Ensure there are no firewall rules allowing Redis Cache access for a large number of source IPs

It is recommended that the number of source IP addresses that can access the Redis Cache service be restricted. When firewall rules are configured, only allow connections from necessary IP address ranges.

Risk Level: High
Cloud Entity: Azure Redis Cache
CloudGuard Rule ID: D9.AZU.NET.13
Covered by Spectral: Yes
Category: Database

GSL LOGIC

RedisCache should not have firewallRules contain-any [ countHostsInRange>256 ]

REMEDIATION

From Portal

  1. Go to 'Redis Cache' from the Azure Management console.
  2. For each Redis Cache, select Firewall.
  3. Add/Edit each rule so the total number of addresses is less than 256.
  4. Click Save.
    NOTE: By default, no firewall rules are set.

From TF
To set firewall rules, use the following configuration:

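resource "azurerm_redis_firewall_rule" "example" {
  # Placeholder values; replace with your own rule name, cache and resource group
  name                = "RULENAME"
  redis_cache_name    = "REDISNAME"
  resource_group_name = "RESOURCEGROUP"
  start_ip            = "START-IP"
  end_ip              = "END-IP"
}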

From Command Line
Run:

az redis firewall-rules create --resource-group RESOURCEGROUP --name REDISNAME --rule-name RULENAME --start-ip START-IP --end-ip END-IP
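
To check existing rules against the threshold in the GSL logic above, the following added example (not part of CloudGuard or the Azure CLI) counts the addresses in each start/end range and flags rules with more than 256. It assumes the count is inclusive of both endpoints and that rules are supplied as JSON objects with `name`, `startIp` and `endIp` fields, as in `az redis firewall-rules list` output; the sample rules are constructed.

```python
import ipaddress

MAX_HOSTS = 256  # threshold from the rule's GSL logic: countHostsInRange>256

# Constructed sample shaped like `az redis firewall-rules list` JSON output
# (the field names startIp/endIp are an assumption about that output).
SAMPLE_RULES = [
    {"name": "office", "startIp": "203.0.113.10", "endIp": "203.0.113.20"},
    {"name": "slash24", "startIp": "198.51.100.0", "endIp": "198.51.100.255"},
    {"name": "wide", "startIp": "10.0.0.0", "endIp": "10.0.1.0"},
    {"name": "any", "startIp": "0.0.0.0", "endIp": "255.255.255.255"},
    {"name": "reversed", "startIp": "192.0.2.9", "endIp": "192.0.2.1"},
]


def hosts_in_range(start_ip, end_ip):
    """Inclusive count of IPv4 addresses between start_ip and end_ip."""
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)
    if end < start:
        raise ValueError(f"end {end} is below start {start}")
    return int(end) - int(start) + 1


def audit(rules, max_hosts=MAX_HOSTS):
    """Return (name, host_count, verdict) for each firewall rule."""
    findings = []
    for rule in rules:
        try:
            count = hosts_in_range(rule["startIp"], rule["endIp"])
        except (KeyError, ValueError) as exc:
            # Missing fields, malformed addresses or reversed ranges
            findings.append((rule.get("name"), None, f"INVALID: {exc}"))
            continue
        # Only ranges strictly larger than max_hosts are flagged
        verdict = "FAIL" if count > max_hosts else "PASS"
        findings.append((rule.get("name"), count, verdict))
    return findings


if __name__ == "__main__":
    for name, count, verdict in audit(SAMPLE_RULES):
        print(f"{name:10} {count!s:>12} {verdict}")
```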

References

  1. https://docs.microsoft.com/en-us/azure/redis-cache/cache-configure#firewall
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_firewall_rule
  3. https://learn.microsoft.com/en-us/cli/azure/redis/firewall-rules?view=azure-cli-latest#az-redis-firewall-rules-create

Azure Redis Cache

Fully managed, open source-compatible in-memory data store to power fast, scalable applications. Azure Redis Cache is based on the popular open-source Redis cache. It is typically used as a cache to improve the performance and scalability of systems that rely heavily on backend data stores. Performance is improved by temporarily copying frequently accessed data to fast storage located close to the application. With Redis cache, this fast storage is located in-memory with Redis Cache instead of being loaded from disk by a dat

Compliance Frameworks

  • Azure CSA CCM v.3.0.1
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure CloudGuard Network Security Alerts
  • Azure CloudGuard SOC2 based on AICPA TSC 2017
  • Azure HIPAA
  • Azure ISO 27001:2013
  • Azure LGPD regulation
  • Azure NIST 800-171
  • Azure NIST 800-53 Rev 4
  • Azure NIST 800-53 Rev 5
  • Azure NIST CSF v1.1
  • Azure New Zealand Information Security Manual (NZISM) v.3.4
  • CloudGuard Azure All Rules Ruleset