Restrict Default Network Access for Azure Cosmos DB Accounts

More Info:

Ensure that your Microsoft Azure Cosmos DB accounts are configured to deny access to traffic from all networks, including the public Internet. By restricting the public access to your Azure Cosmos accounts, you add an additional layer of security to the account resources, as the default action is to accept requests from any source. To limit access to trusted networks and/or IP addresses only, you must update the firewall and the virtual network configuration for your Cosmos DB accounts.

Risk Level

Medium

Address

Security

Compliance Standards

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Restrict Default Network Access for Azure Cosmos DB Accounts” in Azure using Azure CLI, follow the below steps:

Open the Azure CLI on your local machine or use the Azure Cloud Shell.
Login to your Azure account using the command az login.
Once logged in, select the subscription you want to work with using the command az account set --subscription <subscription_id>.
Get the list of Cosmos DB accounts in the selected subscription using the command az cosmosdb list.
Choose the Cosmos DB account for which you want to restrict default network access.
Run the following command to update the Cosmos DB account settings to restrict default network access:

az cosmosdb update \
    --name <cosmos_db_account_name> \
    --resource-group <resource_group_name> \
    --default-consistency-level <consistency_level> \
    --disable-key-based-metadata-write-access true \
    --enable-automatic-failover true \
    --enable-multiple-write-locations true \
    --locations regionName=<region_name> isZoneRedundant=False \
    --max-interval 10 \
    --max-staleness-prefix 200 \
    --max-staleness-seconds 300 \
    --network-acl-bypass AzureServices \
    --network-acl-bypass-resource-ids /subscriptions/<subscription_id>/resourceGroups/Microsoft.Network/providers/Microsoft.Network/virtualNetworks/default \
    --virtual-network-rule "" \
    --ip-range-filter "" \
    --public-network-access Disabled

Note: Replace the placeholders <cosmos_db_account_name>, <resource_group_name>, <consistency_level>, <region_name>, and <subscription_id> with the actual values.

Once the command is executed successfully, the default network access for the Cosmos DB account will be restricted.

This will remediate the misconfiguration “Restrict Default Network Access for Azure Cosmos DB Accounts” in Azure using Azure CLI.

Using Python

To restrict default network access for Azure Cosmos DB Accounts using Python, you can follow these steps:

Import the necessary modules:

from azure.cosmos import CosmosClient
from azure.cosmos.errors import CosmosHttpResponseError

Create a Cosmos DB client instance:

endpoint = "your_cosmos_db_account_endpoint"
key = "your_cosmos_db_account_key"
client = CosmosClient(endpoint, key)

Get the Cosmos DB account properties:

try:
    properties = client.ReadAccount()
except CosmosHttpResponseError as e:
    print(e)
    sys.exit(1)

Check if default network access is enabled:

if properties["enableMultipleWriteLocations"]:
    print("Default network access is enabled.")
else:
    print("Default network access is disabled.")
    sys.exit(0)

Disable default network access:

properties["enableMultipleWriteLocations"] = False
try:
    client.UpdateAccount(properties)
    print("Default network access has been disabled.")
except CosmosHttpResponseError as e:
    print(e)
    sys.exit(1)

The complete code will look like this:

from azure.cosmos import CosmosClient
from azure.cosmos.errors import CosmosHttpResponseError

endpoint = "your_cosmos_db_account_endpoint"
key = "your_cosmos_db_account_key"
client = CosmosClient(endpoint, key)

try:
    properties = client.ReadAccount()
except CosmosHttpResponseError as e:
    print(e)
    sys.exit(1)

if properties["enableMultipleWriteLocations"]:
    print("Default network access is enabled.")
else:
    print("Default network access is disabled.")
    sys.exit(0)

properties["enableMultipleWriteLocations"] = False
try:
    client.UpdateAccount(properties)
    print("Default network access has been disabled.")
except CosmosHttpResponseError as e:
    print(e)
    sys.exit(1)

Note: Replace “your_cosmos_db_account_endpoint” and “your_cosmos_db_account_key” with the actual values of your Cosmos DB account.

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Restrict Default Network Access for Azure Cosmos DB Accounts

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation