Restrict Default Network Access for Azure Cosmos DB Accounts

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: CosmosDB-003

Ensure that your Microsoft Azure Cosmos DB accounts are configured to deny access to traffic from all networks, including the public Internet. By restricting the public access to your Azure Cosmos accounts, you add an additional layer of security to the account resources, as the default action is to accept requests from any source. To limit access to trusted networks and/or IP addresses only, you must update the firewall and the virtual network configuration for your Cosmos DB accounts.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Access to your Azure Cosmos DB accounts should be granted only to specific Azure Virtual Networks (VNets), which provide a secure network boundary for specific applications, or to public IP addresses/IP address ranges, which allow connections from trusted Internet services and on-premises networks. Once the firewall rules are properly configured, only clients and applications from the allowed networks and/or IPs can access your Cosmos DB account resources.

Note: Making changes to the network firewall rules can impact your applications' ability to connect to the Cosmos DB account. Make sure to grant access to any trusted service or network using network rules or IP addresses/ranges before you configure the firewall default rule to deny access.


Audit

To determine if the default network access (i.e. all access) is restricted for your Azure Cosmos DB accounts, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Azure Cosmos DB account to list all Cosmos DB accounts created in the selected subscription.

05 Click on the name of the Cosmos DB account that you want to examine.

06 In the navigation panel, under Settings, select Firewalls and virtual networks to access network security configuration page for the selected account.

07 On the Firewalls and virtual networks page, check the Allow access from setting. If Allow access from is set to All networks, any network, including the Internet, can reach the selected Azure Cosmos DB account, so the account's network access configuration is not compliant.

08 Repeat steps no. 5 – 7 for each Cosmos DB account available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run cosmosdb list command (Windows/macOS/Linux) using custom query filters to list the IDs of all Cosmos DB accounts available in the current Azure subscription:

az cosmosdb list \
	--query '[*].id'

02 The command output should return the requested Azure resource identifiers (IDs):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-account",
"/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-cosmos-app-account"
]

03 Run cosmosdb show command (Windows/macOS/Linux) using the resource ID of the Cosmos DB account that you want to examine as the identifier parameter and custom query filters to describe the network access configuration implemented for the selected account:

az cosmosdb show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-account" \
	--query '{"ipRangeFilter":ipRules,"isVirtualNetworkFilterEnabled":isVirtualNetworkFilterEnabled}'

04 The command output should return the requested network access configuration (virtual network and firewall configuration):

{
  "ipRangeFilter": [],
  "isVirtualNetworkFilterEnabled": false
}

If the cosmosdb show command output returns false for the "isVirtualNetworkFilterEnabled" attribute and [] for the "ipRangeFilter" attribute, no Azure virtual networks and no IPs/IP ranges are configured for the account. In that state any network, including the Internet, can reach the selected Azure Cosmos DB account, so the account's network access configuration is not compliant.

05 Repeat step no. 3 and 4 for each Cosmos DB account available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To restrict default network access (i.e. public access) to your Microsoft Azure Cosmos DB account, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Azure Cosmos DB account to list all Cosmos DB accounts available in the selected subscription.

05 Click on the name of the Azure Cosmos DB account that you want to reconfigure.

06 In the navigation panel, under Settings, select Firewalls and virtual networks to access network security configuration page for the selected account.

07 On the Firewalls and virtual networks page, choose Selected networks under Allow access from to show the network security configuration panel for the selected Cosmos DB account.

08 On the configuration panel, perform the following operations:

  1. To secure your Azure Cosmos DB account access with virtual networks, use + Add existing virtual network or + Add new virtual network option available in the Virtual networks section to attach an existing virtual network or to create and attach a new one.
  2. To add IPv4 addresses or IPv4 address ranges in order to allow access from a trusted machine on the Internet or from your on-premises network(s), use the configuration controls available under IP (Single IPv4 or CIDR range), in the Firewall section.
  3. To configure a network access exception such as a trusted Microsoft service, use the controls available in the Exceptions section.

09 Once the network security (including firewalls and virtual networks) for the selected Azure Cosmos DB account is properly configured, click Save to apply the changes. Note that the previous firewall settings, which allowed access to the account resources, can remain in effect for up to a minute after you save the new access settings.

10 Repeat steps no. 5 – 9 for each Cosmos DB account available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Configure one or more Cosmos DB account firewall rules so that access is granted from your trusted IP(s) and network(s) only. As an example, the following configuration grants access to a specific on-premises network and enables virtual network access, while blocking general Internet traffic. Run cosmosdb update command (Windows/macOS/Linux) to add a network firewall rule for a trusted IP address range (e.g. 15.16.17.0/24):

az cosmosdb update \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-account" \
	--ip-range-filter 15.16.17.0/24 \
	--enable-virtual-network true

02 The command output should return the configuration metadata available for the selected Cosmos DB account:

{
  "databaseAccountOfferType": "Standard",
  "disableKeyBasedMetadataWriteAccess": false,
  "documentEndpoint": "https://cc-project5-account.documents.azure.com:443/",
  "enableAutomaticFailover": false,
  "enableCassandraConnector": null,
  "enableMultipleWriteLocations": false,

  ...

  "ipRangeFilter": [
    {
      "ipAddressOrRange": "15.16.17.0/24"
    }
  ],
  "isVirtualNetworkFilterEnabled": true,

  ...

  "type": "Microsoft.DocumentDB/databaseAccounts",
  "writeLocations": [
    {
      "documentEndpoint": "https://cc-project5-account-westeurope.documents.azure.com:443/",
      "failoverPriority": 0,
      "id": "cc-project5-account-db-westeurope",
      "provisioningState": "Succeeded"
    }
  ]
}

03 To allow access from a trusted Azure virtual network, run cosmosdb network-rule add command (Windows/macOS/Linux) to add a new virtual network to your Azure Cosmos DB account configuration:

az cosmosdb network-rule add \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DocumentDB/databaseAccounts/cc-project5-account" \
	--virtual-network cc-prod-vnet \
	--subnet westeurope-01

04 The command output should return the reconfigured Azure Cosmos DB account metadata:

{
  "databaseAccountOfferType": "Standard",
  "disableKeyBasedMetadataWriteAccess": false,
  "documentEndpoint": "https://cc-project5-account.documents.azure.com:443/",
  "enableAutomaticFailover": false,
  "enableCassandraConnector": null,
  "enableMultipleWriteLocations": false,

  ...

  "ipRangeFilter": [
    {
      "ipAddressOrRange": "15.16.17.0/24"
    }
  ],
  "isVirtualNetworkFilterEnabled": true,
  "virtualNetworkRules": [
    {
      "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-prod-vnet/subnets/westeurope-01",
      "ignoreMissingVnetServiceEndpoint": false,
      "resourceGroup": "cloud-shell-storage-westeurope"
    }
  ],

  ...

  "type": "Microsoft.DocumentDB/databaseAccounts",
  "writeLocations": [
    {
      "documentEndpoint": "https://cc-project5-account-westeurope.documents.azure.com:443/",
      "failoverPriority": 0,
      "id": "cc-project5-account-db-westeurope",
      "provisioningState": "Succeeded"
    }
  ]
}

05 Repeat steps no. 1 – 4 for each Cosmos DB account available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
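The CLI audit (steps 01 to 06 above) and the CLI remediation (steps 01 and 03) combined into one script, as an added example that is not part of the Conformity page or the Azure CLI. It assumes a logged-in az CLI, the "ipRules" attribute name used by the page's show query, and the function names below, which are hypothetical; the compliance decision is kept in a separate function so it can be checked without calling Azure.

```shell
# Added example, not code from the Conformity page: a pure compliance check, an
# audit loop over every subscription (CLI audit steps 01-06) and a guarded
# remediation (CLI remediation steps 01 and 03). Needs a logged-in az CLI.
set -eu
# NON_COMPLIANT is the "All networks" state: no IP rules and the virtual
# network filter off. az tsv output prints booleans as True/False, so lower-case.
cosmosdb_network_status() {
  ip_rule_count=$1
  vnet_filter_enabled=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if [ "$ip_rule_count" -eq 0 ] && [ "$vnet_filter_enabled" != "true" ]; then
    echo "NON_COMPLIANT"
  else
    echo "COMPLIANT"
  fi
}
# Prints "<ip rule count> <vnet filter flag>" for one account resource ID
# (assumes the "ipRules" attribute used by the page's show query).
cosmosdb_network_values() {
  az cosmosdb show --ids "$1" \
    --query '[length(ipRules || `[]`), isVirtualNetworkFilterEnabled]' \
    -o tsv | tr '\n' ' '
}
# One line per account: status, then the account ID.
audit_cosmosdb_accounts() {
  for sub in $(az account list --query '[].id' -o tsv); do
    for id in $(az cosmosdb list --subscription "$sub" --query '[].id' -o tsv); do
      set -- $(cosmosdb_network_values "$id")
      printf '%s\t%s\n' "$(cosmosdb_network_status "$1" "$2")" "$id"
    done
  done
}
# Usage: restrict_cosmosdb_account <account-id> <trusted-cidr> [<vnet> <subnet>]
# Refuses to run without a trusted CIDR so the account is never left unreachable
# (see the Note in the Security section), then re-checks the account.
restrict_cosmosdb_account() {
  account_id=$1 cidr=${2:-} vnet=${3:-} subnet=${4:-}
  if [ -z "$cidr" ]; then
    echo "refusing: pass a trusted IPv4 address or CIDR range first" >&2
    return 1
  fi
  az cosmosdb update --ids "$account_id" --ip-range-filter "$cidr" \
    --enable-virtual-network true >/dev/null
  if [ -n "$vnet" ]; then
    az cosmosdb network-rule add --ids "$account_id" \
      --virtual-network "$vnet" --subnet "$subnet" >/dev/null
  fi
  set -- $(cosmosdb_network_values "$account_id")
  cosmosdb_network_status "$1" "$2"
}
```

Run audit_cosmosdb_accounts to list every account with its status, then restrict_cosmosdb_account with the account ID from that list and your trusted CIDR (and optionally the VNet and subnet names) to apply the same change as the remediation steps.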

Publication date Apr 7, 2020
