
Use private endpoints with Azure Cache for Redis

Security · Azure Cache for Redis · Rule · 2022_03 · Critical

Redis cache should disable public network access.

Description

When using Azure Cache for Redis, you can configure the cache to be private or accessible from the public Internet. By default, the cache is configured to be accessible from the public Internet.

To limit network access to the cache you can use firewall rules or private endpoints. Using private endpoints with Azure Cache for Redis is the recommended approach for most scenarios.

Use private endpoints to improve the security posture of your Redis cache and reduce the risk of data breaches.

A private endpoint provides secure and private connectivity to Redis instances by:

  • Using a private IP address from your VNET.
  • Blocking all traffic from public networks.

If you are using VNET injection, it is recommended to migrate to private endpoints.

Recommendation

Consider using private endpoints to limit network connectivity to the cache and help reduce data exfiltration risks.

Examples

Configure with Azure template

To deploy caches that pass this rule:

  • Set the properties.publicNetworkAccess property to Disabled.

For example:

Azure Template snippet

```json
{
  "type": "Microsoft.Cache/redis",
  "apiVersion": "2023-04-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "minimumTlsVersion": "1.2",
    "redisVersion": "latest",
    "sku": {
      "name": "Premium",
      "family": "P",
      "capacity": 1
    },
    "redisConfiguration": {
      "maxmemory-reserved": "615"
    },
    "enableNonSslPort": false,
    "publicNetworkAccess": "Disabled"
  },
  "zones": [
    "1",
    "2",
    "3"
  ]
}
```
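The rule condition above (a `Microsoft.Cache/redis` resource passes only when `properties.publicNetworkAccess` is `Disabled`) is easy to reproduce in a pre-deployment check of your own. The script below is an added example, not code from the page or from PSRule for Azure: it walks the `resources` array of an ARM template (including nested child resources), treats a missing `publicNetworkAccess` as the platform default of public access enabled, as the Description states, and reports a Pass/Fail verdict per cache. The template it scans is constructed inline for the example and the resource names in it are made up; the function names `evaluate_template` and `failing_caches` are the example's own.

```python
import json

# Constructed sample ARM template (not from the page). The first cache passes the rule,
# the second explicitly enables public access, the third omits the property and so
# inherits the platform default (public access enabled), and the fourth is an
# unrelated resource type that the check must ignore.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Cache/redis",
            "apiVersion": "2023-04-01",
            "name": "cache-private",
            "properties": {"publicNetworkAccess": "Disabled", "enableNonSslPort": False},
        },
        {
            "type": "Microsoft.Cache/redis",
            "apiVersion": "2023-04-01",
            "name": "cache-public",
            "properties": {"publicNetworkAccess": "Enabled"},
        },
        {
            "type": "Microsoft.Cache/redis",
            "apiVersion": "2023-04-01",
            "name": "cache-default",
            "properties": {},
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "unrelated",
            "properties": {"publicNetworkAccess": "Enabled"},
        },
    ],
})

REDIS_TYPE = "microsoft.cache/redis"


def iter_resources(resources):
    """Yield every resource in a classic ARM 'resources' array, descending into
    nested child 'resources' arrays as well."""
    for res in resources or []:
        yield res
        yield from iter_resources(res.get("resources"))


def public_network_access(resource):
    """Return the effective publicNetworkAccess value for a resource.
    An absent property means the platform default, which is Enabled."""
    props = resource.get("properties") or {}
    return str(props.get("publicNetworkAccess", "Enabled"))


def evaluate_template(template_text):
    """Return {resource name: 'Pass' | 'Fail'} for each Redis cache in the template,
    mirroring the rule: only publicNetworkAccess == 'Disabled' passes."""
    template = json.loads(template_text)
    results = {}
    for res in iter_resources(template.get("resources")):
        if str(res.get("type", "")).lower() != REDIS_TYPE:
            continue
        passed = public_network_access(res).lower() == "disabled"
        results[str(res.get("name"))] = "Pass" if passed else "Fail"
    return results


def failing_caches(template_text):
    """Sorted names of caches that would fail the rule; useful as a CI gate."""
    return sorted(name for name, verdict in evaluate_template(template_text).items()
                  if verdict == "Fail")


if __name__ == "__main__":
    for name, verdict in evaluate_template(SAMPLE_TEMPLATE).items():
        print(f"{verdict}: {name}")
    # Non-zero exit when any cache would be publicly reachable.
    raise SystemExit(1 if failing_caches(SAMPLE_TEMPLATE) else 0)
```

Two design points worth noting: an absent property is deliberately scored as a failure rather than skipped, because the default is public access, and the type comparison is case-insensitive since ARM resource types are not case-sensitive. Disabling public access on its own only closes the front door; the cache still needs a private endpoint (or another private connectivity path) deployed alongside it, or clients will lose connectivity.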

Configure with Bicep

To deploy caches that pass this rule:

  • Set the properties.publicNetworkAccess property to Disabled.

For example:

Azure Bicep snippet

```bicep
resource cache 'Microsoft.Cache/redis@2023-04-01' = {
  name: name
  location: location
  properties: {
    minimumTlsVersion: '1.2'
    redisVersion: 'latest'
    sku: {
      name: 'Premium'
      family: 'P'
      capacity: 1
    }
    redisConfiguration: {
      'maxmemory-reserved': '615'
    }
    enableNonSslPort: false
    publicNetworkAccess: 'Disabled'
  }
  zones: [
    '1'
    '2'
    '3'
  ]
}
```

Configure with Azure Verified Modules

A pre-built module is available on the Azure Bicep public registry. To reference the module, use the following syntax:

br/public:avm/res/cache/redis:<version>
