- Define Firewall Rules for Azure Cosmos DB Accounts
Ensure that Microsoft Azure Cosmos DB accounts are configured to use IP firewall rules in order to limit access to trusted networks and/or IP addresses only.
Network access to your Azure Cosmos DB accounts should be granted only to specific Azure virtual networks, to other Azure services or sources within Microsoft Azure, or to trusted IP addresses/IP address ranges defined as firewall rules. Once the IP firewall rules are properly configured, only clients and applications from the allowed networks and/or IPs can reach your Azure Cosmos DB account resources; connections from any other source are rejected by the service before the request is processed, even when the caller presents a valid account key or Microsoft Entra token. IP firewall rules therefore add a network boundary in front of authentication and limit the exposure of an account whose credentials leak.
Audit
To determine if IP firewall rules are configured for your Azure Cosmos DB accounts, perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cosmos DB account for Value, then choose Apply to list the Azure Cosmos DB accounts available in the selected subscription.
05 Click on the name (link) of the Azure Cosmos DB account that you want to examine.
06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected DB account.
07 Select the Public access tab and check the Public network access setting to determine the level of network access configured for the selected resource. If Public network access is set to All networks, any client on the public Internet can reach the selected Azure Cosmos DB account, no IP access control policy is in effect, and the account network access configuration is not compliant; the Audit process ends here. If Public network access is set to Disabled, no public traffic can reach the selected resource (access is possible only through private endpoints) and the Audit process ends here. If Public network access is set to Selected networks, continue the Audit process with the next step.
08 In the Firewall section, check for any IP firewall rules configured for your Cosmos DB account, listed under IPs (Single IPv4 or CIDR range). If no IP firewall rules are listed under IPs (Single IPv4 or CIDR range), there is no IP access control policy defined for the selected Azure Cosmos DB account. As a result, the Cosmos DB account network access configuration is not compliant.
09 Repeat steps no. 5 – 8 for each Azure Cosmos DB account available in the selected subscription.
10 Repeat steps no. 3 – 9 for each Azure subscription created within your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run cosmosdb list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure Cosmos DB account available in the selected subscription:
az cosmosdb list --query '[*].id'
05 The command output should return the requested Azure Cosmos DB account IDs:
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database", "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmos-prod-dba-account" ]
06 Run cosmosdb show command (Windows/macOS/Linux) with the ID of the Azure Cosmos DB account that you want to examine as the identifier parameter and custom output filters to describe the IP firewall rules configured for the selected DB account:
az cosmosdb show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database" --query '{"ipRules":ipRules}'
07 The command output should return the requested IP firewall rules:
{ "ipRules": [] }
If the cosmosdb show command output returns null or [] for the "ipRules" configuration attribute, there is no IP access control policy defined for the selected Azure Cosmos DB account. The same applies if the only entries returned are the Azure Portal middleware IP addresses (the list published in the Configure IP firewall in Azure Cosmos DB documentation referenced below) or 0.0.0.0, the entry that Cosmos DB stores when Accept connections from within public Azure datacenters is enabled: these rules grant access to the Azure portal and to any Azure-hosted source, not to your trusted networks. In either case, the Cosmos DB account network access configuration is not compliant. An account whose "publicNetworkAccess" attribute is Disabled accepts no public traffic regardless of its IP rules; add that attribute to the --query filter if you want the CLI audit to mirror the portal check in step no. 7 above.
08 Repeat steps no. 6 and 7 for each Azure Cosmos DB account available within the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
Remediation / Resolution
To implement an IP access control policy and restrict your Azure Cosmos DB account network access to trusted IP addresses only, perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cosmos DB account for Value, then choose Apply to list the Azure Cosmos DB accounts available in the selected subscription.
05 Click on the name (link) of the Azure Cosmos DB account that you want to configure.
06 In the resource navigation panel, under Settings, select Networking to access the networking configuration settings available for the selected DB account.
07 Select the Public access tab and perform the following actions:
- Ensure that Public network access is set to Selected networks
- For Firewall, use the IPs (Single IPv4 or CIDR range) configuration box to add IPv4 addresses or IPv4 address ranges in order to allow trusted access from the Internet or from your on-premises networks.
- (Optional) To add your current public IPv4 address, choose + Add your current IP.
- (Optional) To allow access from within public Microsoft Azure datacenters only, choose + Accept connections from within public Azure datacenters. This will allow other Azure services or sources within Microsoft Azure to access your Cosmos DB account.
- (Optional) If the Azure Portal middleware IP addresses are not listed in the Firewall section, choose + Add Azure Portal Middleware IPs to add the required IP addresses to your firewall rules. This will allow network access from the Azure portal.
- Choose Save to apply the configuration changes.
08 Repeat steps no. 5 – 7 for each Azure Cosmos DB account that you want to configure, available in the selected subscription.
09 Repeat steps no. 3 – 8 for each Azure subscription created within your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 To allow network access from trusted IP addresses/IP address ranges only, run cosmosdb update command (Windows/macOS/Linux) with the --ip-range-filter parameter to set the IP firewall rules of your Cosmos DB account. The value replaces the existing rule list rather than appending to it, so pass every address or range that must keep access (comma-separated) in a single call. Cosmos DB matches on the public source address it sees, so for an on-premises network list that network's public egress address or range, not its internal private range. If the account should accept no public traffic at all, set --public-network-access Disabled instead and connect through private endpoints. As an example, the following configuration grants access to a trusted on-premises network whose public egress range is 203.0.113.0/24:
az cosmosdb update --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-cosmos-database" --ip-range-filter 203.0.113.0/24 --query 'ipRules'
05 The command output should return the list of IP addresses/IP ranges allowed to access the selected Cosmos DB account:
[ { "ipAddressOrRange": "203.0.113.0/24" } ]
06 Repeat steps no. 4 and 5 for each Azure Cosmos DB account that you want to configure, available within the selected subscription.
07 Repeat steps no. 3 – 6 for each Azure subscription created within your Microsoft Azure cloud account.
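The Audit and Remediation CLI procedures above are easy to get subtly wrong by hand: an account whose only rules are the portal middleware IPs or 0.0.0.0 looks "configured" but restricts nothing, and a careless --ip-range-filter call wipes the rules that are already there. The script below is an added example (not code from the original article or from Microsoft) that applies the audit logic to the JSON returned by az cosmosdb list / az cosmosdb show and prints, for each non-compliant account, an az cosmosdb update command that merges the existing rules with the trusted ranges you supply. The account objects in SAMPLE_ACCOUNTS are constructed test data, the portal IP set is the global-Azure list from the referenced documentation at time of writing (re-check it before relying on it), and live_accounts assumes a logged-in az CLI.

```python
"""Audit Azure Cosmos DB IP firewall rules and plan remediation.

Added example, not part of the original article. Evaluates the ipRules and
publicNetworkAccess attributes of `az cosmosdb list` / `az cosmosdb show` output.
"""
import json
import shlex
import subprocess
import sys
from dataclasses import dataclass, field

# Azure Portal middleware IPs for global Azure, as listed in the referenced
# "Configure IP firewall in Azure Cosmos DB" doc at time of writing. Re-check the
# doc before relying on them; Azure China/Government use different addresses.
PORTAL_MIDDLEWARE_IPS = {
    "104.42.195.92", "40.76.54.131", "52.176.6.30", "52.169.50.45", "52.187.184.26",
}
# Cosmos DB stores "Accept connections from within public Azure datacenters" as an
# ipRules entry of 0.0.0.0. It is not a restriction to your trusted networks.
AZURE_DATACENTERS_RULE = "0.0.0.0"


@dataclass
class Finding:
    account: str
    compliant: bool
    reason: str
    trusted_ranges: list = field(default_factory=list)


def ip_rules(account: dict) -> list:
    """ipRules is null or [] when no policy exists; normalise to a list of strings."""
    return [r["ipAddressOrRange"] for r in (account.get("ipRules") or [])]


def evaluate(account: dict) -> Finding:
    """Apply the article's audit logic to one account object."""
    name = account.get("name") or account.get("id", "<unknown>")
    if str(account.get("publicNetworkAccess", "Enabled")).lower() == "disabled":
        return Finding(name, True, "public network access disabled; no public traffic reaches the account")
    rules = ip_rules(account)
    trusted = [r for r in rules if r not in PORTAL_MIDDLEWARE_IPS and r != AZURE_DATACENTERS_RULE]
    if not trusted:
        reason = ("no IP firewall rules (ipRules is null or [])" if not rules
                  else "only Azure portal / Azure datacenter rules present: " + ", ".join(rules))
        return Finding(name, False, reason)
    return Finding(name, True, f"{len(trusted)} trusted range(s) configured", trusted)


def remediation_command(account: dict, trusted_ranges: list) -> str:
    """Build the `az cosmosdb update` call that adds trusted_ranges.

    --ip-range-filter REPLACES the whole rule list, so the entries already present
    are merged in rather than dropped (dropping them would cut off the portal or
    Azure-hosted clients that rely on them). The CLI accepts comma-separated values.
    """
    merged = list(dict.fromkeys(ip_rules(account) + list(trusted_ranges)))  # dedupe, keep order
    return "az cosmosdb update --ids {} --ip-range-filter {}".format(
        shlex.quote(account["id"]), shlex.quote(",".join(merged)))


def audit(accounts: list, trusted_ranges: list) -> list:
    """Return (Finding, remediation command or None) pairs for every account."""
    results = []
    for acct in accounts:
        finding = evaluate(acct)
        results.append((finding, None if finding.compliant else remediation_command(acct, trusted_ranges)))
    return results


def live_accounts() -> list:
    """Fetch the accounts of the current subscription via the Azure CLI (needs `az login`)."""
    out = subprocess.run(["az", "cosmosdb", "list", "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


# Constructed sample data shaped like `az cosmosdb list` output; these are not real accounts.
_PREFIX = ("/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/rg-example"
           "/providers/Microsoft.DocumentDB/databaseAccounts/")
SAMPLE_ACCOUNTS = [
    {"id": _PREFIX + "cosmos-open", "name": "cosmos-open", "publicNetworkAccess": "Enabled", "ipRules": []},
    {"id": _PREFIX + "cosmos-portal-only", "name": "cosmos-portal-only", "publicNetworkAccess": "Enabled",
     "ipRules": [{"ipAddressOrRange": "104.42.195.92"}, {"ipAddressOrRange": "0.0.0.0"}]},
    {"id": _PREFIX + "cosmos-private", "name": "cosmos-private", "publicNetworkAccess": "Disabled", "ipRules": None},
    {"id": _PREFIX + "cosmos-restricted", "name": "cosmos-restricted", "publicNetworkAccess": "Enabled",
     "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}, {"ipAddressOrRange": "104.42.195.92"}]},
]

if __name__ == "__main__":
    # usage: python audit_cosmos_fw.py [--live] TRUSTED_CIDR [TRUSTED_CIDR ...]
    # Without --live the constructed samples are evaluated; with --live the accounts of the
    # current subscription are fetched (run `az account set` per subscription as in step 03).
    args = sys.argv[1:]
    live = bool(args) and args[0] == "--live"
    ranges = args[1:] if live else args
    for finding, fix in audit(live_accounts() if live else SAMPLE_ACCOUNTS, ranges or ["203.0.113.0/24"]):
        print(f"{'PASS' if finding.compliant else 'FAIL'} {finding.account}: {finding.reason}")
        if fix:
            print("    remediate: " + fix)
```

Run it without arguments to see the four sample outcomes, then with --live and your own public egress ranges (203.0.113.0/24 is a documentation range placeholder) to get one merged update command per non-compliant account; review each command before executing it, since the rule list it writes is the complete new allow list.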
References
- Azure Official Documentation
- Configure IP firewall in Azure Cosmos DB
- Configure access to Azure Cosmos DB from virtual networks (VNet)
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az cosmosdb list
- az cosmosdb show
- az cosmosdb update