- Knowledge Base
- Microsoft Azure
- Redis Cache
- Check for Virtual Network Deployment and Integration
Ensure that your Microsoft Azure Cache for Redis servers are deployed to an Azure virtual network (VNet) in order to minimize exposure to public networks, reducing the risk of unauthorized access and potential security breaches.
Security 
Operationalexcellence
Virtual network (VNet) integration for Premium Azure Cache for Redis servers provides improved security and isolation through the implementation of subnets, access control policies, and various other features designed to further restrict access. When an Azure Cache for Redis server is integrated within a virtual network (VNet), it is not publicly accessible. Instead, the network access to the cache server is limited to virtual machines and applications operating within the confines of the virtual network.
Virtual network (VNet) integration for Azure Cache for Redis servers is only available in the Premium tier.
Audit
To determine if your Azure Cache for Redis servers were deployed to an Azure virtual network (VNet), perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list the Azure Cache for Redis servers available in the selected subscription.
05 From the Add filter box, choose SKU for Filter, select Equals, choose Premium for Value, and select Apply to list only the Azure Cache for Redis servers available in the Premium tier.
06 Click on the name (link) of the Redis cache server that you want to examine.
07 In the resource navigation panel, under Settings, select Virtual Network to access the virtual network (VNet) integration information such as VNet name, subnet name, and IP address, available for the selected cache server.
08 If there are no VNet integration information available on the Virtual Network page, the selected Azure Cache for Redis server was not deployed to an Azure virtual network (VNet). As a result, the VNet integration is not enabled for your Redis cache server.
09 Repeat steps no. 6 - 8 for each Azure Cache for Redis server deployed in the selected Azure subscription.
10 Repeat steps no. 3 – 9 for each Azure subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run redis list command (Windows/macOS/Linux) with custom query filters to list the name, the associated resource group, and the tier for each Azure Cache for Redis server available in the selected subscription:
az redis list
--output table
--query '[*].{name:name, resourceGroup:resourceGroup, SKU:sku.name}'
05 The command output should return the requested cache server information (including the tier name, i.e., SKU value):
Name ResourceGroup SKU ----------------------- ------------------------------ -------- cc-project5-redis-cache cloud-shell-storage-westeurope Premium cc-webapp-cache-server cloud-shell-storage-westeurope Standard
06 Run redis show command (Windows/macOS/Linux) with custom output filters to determine if the specified Premium Azure Cache for Redis server was deployed to an Azure virtual network (VNet):
az redis show
--name cc-project5-redis-cache
--resource-group cloud-shell-storage-westeurope
--query '{"subnetId":subnetId}'
07 The command output should return the ID of the associated VNet subnet:
{
"subnetId": null
}
If the redis show command output returns null for the "subnetId" attribute, as shown in the example above, the selected Azure Cache for Redis server was not deployed to an Azure virtual network (VNet). Consequently, the VNet integration is not enabled for your Redis cache server.
08 Repeat step no. 6 and 7 for each Azure Cache for Redis server available within the current Azure subscription.
09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
Remediation / Resolution
An existing Azure Cache for Redis server cannot be added to a virtual network (VNet). To ensure that your Microsoft Azure Cache for Redis servers are injected into a virtual network, re-create your cache resources with the appropriate VNet configuration. To redeploy your cache servers, perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Azure Cache for Redis for Value, then choose Apply to list the Azure Cache for Redis servers available in the selected subscription.
05 From the Add filter box, choose SKU for Filter, select Equals, choose Premium for Value, and select Apply to list only the Azure Cache for Redis servers available in the Premium tier.
06 Click on the name (link) of the Redis cache server that you want to re-create and collect all relevant configuration information.
07 Navigate to Azure Cache for Redis blade at https://portal.azure.com/#browse/Microsoft.Cache%2FRedis, choose + Create, select Azure Cache for Redis, and perform the following actions to create a new Premium Azure Cache for Redis server:
- For Basics, provide the following information:
- For Subscription, choose your Azure subscription.
- For Resource group, select the correct resource group.
- Provide a unique name for the new cache server in the Name box.
- For Location, select the Azure cloud region where the server instance will be deployed.
- For Cache SKU (View full pricing details), choose Premium (up to 99.9% availability) from the Azure Cache for Redis list.
- For Cache size, choose the cache instance size for the new cache server (must match the source server instance size).
- Choose Next : Networking > to continue the setup process.
