Skip to content

Use private endpoints with Azure Cache for Redis#

Security · Azure Cache for Redis · Rule · 2022_03 · Critical

Redis cache should disable public network access.

Description#

When using Azure Cache for Redis, you can configure the cache to be private or accessible from the public Internet. By default, the cache is configured to be accessible from the public Internet.

To limit network access to the cache you can use firewall rules or private endpoints. Using private endpoints with Azure Cache for Redis is the recommend approach for most scenarios.

Use private endpoints to improve the security posture of your Redis cache and reduce the risk of data breaches.

A private endpoint provides secure and private connectivity to Redis instances by:

  • Using a private IP address from your VNET.
  • Blocking all traffic from public networks.

If you are using VNET injection, it is recommended to migrate to private endpoints.

Recommendation#

Consider using private endpoints to limit network connectivity to the cache and help reduce data exfiltration risks.

Examples#

Configure with Azure template#

To deploy caches that pass this rule:

  • Set the properties.publicNetworkAccess property to Disabled.

For example:

Azure Template snippet
{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2023-04-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "minimumTlsVersion": "1.2",
    "redisVersion": "latest",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "maxmemory-reserved": "615"
    },
    "enableNonSslPort": false,
    "publicNetworkAccess": "Disabled"
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}

Configure with Bicep#

To deploy caches that pass this rule:

  • Set the properties.publicNetworkAccess property to Disabled.

For example:

Azure Bicep snippet
resource cache 'Microsoft.Cache/redis@2023-04-01' = {
  name: name
  location: location
  properties: {
    minimumTlsVersion: '1.2'
    redisVersion: 'latest'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'maxmemory-reserved': '615'
    }
    enableNonSslPort: false
    publicNetworkAccess: 'Disabled'
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}

Comments