Ensure that your Microsoft Azure Cosmos DB accounts are configured to deny access to traffic from all networks, including the public Internet. By restricting the public access to your Azure Cosmos accounts, you add an additional layer of security to the account resources, as the default action is to accept requests from any source. To limit access to trusted networks and/or IP addresses only, you must update the firewall and the virtual network configuration for your Cosmos DB accounts.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
The access to your Azure Cosmos DB accounts should be granted to specific Azure Virtual Networks (VNets) – which allow a secure network boundary for specific applications, or to public IP addresses/IP address ranges – which can enable connections from trusted Internet services and on-premises networks. Once the firewall rules are properly configured, only clients and applications from allowed networks and/or IPs can access your Cosmos DB account resources.
Note: Making changes to the network firewall rules can impact your applications' ability to connect to the Cosmos DB account. Make sure to grant access to any trusted service or network using network rules or IP addresses/ranges before you configure the firewall default rule to deny access.
To determine if the default network access (i.e. all access) is restricted for your Azure Cosmos DB accounts, perform the following actions:
Remediation / Resolution
To restrict default network access (i.e. public access) to your Microsoft Azure Cosmos DB account, perform the following actions:
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Restrict Default Network Access for Azure Cosmos DB Accounts
Risk level: Medium