Verify that 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
Why this matters
Allowing Azure Cosmos DB accounts to be accessible from all networks, including the public Internet, significantly increases the attack surface. Restricting access to selected virtual networks ensures that only explicitly allowed traffic can reach the database, reducing the risk of unauthorized access and data exfiltration.
What this check does
This Auto Check verifies that Azure Cosmos DB accounts are configured to only allow traffic from selected networks.
Check Logic:
Passes if:
- publicNetworkAccess = Disabled
- OR publicNetworkAccess = Enabled AND isVirtualNetworkFilterEnabled = true
Fails if:
- publicNetworkAccess = Enabled AND isVirtualNetworkFilterEnabled = false
This ensures that the database is not exposed to the public Internet and is restricted to a defined list of virtual networks.
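The check logic above, implemented as an added example (not part of this check page or of any vendor tooling) over the JSON shape that `az cosmosdb show` returns; the account documents, names and subnet ID are constructed, and the nested `properties` form is accepted as an assumption for ARM-style output.

```python
"""Evaluate Cosmos DB accounts against the 'selected networks only' check."""


def evaluate_network_access(account: dict) -> dict:
    """Apply the pass/fail logic from the check to one account document.

    Pass: publicNetworkAccess = Disabled, or Enabled with
    isVirtualNetworkFilterEnabled = true. Fail: Enabled with the filter off.
    Accepts the flat `az cosmosdb show` shape or an ARM-style document
    with the same keys under "properties" (assumption, not from the page).
    """
    props = account.get("properties", account)
    public_access = str(props.get("publicNetworkAccess", "Enabled"))
    vnet_filter = bool(props.get("isVirtualNetworkFilterEnabled", False))
    rules = props.get("virtualNetworkRules") or []

    if public_access.lower() == "disabled":
        status, reason = "PASS", "public network access disabled"
    elif vnet_filter:
        status, reason = "PASS", f"VNet filter on, {len(rules)} subnet rule(s)"
    else:
        status, reason = "FAIL", "public access enabled and VNet filter off"

    # Extra caveat for reviewers: the filter is on but no subnet is listed,
    # so nothing is actually allowed through it yet.
    note = "filter enabled but no subnet rules" if vnet_filter and not rules else ""
    return {"name": account.get("name"), "status": status, "reason": reason, "note": note}


def evaluate_all(accounts: list) -> list:
    """Evaluate every account in an `az cosmosdb list` style array."""
    return [evaluate_network_access(a) for a in accounts]


# Constructed sample accounts covering the three branches of the check.
SAMPLE_ACCOUNTS = [
    {"name": "cosmos-prod-a", "publicNetworkAccess": "Disabled",
     "isVirtualNetworkFilterEnabled": False, "virtualNetworkRules": []},
    {"name": "cosmos-prod-b", "publicNetworkAccess": "Enabled",
     "isVirtualNetworkFilterEnabled": True,
     "virtualNetworkRules": [{"id": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                    "/resourceGroups/rg-example/providers/Microsoft.Network"
                                    "/virtualNetworks/vnet-example/subnets/subnet-app"}]},
    {"name": "cosmos-dev-c", "publicNetworkAccess": "Enabled",
     "isVirtualNetworkFilterEnabled": False, "virtualNetworkRules": []},
]

if __name__ == "__main__":
    for r in evaluate_all(SAMPLE_ACCOUNTS):
        print(f"{r['status']:4} {r['name']}: {r['reason']} {r['note']}".rstrip())
```

Feed it the output of `az cosmosdb list` (parsed with `json.loads`) to evaluate every account in a subscription.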
How to fix it
Azure Portal:
- Go to the Azure portal
- Open the Cosmos DB blade
- Select the Cosmos DB account
- Click on Networking
- Under Public network access, select Selected networks
- Under Virtual networks, click + Add existing virtual network or + Add new virtual network
- For existing networks, select the subscription, virtual network, and subnet
- Click Add, then Save
Azure CLI:
az cosmosdb update \
--name <cosmosdb-account-name> \
--resource-group <resource-group> \
--default-action Deny \
--virtual-network-rules "[{id:'/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>'}]"
Confirm configuration:
az cosmosdb show --name <cosmosdb-account-name> --resource-group <resource-group> --query "isVirtualNetworkFilterEnabled"
PowerShell:
Direct remediation via PowerShell is not explicitly defined in CIS. Use Azure CLI or Portal for enforcement.
Exceptions
None. Cosmos DB accounts should never be open to all networks.
Further resources
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint
https://docs.microsoft.com/en-us/cli/azure/cosmosdb?view=azure-cli-latest#az-cosmosdb-show
https://docs.microsoft.com/en-us/cli/azure/cosmosdb/database?view=azure-cli-latest#az-cosmosdb-database-list
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls