Ensure that Microsoft Azure Cosmos DB accounts are configured to use IP firewall rules in order to limit access to trusted networks and/or IP addresses only.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Network access to your Azure Cosmos DB accounts should be granted only to specific Azure virtual networks, to other Azure services or sources within Microsoft Azure, or to trusted IP addresses/IP address ranges, using firewall rules. Once the IP firewall rules are properly configured, only clients and applications from the allowed networks and/or IP addresses can reach your Azure Cosmos DB account resources; requests from any other source are rejected by the IP firewall.
Audit
To determine if IP firewall rules are configured for your Azure Cosmos DB accounts, perform the following operations:
Remediation / Resolution
To implement an IP access control policy and restrict your Azure Cosmos DB account network access to trusted IP addresses only, perform the following operations:
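The audit and remediation steps above both rely on the Azure CLI commands listed in the references (`az cosmosdb list`, `az cosmosdb show`, `az cosmosdb update`). The following script is an added example, not part of the Conformity rule page or Microsoft's tooling: it evaluates the JSON that `az cosmosdb show`/`az cosmosdb list` return and builds the `az cosmosdb update --ip-range-filter` command that sets the allowed list. The compliance logic (an account passes only when at least one IP rule is present) is my reading of the rule text, and the two embedded account objects are constructed samples trimmed to the fields the check needs. When the `az` CLI is installed and logged in, the script audits every account in the current subscription; otherwise it runs against the samples.

```python
"""Audit and remediate Azure Cosmos DB IP firewall rules via the Azure CLI."""
import json
import shutil
import subprocess
from typing import Any, Dict, List

# Constructed samples: the shape of `az cosmosdb show` output, trimmed to the
# properties this check uses (real output carries many more fields).
SAMPLE_OPEN_ACCOUNT = {
    "name": "cosmos-open-example",
    "resourceGroup": "rg-example",
    "ipRules": [],                          # no IP firewall rules at all
    "isVirtualNetworkFilterEnabled": False,
    "publicNetworkAccess": "Enabled",
}

SAMPLE_RESTRICTED_ACCOUNT = {
    "name": "cosmos-restricted-example",
    "resourceGroup": "rg-example",
    "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"},
                {"ipAddressOrRange": "198.51.100.7"}],
    "isVirtualNetworkFilterEnabled": False,
    "publicNetworkAccess": "Enabled",
}


def allowed_ips(account: Dict[str, Any]) -> List[str]:
    """Return the IP addresses/CIDR ranges the account firewall allows.

    Newer API versions expose `ipRules` (a list of objects); older ones expose
    `ipRangeFilter` (a comma-separated string). Both forms are read.
    """
    rules = account.get("ipRules") or []
    ips = [r["ipAddressOrRange"] for r in rules if r.get("ipAddressOrRange")]
    legacy = account.get("ipRangeFilter") or ""
    ips += [ip.strip() for ip in legacy.split(",") if ip.strip()]
    return ips


def audit_account(account: Dict[str, Any]) -> Dict[str, Any]:
    """Evaluate one account: compliant only when at least one IP rule exists."""
    ips = allowed_ips(account)
    return {
        "name": account.get("name"),
        "resource_group": account.get("resourceGroup"),
        "compliant": len(ips) > 0,
        "allowed_ips": ips,
        # Reported for context; a VNet filter alone does not satisfy this rule.
        "vnet_filter_enabled": bool(account.get("isVirtualNetworkFilterEnabled")),
        "public_network_access": account.get("publicNetworkAccess"),
    }


def audit_command(name: str, resource_group: str) -> List[str]:
    """Azure CLI command that returns one account's properties as JSON."""
    return ["az", "cosmosdb", "show", "--name", name,
            "--resource-group", resource_group, "--output", "json"]


def remediation_command(name: str, resource_group: str, ips: List[str]) -> List[str]:
    """Azure CLI command that sets the allowed IP list.

    `--ip-range-filter` replaces the whole list, so pass every address that
    must stay allowed, not just the new ones.
    """
    if not ips:
        raise ValueError("refusing to build an update with an empty IP list")
    return ["az", "cosmosdb", "update", "--name", name,
            "--resource-group", resource_group, "--ip-range-filter", ",".join(ips)]


def audit_subscription() -> List[Dict[str, Any]]:
    """Audit every Cosmos DB account in the current subscription (needs `az login`)."""
    raw = subprocess.run(["az", "cosmosdb", "list", "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return [audit_account(acct) for acct in json.loads(raw)]


if __name__ == "__main__":
    if shutil.which("az"):
        results = audit_subscription()
    else:
        results = [audit_account(SAMPLE_OPEN_ACCOUNT),
                   audit_account(SAMPLE_RESTRICTED_ACCOUNT)]
    for r in results:
        status = "OK  " if r["compliant"] else "FAIL"
        print(f"{status} {r['name']} allowed_ips={r['allowed_ips']} "
              f"vnet_filter={r['vnet_filter_enabled']}")
        if not r["compliant"]:
            # Placeholder range: replace with the networks that really need access.
            cmd = remediation_command(r["name"], r["resource_group"], ["203.0.113.0/24"])
            print("     remediate with:", " ".join(cmd))
```

Before applying the generated `az cosmosdb update` command, confirm the list contains every client network that legitimately needs access (application subnets, CI runners, administrators' egress addresses); an incomplete list locks those clients out immediately, and an overly broad range such as 0.0.0.0/0 leaves the account as exposed as having no rules at all.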
References
- Azure Official Documentation
- Configure IP firewall in Azure Cosmos DB
- Configure access to Azure Cosmos DB from virtual networks (VNet)
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az cosmosdb list
- az cosmosdb show
- az cosmosdb update