Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Define Firewall Rules for Azure Cosmos DB Accounts

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CosmosDB-005

Ensure that Microsoft Azure Cosmos DB accounts are configured to use IP firewall rules in order to limit access to trusted networks and/or IP addresses only.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

The network access to your Azure Cosmos DB accounts should be granted to specific Azure virtual networks, to other Azure services or sources within Microsoft Azure, or to trusted IP addresses/IP address ranges using firewall rules. Once the IP firewall rules are properly configured, only clients and applications from allowed networks and/or IPs can access your Azure Cosmos DB account resources. IP firewall rules should prevent traffic from unauthorized sources.

Audit

To determine if IP firewall rules are configured for your Azure Cosmos DB accounts, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cosmos DB account for Value, then choose Apply to list the Azure Cosmos DB accounts available in the selected subscription.

05 Click on the name (link) of the Azure Cosmos DB account that you want to examine.

06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected DB account.

07 Select the Public access tab and check the Public network access setting to determine the level of network access configured for the selected resource. If Public network access is set to All networks, all networks, including the public Internet, can access the selected Azure Cosmos DB account and the Audit process end here. If Public network access is set to Disabled, no public traffic will be able to access the selected resource and the Audit process end here. If Public network access is set to Selected networks, continue the Audit process with the next step.

08 In the Firewall section, check for any IP firewall rules configured for your Cosmos DB account, listed under IPs (Single IPv4 or CIDR range). If no IP firewall rules are listed under IPs (Single IPv4 or CIDR range), there is no IP access control policy defined for the selected Azure Cosmos DB account. As a result, the Cosmos DB account network access configuration is not compliant.

09 Repeat steps no. 5 – 8 for each Azure Cosmos DB account available in the selected subscription.

10 Repeat steps no. 3 – 9 for each Azure subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cosmosdb list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure Cosmos DB account available in the selected subscription: 

az cosmosdb list
	--query '[*].id'

05 The command output should return the requested Azure Cosmos DB account IDs: 

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmos-prod-dba-account"
]

06 Run cosmosdb show command (Windows/macOS/Linux) with the name of the Azure Cosmos DB account that you want to examine as the identifier parameter and custom output filters to describe the IP firewall rules configured for the selected DB account: 

az cosmosdb show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database"
	--query '{"ipRules":ipRules}'

07 The command output should return the requested IP firewall rules: 

{
	"ipRules": []
}

If the cosmosdb show command output returns one or more IP rules containing the Azure Portal middleware IP addresses listed in this section, there are no IP firewall rules defined for your Azure Cosmos DB account. If the command output returns null or [] for the "ipRules" configuration attribute, there is no IP access control policy defined for the selected Azure Cosmos DB account. As a result, the Cosmos DB account network access configuration is not compliant.

08 Repeat steps no. 6 and 7 for each Azure Cosmos DB account available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To implement an IP access control policy and restrict your Azure Cosmos DB account network access to trusted IP addresses only, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cosmos DB account for Value, then choose Apply to list the Azure Cosmos DB accounts available in the selected subscription.

05 Click on the name (link) of the Azure Cosmos DB account that you want to configure.

06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected DB account.

07 Select the Public access tab and perform the following actions:

  1. Ensure that Public network access is set to Selected networks
  2. For Firewall, use the IPs (Single IPv4 or CIDR range) configuration box to add IPv4 addresses or IPv4 address ranges in order to allow trusted access from the Internet or from your on-premises networks.
  3. (Optional) To add your current public IPv4 address, choose + Add your current IP (\).
  4. (Optional) To allow access from within public Microsoft Azure datacenters only, choose + Accept connections from within public Azure datacenters. This will allow other Azure services or sources within Microsoft Azure to access your Cosmos DB account.
  5. (Optional) If the Azure Portal middleware IP addresses are not listed in the Firewall section, choose + Add Azure Portal Middleware IPs to add the required IP addresses to your firewall rules. This will allow network access from the Azure portal.
  6. Choose Save to apply the configuration changes.

08 Repeat steps no. 5 – 7 for each Azure Cosmos DB account that you want to configure, available in the selected subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 To allow network access from trusted IP addresses/IP address ranges only, run cosmosdb update command (Windows/macOS/Linux) to add a new firewall rule to your Cosmos DB account network configuration. As an example, the following configuration grants access to a trusted on-premises network identified by the IPv4 range 10.20.30.0/24: 

az cosmosdb update
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database"
	--ip-range-filter 10.20.30.0/24
	--query 'ipRules'

05 The command output should return the list of IP addresses/IP ranges allowed to access the selected Cosmos DB account: 

[
	{
		"ipAddressOrRange": "10.20.30.0/24"
	}
]

06 Repeat steps no. 4 and 5 for each Azure Cosmos DB account that you want to configure, available within the selected subscription.

07 Repeat steps no. 3 – 6 for each Azure subscription created within your Microsoft Azure cloud account.

References

Publication date May 28, 2025

Related CosmosDB rules