Disable public network access on Data Explorer clusters#
Security · Data Explorer · Rule · 2025_12 · Critical
Azure Data Explorer (ADX) clusters should have public network access disabled.
Description#
Disabling public network access improves security by ensuring that the cluster isn't exposed on the public internet. You can control exposure of your clusters by creating private endpoints instead.
Recommendation#
Consider disabling public network access on Azure Data Explorer clusters, using private endpoints to control connectivity.
Examples#
Configure with Azure template#
To deploy Data Explorer clusters that pass this rule:
- Set the properties.publicNetworkAccess property to Disabled.
For example:
Azure Template snippet
{
  "type": "Microsoft.Kusto/clusters",
  "apiVersion": "2024-04-13",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_D11_v2",
    "tier": "Standard"
  },
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "enableDiskEncryption": true,
    "publicNetworkAccess": "Disabled"
  }
}
Configure with Bicep#
To deploy Data Explorer clusters that pass this rule:
- Set the properties.publicNetworkAccess property to Disabled.
For example:
Azure Bicep snippet
resource adx 'Microsoft.Kusto/clusters@2024-04-13' = {
  name: name
  location: location
  sku: {
    name: 'Standard_D11_v2'
    tier: 'Standard'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    enableDiskEncryption: true
    publicNetworkAccess: 'Disabled'
  }
}
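The following Python check is an added example, not part of the original page or of the rule's own implementation. It walks an ARM template (including the JSON that bicep build emits), descends into child resources and nested deployments, and reports every Microsoft.Kusto/clusters resource whose properties.publicNetworkAccess is not Disabled. The sample template and cluster names are constructed, and treating an unset property as a failure is this example's assumption.

```python
import json

KUSTO_TYPE = "microsoft.kusto/clusters"

def iter_resources(resources):
    """Yield each resource, including child resources and nested deployments."""
    if isinstance(resources, dict):  # languageVersion 2.0 keys resources by symbolic name
        resources = resources.values()
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))
        if str(res.get("type", "")).lower() == "microsoft.resources/deployments":
            nested = (res.get("properties") or {}).get("template") or {}
            yield from iter_resources(nested.get("resources"))

def check_template(template):
    """Return a (name, verdict, detail) tuple for every Data Explorer cluster."""
    findings = []
    for res in iter_resources(template.get("resources")):
        if str(res.get("type", "")).lower() != KUSTO_TYPE:
            continue
        value = (res.get("properties") or {}).get("publicNetworkAccess")
        if value is None:
            # Assumption of this example: the setting must be stated explicitly.
            verdict, detail = "FAIL", "publicNetworkAccess not set"
        elif isinstance(value, str) and value.startswith("[") and not value.startswith("[["):
            # Template expression: cannot be resolved without the parameter values.
            verdict, detail = "REVIEW", value
        elif str(value).lower() == "disabled":
            verdict, detail = "PASS", str(value)
        else:
            verdict, detail = "FAIL", str(value)
        findings.append((res.get("name"), verdict, detail))
    return findings

# Constructed sample template (not from the page); cluster names are made up.
SAMPLE = json.loads("""{"resources": [
  {"type": "Microsoft.Kusto/clusters", "name": "adx-private",
   "properties": {"publicNetworkAccess": "Disabled"}},
  {"type": "Microsoft.Kusto/clusters", "name": "adx-unset", "properties": {}},
  {"type": "Microsoft.Kusto/clusters", "name": "adx-param",
   "properties": {"publicNetworkAccess": "[parameters('access')]"}},
  {"type": "Microsoft.Resources/deployments", "name": "nested",
   "properties": {"template": {"resources": [
     {"type": "Microsoft.Kusto/clusters", "name": "adx-public",
      "properties": {"publicNetworkAccess": "Enabled"}}]}}}
]}""")

if __name__ == "__main__":
    for name, verdict, detail in check_template(SAMPLE):
        print(f"{verdict:6} {name}: {detail}")
```

A REVIEW verdict means the value is a template expression, so the parameter files used at deployment time have to be checked as well.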
Links#
- SE:06 Network controls
- Security: Level 4
- Restrict public access to your Azure Data Explorer cluster
- Azure security baseline for Azure Data Explorer
- NS-2: Secure cloud services with network controls
- Azure deployment reference