Restrict Default Network Access for Azure Cosmos DB Accounts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CosmosDB-003

Ensure that your Azure Cosmos DB accounts are configured to deny access to traffic from all networks, including the public Internet. By restricting the public access to your Azure Cosmos DB accounts, you add an additional layer of security to the account resources, as the default action is to accept requests from any source. To limit access to trusted networks and/or IP addresses only, you must update the firewall and the virtual network configuration for your Cosmos DB accounts.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

The access to your Azure Cosmos DB accounts should be granted to specific Azure Virtual Networks (VNets), to trusted IP addresses/IP address ranges, or to other Azure services or sources within Microsoft Azure. Once the firewall rules are properly configured, only clients and applications from allowed networks and/or IPs can access your Cosmos DB account resources.

Note: Making changes to the network firewall rules can impact your applications' ability to connect to the Cosmos DB account. Make sure to grant access to any trusted service or network using network rules or IP addresses/ranges before you configure the firewall default rule to deny access.


Audit

To determine if the default network access (public access) is restricted for your Azure Cosmos DB accounts, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to view all your Microsoft Azure cloud resources.

03 From the Subscription equals filter box, select the Azure account subscription that you want to examine.

04 From the Type equals filter box, select Azure Cosmos DB account and choose Apply to list only the Cosmos DB accounts available in your Azure account.

05 Click on the name (link) of the Azure Cosmos DB account that you want to examine.

06 In the navigation panel, under Settings, select Networking to access network configuration settings available for the selected account.

07 Select the Public access tab and check the Public network access setting configuration. If Public network access is set to All networks, all networks, including the public Internet, can access the selected Azure Cosmos DB account, therefore the account network access configuration is not compliant.

08 Repeat steps no. 5 – 7 for each Azure Cosmos DB account available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run cosmosdb list command (Windows/macOS/Linux) using custom query filters to list the ID of each Azure Cosmos DB account available in the current Azure subscription:

az cosmosdb list \
  --query '[*].id'

02 The command output should return the requested Azure resource identifiers (IDs):

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-account",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmos-app-account"
]

03 Run cosmosdb show command (Windows/macOS/Linux) using the ID of the Cosmos DB account that you want to examine (returned at the previous step) as the identifier parameter, and custom query filters to describe the network access configuration implemented for the selected account:

az cosmosdb show \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-account" \
  --query '{"ipRules":ipRules,"isVirtualNetworkFilterEnabled":isVirtualNetworkFilterEnabled}'

04 The command output should return the requested network access configuration (virtual network and firewall configuration):

{
	"ipRules": [],
	"isVirtualNetworkFilterEnabled": false
}

If the cosmosdb show command output returns false for the "isVirtualNetworkFilterEnabled" attribute and null or [] for the "ipRules" attribute, no Azure virtual networks and no IP addresses/IP ranges are configured for the account. All networks, including the Internet, can then access the selected Azure Cosmos DB account, therefore the account network access configuration is not compliant.

05 Repeat step no. 3 and 4 for each Azure Cosmos DB account available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
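The compliance decision from step 04, applied to the JSON that `az cosmosdb show` returns, as an added example that is not part of the original page. It keeps the page's rule (an account with no ipRules and the virtual network filter disabled is not compliant) and additionally treats an account whose publicNetworkAccess attribute is Disabled as compliant, which is the setting the Portal remediation step uses; the account names and sample outputs are constructed.

```python
import json

# Constructed: the reduced output of `az cosmosdb show --query ...` from step 04
# for an account that still accepts traffic from all networks.
SAMPLE_SHOW_OUTPUT = """{
    "ipRules": [],
    "isVirtualNetworkFilterEnabled": false
}"""

# Constructed: several accounts reduced to the attributes this check reads.
# A real `az cosmosdb show` result carries many more attributes.
SAMPLE_ACCOUNTS = [
    {"name": "cc-project5-account", "ipRules": [],
     "isVirtualNetworkFilterEnabled": False, "publicNetworkAccess": "Enabled"},
    {"name": "cc-cosmos-app-account", "ipRules": None,
     "isVirtualNetworkFilterEnabled": False, "publicNetworkAccess": "Enabled"},
    {"name": "cc-onprem-only", "ipRules": [{"ipAddressOrRange": "15.16.17.0/24"}],
     "isVirtualNetworkFilterEnabled": False, "publicNetworkAccess": "Enabled"},
    {"name": "cc-vnet-only", "ipRules": [],
     "isVirtualNetworkFilterEnabled": True, "publicNetworkAccess": "Enabled"},
    {"name": "cc-private", "ipRules": [],
     "isVirtualNetworkFilterEnabled": False, "publicNetworkAccess": "Disabled"},
]


def parse_show_output(text):
    """Parse the JSON document printed by `az cosmosdb show`."""
    return json.loads(text)


def is_default_access_restricted(account):
    """True when the account does not accept requests from every network."""
    # Public access switched off entirely (Portal remediation, step 07).
    if account.get("publicNetworkAccess") == "Disabled":
        return True
    # null and [] both mean "no firewall rules", so bool() covers both cases.
    has_ip_rules = bool(account.get("ipRules"))
    vnet_filter_on = bool(account.get("isVirtualNetworkFilterEnabled"))
    return has_ip_rules or vnet_filter_on


def audit(accounts):
    """Map each account name to the verdict the Audit section would give."""
    return {a["name"]: ("compliant" if is_default_access_restricted(a)
                        else "not compliant") for a in accounts}


def non_compliant_accounts(accounts):
    """Sorted names of the accounts that still need remediation."""
    return sorted(n for n, v in audit(accounts).items() if v == "not compliant")
```

To run it against live data, feed `parse_show_output` the text of `az cosmosdb show` for each ID returned by `az cosmosdb list`.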

Remediation / Resolution

To restrict public access (default network access) to your Microsoft Azure Cosmos DB accounts, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to view all your Microsoft Azure cloud resources.

03 From the Subscription equals filter box, select the Azure account subscription that you want to access.

04 From the Type equals filter box, select Azure Cosmos DB account and choose Apply to list only the Cosmos DB accounts available in your Azure account.

05 Click on the name (link) of the Azure Cosmos DB account that you want to configure.

06 In the navigation panel, under Settings, select Networking to access network configuration settings available for the selected account.

07 To completely block public access, select the Public access tab and choose Disabled under Public network access. Choose Save to apply the changes.

08 To allow access from specific Azure Virtual Networks (VNets) only, choose + Add existing virtual network or + Add new virtual network from the Virtual networks section, to attach an existing virtual network or to create and attach a new one. Select the appropriate subscription and configure the required virtual network and its subnet(s). Choose Save to apply the changes.

09 To allow access from trusted IP addresses/IP address ranges only, perform the following operations:

  1. Choose Selected networks under Public network access.
  2. For Firewall, use the IP (Single IPv4 or CIDR range) configuration box to add IPv4 addresses or IPv4 address ranges in order to allow access from the Internet or from your on-premises networks.
  3. (Optional) To add your current public IPv4 address, choose + Add my current IP ([ipv4-address]).
  4. Choose Save to apply the changes.

10 To allow access from within public Microsoft Azure datacenters only, select the Accept connections from within public Azure datacenters checkbox, listed under Exceptions. This will allow other Azure services or sources within Microsoft Azure to access your Cosmos DB account. Choose Save to apply the changes.

11 To allow access from the Microsoft Azure Portal, select the Allow access from Azure Portal checkbox, listed under Exceptions. Choose Save to apply the changes.

12 Repeat steps no. 5 – 11 for each Azure Cosmos DB account that you want to configure, available in the selected subscription.

13 Repeat steps no. 3 – 12 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 To allow access from trusted IP addresses/IP address ranges only, run cosmosdb update command (Windows/macOS/Linux) to add a firewall rule to the Cosmos DB account network configuration. As an example, the following configuration grants access to a specific on-premises network (e.g. 15.16.17.0/24) while blocking public Internet traffic. Note that --ip-range-filter sets the complete list of allowed addresses/ranges (comma-separated), so include every range that must remain allowed:

az cosmosdb update \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-account" \
  --ip-range-filter 15.16.17.0/24 \
  --query 'ipRules'

02 The command output should return the list of IP addresses/IP ranges allowed to access the selected account:

[
	{
		"ipAddressOrRange": "15.16.17.0/24"
	}
]

03 To enable access from Azure Virtual Networks (VNets), run cosmosdb update command (Windows/macOS/Linux) with the --enable-virtual-network parameter set to true:

az cosmosdb update \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-account" \
  --enable-virtual-network true

04 The command output should return the configuration information available for the selected Cosmos DB account:

{
	"analyticalStorageConfiguration": {
		"schemaType": "WellDefined"
	},
	"apiProperties": null,
	"backupPolicy": {
		"migrationState": null,
		"periodicModeProperties": {
			"backupIntervalInMinutes": 240,
			"backupRetentionIntervalInHours": 8,
			"backupStorageRedundancy": "Geo"
		},
		"type": "Periodic"
	},
	"capabilities": [],
	"capacity": null,
	"connectorOffer": null,
	"consistencyPolicy": {
		"defaultConsistencyLevel": "Session",
		"maxIntervalInSeconds": 5,
		"maxStalenessPrefix": 100
	},
	"cors": [],
	"createMode": null,
	"databaseAccountOfferType": "Standard",
	"defaultIdentity": "FirstPartyIdentity",
	"disableKeyBasedMetadataWriteAccess": false,
	"disableLocalAuth": false,
	"documentEndpoint": "https://cc-project5-account.documents.azure.com:443/",
	"enableAnalyticalStorage": false,
	"enableAutomaticFailover": false,
	"enableCassandraConnector": null,
	"enableFreeTier": true,
	"enableMultipleWriteLocations": false,
	"enablePartitionMerge": false,
	"failoverPolicies": [
		{
			"failoverPriority": 0,
			"id": "cc-project5-account-westus",
			"locationName": "West US"
		}
	],
	"identity": {
		"principalId": null,
		"tenantId": null,
		"type": "None",
		"userAssignedIdentities": null
	},
	"ipRules": [],
	"isVirtualNetworkFilterEnabled": true,
	"keyVaultKeyUri": null,
	"kind": "GlobalDocumentDB",
	"location": "West US",
	"locations": [
		{
			"documentEndpoint": "https://cc-project5-account-westus.documents.azure.com:443/",
			"failoverPriority": 0,
			"id": "cc-project5-account-westus",
			"isZoneRedundant": false,
			"locationName": "West US",
			"provisioningState": "Succeeded"
		}
	],
	"minimalTlsVersion": "Tls12",
	"name": "cc-project5-account",
	"networkAclBypass": "None",
	"networkAclBypassResourceIds": [],
	"privateEndpointConnections": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"readLocations": [
		{
			"documentEndpoint": "https://cc-project5-account-westus.documents.azure.com:443/",
			"failoverPriority": 0,
			"id": "cc-project5-account-westus",
			"isZoneRedundant": false,
			"locationName": "West US",
			"provisioningState": "Succeeded"
		}
	],
	"resourceGroup": "cloud-shell-storage-westeurope",
	"restoreParameters": null,
	"systemData": {
		"createdAt": "2023-10-02T14:05:05.931022+00:00",
		"createdBy": null,
		"createdByType": null,
		"lastModifiedAt": null,
		"lastModifiedBy": null,
		"lastModifiedByType": null
	},
	"tags": {
		"defaultExperience": "Core (SQL)",
		"hidden-cosmos-mmspecial": ""
	},
	"type": "Microsoft.DocumentDB/databaseAccounts",
	"virtualNetworkRules": [],
	"writeLocations": [
		{
			"documentEndpoint": "https://cc-project5-account-westus.documents.azure.com:443/",
			"failoverPriority": 0,
			"id": "cc-project5-account-westus",
			"isZoneRedundant": false,
			"locationName": "West US",
			"provisioningState": "Succeeded"
		}
	]
}

05 To allow access from a trusted Azure Virtual Network (VNet), run cosmosdb network-rule add command (Windows/macOS/Linux) to add a new virtual network to your Azure Cosmos DB account configuration:

az cosmosdb network-rule add \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-account" \
  --virtual-network cc-prod-vnet \
  --subnet westeurope-01

06 The command output should return the information available for the reconfigured Azure Cosmos DB account:

{
	"analyticalStorageConfiguration": {
		"schemaType": "WellDefined"
	},
	"apiProperties": null,
	"backupPolicy": {
		"migrationState": null,
		"periodicModeProperties": {
			"backupIntervalInMinutes": 240,
			"backupRetentionIntervalInHours": 8,
			"backupStorageRedundancy": "Geo"
		},
		"type": "Periodic"
	},
	"capabilities": [],
	"capacity": null,
	"connectorOffer": null,
	"consistencyPolicy": {
		"defaultConsistencyLevel": "Session",
		"maxIntervalInSeconds": 5,
		"maxStalenessPrefix": 100
	},
	"cors": [],
	"createMode": null,
	"databaseAccountOfferType": "Standard",
	"defaultIdentity": "FirstPartyIdentity",
	"disableKeyBasedMetadataWriteAccess": false,
	"disableLocalAuth": false,
	"documentEndpoint": "https://cc-project5-account.documents.azure.com:443/",
	"enableAnalyticalStorage": false,
	"enableAutomaticFailover": false,
	"enableCassandraConnector": null,
	"enableFreeTier": true,
	"enableMultipleWriteLocations": false,
	"enablePartitionMerge": false,
	"failoverPolicies": [
		{
			"failoverPriority": 0,
			"id": "cc-project5-account-westus",
			"locationName": "West US"
		}
	],
	"identity": {
		"principalId": null,
		"tenantId": null,
		"type": "None",
		"userAssignedIdentities": null
	},
	"ipRules": [],
	"isVirtualNetworkFilterEnabled": true,
	"keyVaultKeyUri": null,
	"kind": "GlobalDocumentDB",
	"location": "West US",
	"locations": [
		{
			"documentEndpoint": "https://cc-project5-account-westus.documents.azure.com:443/",
			"failoverPriority": 0,
			"id": "cc-project5-account-westus",
			"isZoneRedundant": false,
			"locationName": "West US",
			"provisioningState": "Succeeded"
		}
	],
	"minimalTlsVersion": "Tls12",
	"name": "cc-project5-account",
	"networkAclBypass": "None",
	"networkAclBypassResourceIds": [],
	"privateEndpointConnections": null,
	"provisioningState": "Succeeded",
	"publicNetworkAccess": "Disabled",
	"readLocations": [
		{
			"documentEndpoint": "https://cc-project5-account-westus.documents.azure.com:443/",
			"failoverPriority": 0,
			"id": "cc-project5-account-westus",
			"isZoneRedundant": false,
			"locationName": "West US",
			"provisioningState": "Succeeded"
		}
	],
	"resourceGroup": "cloud-shell-storage-westeurope",
	"restoreParameters": null,
	"systemData": {
		"createdAt": "2023-10-02T14:05:05.931022+00:00",
		"createdBy": null,
		"createdByType": null,
		"lastModifiedAt": null,
		"lastModifiedBy": null,
		"lastModifiedByType": null
	},
	"tags": {
		"defaultExperience": "Core (SQL)",
		"hidden-cosmos-mmspecial": ""
	},
	"type": "Microsoft.DocumentDB/databaseAccounts",
	"virtualNetworkRules": [
		{
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-prod-vnet/subnets/westeurope-01",
			"ignoreMissingVnetServiceEndpoint": false,
			"resourceGroup": "cloud-shell-storage-westeurope"
		}
	],
	"writeLocations": [
		{
			"documentEndpoint": "https://cc-project5-account-westus.documents.azure.com:443/",
			"failoverPriority": 0,
			"id": "cc-project5-account-westus",
			"isZoneRedundant": false,
			"locationName": "West US",
			"provisioningState": "Succeeded"
		}
	]
}

07 Repeat steps no. 1 – 6 for each Azure Cosmos DB account that you want to configure, available within the current subscription.

08 Repeat steps no. 1 – 7 for each subscription created within your Microsoft Azure cloud account.

Publication date Apr 7, 2020