@s4parke
Last active July 27, 2022 15:31
When Azure SQL is provisioned, IP firewall rules shall be created to allow a whitelist of approved NAT IP addresses and deny all other traffic.
{
"properties": {
"displayName": "SQL Firewall rules shall contain approved IP addresses",
"policyType": "Custom",
"mode": "All",
"description": "When Azure SQL is provisioned, IP firewall rules shall be created to allow a whitelist of approved NAT IP addresses and deny all other traffic.",
"metadata": {
"displayName": "Policy Effect",
"description": "The Policy Effect associated with this Policy Definition"
},
"parameters": {
"allowedStartIpAddresses": {
"type": "Array",
"metadata": {
"displayName": "Start IP Addresses Allowed",
"description": "Array of approved starting IP addresses"
}
},
"allowedEndIpAddresses": {
"type": "Array",
"metadata": {
"displayName": "End IP Addresses Allowed",
"description": "Array of approved ending IP addresses"
}
},
"Effect": {
"type": "String",
"metadata": {
"displayName": "Policy Effect",
"description": "The Policy Effect associated with this Policy Definition"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/servers/firewallRules"
},
{
"anyOf": [
{
"field": "Microsoft.Sql/servers/firewallRules/startIpAddress",
"notin": "[parameters('allowedStartIpAddresses')]"
},
{
"field": "Microsoft.Sql/servers/firewallRules/endIpAddress",
"notin": "[parameters('allowedEndIpAddresses')]"
}
]
}
]
},
"then": {
"effect": "[parameters('Effect')]"
}
}
},
"id": "/providers/Microsoft.Management/managementGroups/xyz/providers/Microsoft.Authorization/policyDefinitions/5faee333-a851-4566-b0b4-b5756821dadd",
"type": "Microsoft.Authorization/policyDefinitions"
}
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"equals": "Microsoft.Sql/servers/firewallRules",
"field": "type"
}
]
},
"then": {
"details": {
"type": "Microsoft.Sql/servers/firewallRules",
"existenceCondition": {
"count": {
"field": "Microsoft.Sql/servers/firewallRules",
"where": {
"allOf": [
{
"field": "Microsoft.Sql/servers/firewallRules/startIpAddress",
"in": "[parameters('allowedStartIpAddresses')]"
},
{
"field": "Microsoft.Sql/servers/firewallRules/endIpAddress",
"in": "[parameters('allowedEndIpAddresses')]"
}
]
}
},
"greater": 0
}
},
"effect": "[parameters('effect')]"
}
},
"parameters": {
"allowedStartIpAddresses": {
"type": "Array",
"metadata": {
"displayName": "Start IP Addresses Allowed",
"description": "Array of approved starting IP addresses"
}
},
"allowedEndIpAddresses": {
"type": "Array",
"metadata": {
"displayName": "End IP Addresses Allowed",
"description": "Array of approved ending IP addresses"
}
},
"Effect": {
"type": "String",
"metadata": {
"displayName": "Policy Effect",
"description": "The Policy Effect associated with this Policy Definition"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
}
}
}