# Disable public network access on Cosmos DB
Security · Cosmos DB · Rule · 2024_06 · Critical
Azure Cosmos DB should have public network access disabled.
## Description
Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can control exposure of your resources by creating private endpoints instead.
## Recommendation
Consider disabling public network access on Cosmos DB, using private endpoints to control connectivity for data plane operations.
## Examples

### Configure with Azure template
To deploy database accounts that pass this rule:
- Set the `properties.publicNetworkAccess` property to `Disabled`.
For example:
Azure Template snippet

```json
{
  "type": "Microsoft.DocumentDB/databaseAccounts",
  "apiVersion": "2023-11-15",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "kind": "GlobalDocumentDB",
  "properties": {
    "publicNetworkAccess": "Disabled",
    "locations": [
      {
        "locationName": "[parameters('location')]",
        "failoverPriority": 0,
        "isZoneRedundant": true
      }
    ]
  }
}
```
### Configure with Bicep
To deploy database accounts that pass this rule:
- Set the `properties.publicNetworkAccess` property to `Disabled`.
For example:
Azure Bicep snippet

```bicep
resource account 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = {
  name: name
  location: location
  kind: 'GlobalDocumentDB'
  properties: {
    publicNetworkAccess: 'Disabled'
    locations: [
      {
        locationName: location
        failoverPriority: 0
        isZoneRedundant: true
      }
    ]
  }
}
```
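The following is an added example, not part of the PSRule documentation or the PSRule project: a small Python check that scans an ARM template for `Microsoft.DocumentDB/databaseAccounts` resources and reports any whose `publicNetworkAccess` is not `Disabled`. The template it runs against is constructed inline; the resource names in it are made up.

```python
# Added example (not PSRule's own code): report Cosmos DB accounts in an ARM
# template that would fail the "public network access disabled" check.
import json

COSMOS_TYPE = "microsoft.documentdb/databaseaccounts"


def find_public_cosmos_accounts(template: dict) -> list:
    """Return names of Cosmos DB accounts whose publicNetworkAccess is not 'Disabled'.

    An absent property is reported as well: when omitted, the service defaults
    it to 'Enabled', which leaves the account reachable from the public internet.
    """
    findings = []
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != COSMOS_TYPE:
            continue
        props = res.get("properties") or {}
        access = str(props.get("publicNetworkAccess", "Enabled"))
        if access.lower() != "disabled":
            findings.append(res.get("name", "<unnamed>"))
    return findings


# Constructed sample template: one compliant account and one that keeps the default.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.DocumentDB/databaseAccounts",
      "apiVersion": "2023-11-15",
      "name": "cosmos-private",
      "location": "eastus",
      "kind": "GlobalDocumentDB",
      "properties": { "publicNetworkAccess": "Disabled", "locations": [] }
    },
    {
      "type": "Microsoft.DocumentDB/databaseAccounts",
      "apiVersion": "2023-11-15",
      "name": "cosmos-public",
      "location": "eastus",
      "kind": "GlobalDocumentDB",
      "properties": { "locations": [] }
    }
  ]
}
""")

if __name__ == "__main__":
    for name in find_public_cosmos_accounts(SAMPLE_TEMPLATE):
        print(f"FAIL: {name} allows public network access")
```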
## Links
- SE:06 Network controls
- Configure Azure Private Link for an Azure Cosmos DB account
- Azure security baseline for Azure Cosmos DB
- NS-2: Secure cloud services with network controls
- Azure deployment reference