- For Networking, perform the following operations:
- For Connectivity method, choose Virtual Network Injection to deploy your new cache server to a virtual network (VNet).
- Under Virtual Network, perform the following actions:
- Ensure that the correct Azure subscription is selected for Virtual network subscription.
- For Virtual network, choose the name of the Azure virtual network (VNet) that you want to use for your Redis cache server.
- For Subnet, select the VNet subnet where the cache server will be deployed.
- (Optional) For Static IP address, provide a static IP address for routing. If you don't specify a static IP, an IP address will be automatically chosen.
- Choose Next : Advanced > to continue the setup process.
- For Advanced, use the information collected at step no. 6 to configure the resource settings to match the source cache server configuration. Choose Next : Tags > to continue the setup.
- For Tags, use the Name, Value, and Resource fields to create tags that will help organize the identity of the new resource. Choose Next : Review + create > to validate the setup.
- For Review + create, review the resource configuration details, then choose Create to create your new Premium Azure Cache for Redis server and deploy it to your secure Azure virtual network (VNet).
08 Repeat steps no. 6 and 7 for each Azure Cache for Redis server that you want to redeploy, available in the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run redis list command (Windows/macOS/Linux) with custom query filters to list the name, the associated resource group, and the tier for each Azure Cache for Redis server available in the selected subscription:
az redis list
--output table
--query '[*].{name:name, resourceGroup:resourceGroup, SKU:sku.name}'
05 The command output should return the requested cache server information (including the tier name, i.e., SKU value):
Name ResourceGroup SKU ----------------------- ------------------------------ -------- cc-project5-redis-cache cloud-shell-storage-westeurope Premium cc-webapp-cache-server cloud-shell-storage-westeurope Standard
06 Run redis show command (Windows/macOS/Linux) with custom output filters to describe the configuration information available for the Azure Cache for Redis Premium server that you want to re-create for VNet integration:
az redis show --name cc-project5-redis-cache --resource-group cloud-shell-storage-westeurope
07 The command output should return the requested configuration information:
{
"accessKeys": null,
"disableAccessKeyAuthentication": false,
"enableNonSslPort": false,
"linkedServers": [],
"location": "West Europe",
"minimumTlsVersion": "1.2",
"name": "cc-project5-redis-cache",
"port": 6379,
"privateEndpointConnections": null,
"provisioningState": "Succeeded",
"publicNetworkAccess": "Enabled",
...
"redisVersion": "6.0",
"resourceGroup": "cloud-shell-storage-westeurope",
"shardCount": null,
"sku": {
"capacity": 1,
"family": "P",
"name": "Premium"
},
"sslPort": 6380,
"staticIp": "10.0.0.10",
"type": "Microsoft.Cache/Redis",
"updateChannel": "Stable"
}
08 Run redis create command (Windows/macOS/Linux) to create and deploy a new Premium Azure Cache for Redis server inside an Azure virtual network (VNet). Use the --subnet-id command parameter to specify the ID of the VNet subnet:
az redis create --name cc-project5-new-redis-cache --resource-group cloud-shell-storage-westeurope --location westeurope --sku Premium --vm-size p1 --mi-system-assigned --update-channel Stable --subnet-id "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-001"
09 The command output should return the configuration information available for the new cache server:
{
"disableAccessKeyAuthentication": false,
"enableNonSslPort": false,
"hostName": "cc-project5-new-redis-cache.redis.cache.windows.net",
"linkedServers": [],
"location": "West Europe",
"minimumTlsVersion": "1.2",
"name": "cc-project5-new-redis-cache",
"port": 6379,
"privateEndpointConnections": null,
"provisioningState": "Succeeded",
"publicNetworkAccess": "Enabled",
...
"resourceGroup": "cloud-shell-storage-westeurope",
"sku": {
"capacity": 1,
"family": "P",
"name": "Premium"
},
"sslPort": 6380,
"staticIp": "10.0.0.15",
"subnetId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet/subnets/cc-vnet-subnet-001",
"type": "Microsoft.Cache/Redis",
"updateChannel": "Stable"
}
10 Repeat steps no. 6 - 9 for each Azure Cache for Redis server that you want to redeploy, available within the selected subscription.
11 Repeat steps no. 3 – 10 for each Azure subscription created in your Microsoft Azure cloud account.
References
- Azure Official Documentation
- Configure virtual network (VNet) support for a Premium Azure Cache for Redis instance
- Azure security baseline for Azure Cache for Redis
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az redis list
- az redis show
- az redis create