Securing MySQL

Although many steps are automated for us, this doesn't mean MySQL is production-ready. For instance, the network settings for the MySQL server have the following AllowAll 0.0.0.0 rule entry in Connection security:

This rule allows a connection to the database from any IP address. As you may have already guessed, this is a serious security hole and is the cause of many data breaches. The good news is that this rule is not required when using AKS. You can add the AKS VNet to the VNET Rules section and delete the AllowAll 0.0.0.0 rule, as shown in the following screenshot:

We can reduce the attack surface tremendously by performing this simple change.
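
A check that can be run before and after this change, as an added example rather than code from the book: it reads firewall rules in the JSON shape that `az mysql server firewall-rule list` prints and grades how wide each rule is. The sample rules, the 256-address threshold, and the assumption that AllowAll spans 0.0.0.0 to 255.255.255.255 are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape printed by `az mysql server firewall-rule list -o json`
# (rule names and addresses are made up for this example).
SAMPLE_RULES = json.loads("""
[
  {"name": "AllowAll", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office-nat", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "vendor-range", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.103.255"}
]
""")

MAX_ADDRESSES = 256  # assumed policy threshold: anything wider than a /24 needs review


def classify(rule, max_addresses=MAX_ADDRESSES):
    """Return (severity, reason) for one firewall rule."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if end < start:
        return "error", "end address precedes start address"
    if int(start) == 0 and int(end) == 0:
        # Azure treats 0.0.0.0-0.0.0.0 as "allow access from Azure services"
        return "high", "admits any Azure-hosted source, including other tenants"
    size = int(end) - int(start) + 1
    if int(start) == 0 and int(end) == 2**32 - 1:
        return "critical", "admits every IPv4 address"
    if size > max_addresses:
        return "medium", f"admits {size} addresses (limit {max_addresses})"
    return "ok", f"admits {size} address(es)"


def audit(rules):
    """Map each rule name to its (severity, reason) pair."""
    return {r["name"]: classify(r) for r in rules}


def rules_to_delete(rules):
    """Names of rules to remove once the AKS VNet rule is in place."""
    return sorted(n for n, (sev, _) in audit(rules).items() if sev in ("critical", "high"))


if __name__ == "__main__":
    for name, (sev, reason) in audit(SAMPLE_RULES).items():
        print(f"{sev:8} {name:26} {reason}")
```

After the VNet rule is added and the AllowAll rule deleted, `rules_to_delete` should return an empty list for the server's exported rules.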
