detected in uploaded AI model |
51+
| April 14, 2026 | Recommendation | Preview | The following recommendations are now available in preview for Azure Database for PostgreSQL Flexible Servers as part of Defender CSPM:<br/>* Private endpoint should be configured for Azure Database for PostgreSQL Servers <br/>* 'Allow access to Azure services' should be disabled for PostgreSQL Servers |
52+
| March 30, 2026 | Alert | Preview | The following alert is now in Preview: <br> * Malicious content detected in uploaded AI model |
5253
| March 29, 2026 | Recommendation | Preview | The following recommendations are now available in preview for Azure Database for PostgreSQL Flexible Servers as part of Defender CSPM:<br/>* Geo-redundant backups should be enabled for PostgreSQL Servers <br/>* require_secure_transport should be set to "on" for Azure Database for PostgreSQL Servers |
5354
| March 29, 2026 | Recommendation | Deprecation | Following the announcement from December 3, 2025, The recommendation `Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers` for Defender for SQL Servers on Machines plan, is now deprecated. |
5455
| March 04, 2026 | Recommendation | Upcoming deprecation | The following grouped container vulnerability recommendations are set for deprecation on April 13, 2026:<br/>**Container recommendations:**<br/>\* [Preview] Containers running in Azure should have vulnerability findings resolved<br/>\* [Preview] Containers running in AWS should have vulnerability findings resolved<br/>\* [Preview] Containers running in GCP should have vulnerability findings resolved<br/>**Container image recommendations:**<br/>\* [Preview] Container images in Azure registry should have vulnerability findings resolved<br/>\* [Preview] Container images in AWS registry should have vulnerability findings resolved<br/>\* [Preview] Container images in GCP registry should have vulnerability findings resolved<br/><br/>These grouped recommendations are being replaced by individual recommendations that provide more granular visibility, better prioritization, and improved governance. Learn more in [Deprecation of preview of container and container images vulnerability recommendations](release-notes.md#deprecation-of-preview-of-container-and-container-images-vulnerability-recommendations). |
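
Review bot: The March 30, 2026 row is shown as removed (old line 51) and re-added (new line 52) with no visible difference in its text, which points to an unintended whitespace or line-ending change on that row; reverting it would reduce this hunk to the single new April 14 row. In that new row, the sentence scopes the recommendations to "Azure Database for PostgreSQL Flexible Servers" while the two recommendation names say only "PostgreSQL Servers", so a reader cannot tell from the names alone which server type is assessed. Consider linking each name to the section added in recommendations-reference-data.md so the row and the reference entry stay in sync.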
