Configure IP Firewall Rules for Azure Cache for Redis Servers

Risk Level: High (not acceptable risk)

To enhance security and compliance for your Azure Cache for Redis servers, configure IP network and firewall rules to control access and limit exposure to potential risks. These rules ensure only authorized connections can reach your Redis resources, while internal monitoring remains uninterrupted.

Security

Configuring IP network rules for your Microsoft Azure Cache for Redis servers is essential for securing access. This ensures that only trusted IP addresses or services can connect to your cache servers, preventing unauthorized access, protecting your cache data, and supporting compliance with security best practices.


Audit

To determine if there are any IP firewall rules configured for your Azure Cache for Redis servers, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list only the Azure Cache for Redis servers available in the selected subscription.

05 Click on the name (link) of the Azure Cache for Redis server that you want to examine.

06 In the resource navigation panel, under Settings, select Firewall to access the list of firewall rules configured for the selected resource.

07 On the Firewall page, check for any firewall rules configured for your cache server. If the Firewall page is empty, there are no IP firewall rules configured for the selected Azure Cache for Redis server. As a result, connections from any IP address are allowed.

08 Repeat steps no. 5 – 7 for each Azure Cache for Redis server deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run the redis list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Cache for Redis server available in the selected subscription:

az redis list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested cache server identifiers:

Name                        ResourceGroup
-------------------------   ------------------------------
cc-project5-redis-cache     cloud-shell-storage-westeurope
cc-main-app-redis-cache     cloud-shell-storage-westeurope

06 Run the redis firewall-rules list command (Windows/macOS/Linux) with the name of the Azure Cache for Redis server that you want to examine as the identifier parameter, to list the name of each IP firewall rule configured for the selected Redis cache server:

az redis firewall-rules list --name cc-project5-redis-cache --resource-group cloud-shell-storage-westeurope --query '[].name'

07 The command output should return the names of the firewall rules defined for the selected cache server:

[]

If the redis firewall-rules list command output returns an empty array, i.e., [], there are no IP firewall rules configured for the selected Azure Cache for Redis server. As a result, all IP addresses are permitted to establish network connections.

08 Repeat steps no. 6 and 7 for each Azure Cache for Redis server available within the current Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
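The CLI audit steps above can be run as one pass over every subscription and cache. The following script is an added example, not part of the original guidance: the function names, the `--run` switch and the `MAX_RANGE` threshold are assumptions, and it goes one step beyond the page by also flagging rules whose start/end range is wider than that threshold.

```sh
#!/bin/sh
# Added example: automates audit steps 01-09 using the same az commands.
# Output: one tab-separated line per cache (subscription, resource group, cache, verdict).

# Convert a dotted IPv4 address to an integer so a rule's width can be computed.
ip_to_int() {
  echo "$1" | {
    IFS=. read -r a b c d
    echo $(( $a * 16777216 + $b * 65536 + $c * 256 + $d ))
  }
}

# Read "ruleName startIp endIp" rows on stdin and print a verdict for one cache.
# MAX_RANGE (addresses per rule) is an assumed local policy value, not an Azure setting.
classify_rules() {
  max=${MAX_RANGE:-65536}; count=0; verdict=OK
  while read -r rule start end; do
    [ -n "$rule" ] || continue
    count=$((count + 1))
    size=$(( $(ip_to_int "$end") - $(ip_to_int "$start") + 1 ))
    if [ "$size" -gt "$max" ]; then verdict="BROAD_RULE:$rule"; fi
  done
  # No rows at all is the empty-array case from step 07: any IP may connect.
  if [ "$count" -eq 0 ]; then verdict=NO_FIREWALL_RULES; fi
  echo "$verdict"
}

# Walk every subscription and every cache, as in steps 01, 03, 04 and 06.
audit_redis_firewalls() {
  for sub in $(az account list --query '[*].id' --output tsv); do
    az account set --subscription "$sub"
    az redis list --query '[*].[name, resourceGroup]' --output tsv |
    while read -r cache rg; do
      [ -n "$cache" ] || continue
      # </dev/null keeps az from consuming the cache list on stdin.
      verdict=$(az redis firewall-rules list --name "$cache" \
        --resource-group "$rg" --query '[].[name, startIp, endIp]' \
        --output tsv </dev/null | classify_rules)
      printf '%s\t%s\t%s\t%s\n' "$sub" "$rg" "$cache" "$verdict"
    done
  done
}

# Run the audit only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then audit_redis_firewalls; fi
```

Any cache reported as NO_FIREWALL_RULES matches the empty-array finding described in step 07.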

Remediation / Resolution

To configure IP firewall rules for your Microsoft Azure Cache for Redis servers, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list only the Azure Cache for Redis servers available in the selected subscription.

05 Click on the name (link) of the Azure Cache for Redis server that you want to configure.

06 In the resource navigation panel, under Settings, select Firewall.

07 On the Firewall page, choose Add and perform the following actions to add one or more IP firewall rules:

  1. For Rule name, type a unique name for the new IP firewall rule.
  2. For Start IP address and End IP address, provide the client IP address or IP address range designated to access your Redis cache server. For IP address ranges, Start IP address represents the lowest IP address included in the range and End IP address is the highest IP address included in the range.
  3. Choose Save to apply the configuration settings. Once the IP firewall rule is applied, only client connections from the specified IP address/IP address range can connect to the selected cache server.

08 Repeat steps no. 5 – 7 for each Azure Cache for Redis server that you want to configure, deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 To allow access from specific, trusted IP addresses or IP ranges, run the redis firewall-rules create command (Windows/macOS/Linux) to create a new IP firewall rule for an individual IP address or IP address range. For IP address ranges, --start-ip represents the lowest IP address included in the range and --end-ip is the highest IP address included in the range:

az redis firewall-rules create --name cc-project5-redis-cache --resource-group cloud-shell-storage-westeurope --rule-name AuthRedisClient --start-ip 10.10.1.0 --end-ip 10.10.1.255

05 The command output should return the information available for the new IP firewall rule. Once the IP firewall rule is applied, only client connections from the specified IP address/IP address range can connect to the selected cache server:

{
	"endIp": "10.10.1.255",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Cache/redis/cc-project5-redis-cache/firewallRules/AuthRedisClient",
	"name": "cc-project5-redis-cache/AuthRedisClient",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"startIp": "10.10.1.0",
	"type": "Microsoft.Cache/redis/firewallRules"
}

06 Repeat steps no. 4 and 5 for each Azure Cache for Redis server that you want to configure, available in the selected Azure subscription.

07 Repeat steps no. 3 – 6 for each subscription available in your Microsoft Azure cloud account.

References

Publication date May 12, 2025