Verify That Private Endpoints Are Used Where Possible
Why this matters
Private endpoints ensure that traffic between your Azure Cosmos DB account and other services stays within the Azure backbone network and never traverses the public Internet. This significantly reduces exposure to external threats and gives organizations full control over access paths, making it a key control for data confidentiality and compliance.
What this check does
This Auto Check verifies that Azure Cosmos DB accounts have at least one private endpoint configured, and that the connection state is approved.
Check Logic:
Passes if:
- A private endpoint exists for the Cosmos DB account
- Connection state = Approved
Fails if:
- No private endpoint is configured
- OR: A private endpoint exists but its connection is not in the Approved state
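The pass/fail logic above can be applied programmatically to the JSON that `az cosmosdb private-endpoint-connection list` prints. The following is an added example written for this page, not CIS Benchmark or Microsoft code; the sample records are constructed, and the field names (`privateLinkServiceConnectionState.status`, `privateEndpoint.id`, `groupId`) are assumed to match the CLI's camelCase output for the Microsoft.DocumentDB private endpoint connection resource.

```python
import json

# Constructed sample data (assumption: same shape as the CLI's JSON output).
# Three accounts cover the three outcomes the check logic defines.
SAMPLE_ACCOUNTS = {
    "cosmos-approved": [
        {
            "name": "pe-conn-1",
            "groupId": "Sql",
            "privateEndpoint": {"id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/privateEndpoints/pe-1"},
            "privateLinkServiceConnectionState": {"status": "Approved", "description": "Auto-approved"},
            "provisioningState": "Succeeded",
        }
    ],
    "cosmos-pending": [
        {
            "name": "pe-conn-2",
            "groupId": "Sql",
            "privateEndpoint": {"id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Network/privateEndpoints/pe-2"},
            "privateLinkServiceConnectionState": {"status": "Pending", "description": "Awaiting approval"},
            "provisioningState": "Succeeded",
        }
    ],
    "cosmos-none": [],
}


def evaluate_private_endpoints(connections):
    """Return ("PASS" | "FAIL", reason) for one account's connection list.

    PASS requires at least one connection whose state is Approved; a Pending or
    Rejected connection on its own does not satisfy the check.
    """
    if not connections:
        return ("FAIL", "no private endpoint is configured")

    statuses = [
        str(c.get("privateLinkServiceConnectionState", {}).get("status", "")).strip()
        for c in connections
    ]
    approved = [c["name"] for c, s in zip(connections, statuses) if s.lower() == "approved"]
    if approved:
        return ("PASS", "approved private endpoint connection(s): " + ", ".join(approved))
    return ("FAIL", "private endpoint exists but is not approved (states: " + ", ".join(statuses or ["?"]) + ")")


def evaluate_cli_output(raw_json):
    """Evaluate the raw JSON text printed by `az cosmosdb private-endpoint-connection list`."""
    return evaluate_private_endpoints(json.loads(raw_json))


def audit_accounts(accounts):
    """Map account name -> PASS/FAIL verdict over a dict of connection lists."""
    return {name: evaluate_private_endpoints(conns)[0] for name, conns in accounts.items()}


if __name__ == "__main__":
    for name, conns in SAMPLE_ACCOUNTS.items():
        verdict, reason = evaluate_private_endpoints(conns)
        print(f"{name}: {verdict} - {reason}")
```

In a real audit, pipe the CLI output into `evaluate_cli_output` for each account returned by `az cosmosdb list`. Note that an approved private endpoint does not by itself block public access to the account; the account's public network access setting is a separate control and is not evaluated by this check.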
How to fix it
Azure Portal:
- Open the Azure portal and go to Cosmos DB
- Select the Cosmos DB account
- Click Networking > Private access
- Click + Private Endpoint
- Provide a Name and click Next
- Under Resource type, select Microsoft.AzureCosmosDB/databaseAccounts
- Under Resource, select your Cosmos DB account
- Click Next, then enter:
- Virtual network details
- DNS configuration
- Tags (optional)
- Click Next: Review + create, then Create
Azure CLI:
az network private-endpoint create \
--name <private-endpoint-name> \
--resource-group <resource-group> \
--vnet-name <vnet-name> \
--subnet <subnet-name> \
--private-connection-resource-id /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.DocumentDB/databaseAccounts/<cosmosdb-name> \
--group-id Sql \
--connection-name <connection-name>
To verify connection state:
az cosmosdb private-endpoint-connection list \
--account-name <cosmosdb-name> \
--resource-group <resource-group>
PowerShell:
PowerShell command not explicitly provided by the CIS Benchmark. Use Azure Portal or CLI to configure.
Exceptions
None. Private endpoints should be configured wherever network isolation is required.
Further resources
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints
https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-cosmosdb-portal
https://docs.microsoft.com/en-us/cli/azure/cosmosdb/private-endpoint-connection?view=azure-cli-latest
https://docs.microsoft.com/en-us/cli/azure/network/private-endpoint?view=azure-cli-latest#az-network-private-endpoint-create
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-2-secure-cloud-native-services-with-network-controls