Verify That Private Endpoints Are Used Where Possible
Last updated: April 9, 2026
Framework Reference: A.8.23 Integration: Azure – Cosmos DB (Private Endpoint)
Why this matters
Private endpoints ensure that traffic between your Azure Cosmos DB and other services stays within the Azure backbone network, never traversing the public Internet. This significantly reduces exposure to external threats and gives organizations full control over access paths, making it a key control for data confidentiality and compliance.
What this check does
This Auto Check verifies that Azure Cosmos DB accounts have at least one private endpoint configured, and that the connection state is approved.
Check Logic:
Passes if:
A private endpoint exists for the Cosmos DB account
Connection state = Approved
Fails if:
No private endpoint is configured
OR Private endpoint exists but is not in approved state
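As an added example that is not part of this check's documentation, the following Python script applies the pass/fail logic above to the JSON returned by az cosmosdb private-endpoint-connection list. The sample output is constructed here, and the field name privateLinkServiceConnectionState.status is assumed from the Azure private endpoint connection schema. Where several endpoints exist, one approved connection is taken as a pass and the remaining ones are listed for follow-up.

```python
import json

# Constructed sample in the shape of `az cosmosdb private-endpoint-connection list`
# output (a JSON array of connection objects). Field names follow the Azure
# privateEndpointConnections schema (privateLinkServiceConnectionState.status);
# the names, ids and statuses here are invented for illustration.
SAMPLE_CONNECTIONS = """
[
  {
    "name": "pe-cosmos-prod",
    "groupId": "Sql",
    "privateEndpoint": {"id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/privateEndpoints/pe-cosmos-prod"},
    "privateLinkServiceConnectionState": {"status": "Approved", "description": "Auto-approved", "actionsRequired": "None"}
  },
  {
    "name": "pe-cosmos-test",
    "groupId": "Sql",
    "privateEndpoint": {"id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/privateEndpoints/pe-cosmos-test"},
    "privateLinkServiceConnectionState": {"status": "Pending", "description": "Awaiting approval", "actionsRequired": "None"}
  }
]
"""


def evaluate_private_endpoint_check(connections_json: str) -> dict:
    """Apply the check logic to the CLI's JSON output.

    PASS - at least one connection is Approved (others are reported for follow-up)
    FAIL - no connection at all, or none of them is Approved
    """
    connections = json.loads(connections_json)
    if not connections:
        return {"result": "FAIL", "reason": "No private endpoint is configured",
                "approved": [], "not_approved": []}

    approved, not_approved = [], []
    for conn in connections:
        status = conn.get("privateLinkServiceConnectionState", {}).get("status", "")
        # Compare case-insensitively; a missing status counts as not approved.
        (approved if status.lower() == "approved" else not_approved).append(
            f"{conn.get('name', '<unnamed>')} ({status or 'Unknown'})")

    if approved:
        return {"result": "PASS", "reason": "Approved private endpoint present",
                "approved": approved, "not_approved": not_approved}
    return {"result": "FAIL", "reason": "Private endpoint exists but is not in approved state",
            "approved": approved, "not_approved": not_approved}


if __name__ == "__main__":
    import sys
    # Pipe real CLI output into the script; with no piped input the sample is evaluated.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONNECTIONS
    print(json.dumps(evaluate_private_endpoint_check(data), indent=2))
```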
How to fix it
Azure Portal:
Open the Azure portal and go to Cosmos DB
Select the Cosmos DB account
Click Networking → Private access
Click + Private Endpoint
Provide a Name and click Next
Under Resource type, select Microsoft.AzureCosmosDB/databaseAccounts
Under Resource, select your Cosmos DB account
Click Next, then enter:
Virtual network details
DNS configuration
Tags (optional)
Click Next: Review + create, then Create
Azure CLI:
az network private-endpoint create \
  --name <private-endpoint-name> \
  --resource-group <resource-group> \
  --vnet-name <vnet-name> \
  --subnet <subnet-name> \
  --private-connection-resource-id /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.DocumentDB/databaseAccounts/<cosmosdb-name> \
  --group-id Sql \
  --connection-name <connection-name>
To verify connection state:
az cosmosdb private-endpoint-connection list \
  --account-name <cosmosdb-name> \
  --resource-group <resource-group>
PowerShell:
PowerShell command not explicitly provided by the CIS Benchmark. Use Azure Portal or CLI to configure.
Exceptions
None. Private endpoints should be configured wherever network isolation is required.
Further resources
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints
https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-cosmosdb-portal
https://docs.microsoft.com/en-us/cli/azure/cosmosdb/private-endpoint-connection?view=azure-cli-latest
https://docs.microsoft.com/en-us/cli/azure/network/private-endpoint?view=azure-cli-latest#az-network-private-endpoint-create
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls