Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks

Disabling public network access ensures your Cosmos DB account isn't exposed to the public internet.

Risk Level: High
Cloud Entity: Azure Cosmos DB
CloudGuard Rule ID: D9.AZU.NET.62
Covered by Spectral: Yes
Category: Database


CosmosDbAccount should have publicNetworkAccess='Disabled'


From TF
Set the 'public_network_access_enabled' argument to 'false':

resource "azurerm_cosmosdb_account" "db" {
	public_network_access_enabled = false

From Command Line

az cosmosdb update --name COSMOS DB DATABASE ACCOUNT --resource-group  RESOURCE GROUP --enable-public-network false


  1. https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints#blocking-public-network-access-during-account-creation
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#public_network_access_enabled

Azure Cosmos DB

Azure Cosmos DB is a fully managed database service with turnkey global distribution and transparent multi-master replication. You can run globally distributed, low-latency operational and analytics workloads and AI on transactional data within your database.

Compliance Frameworks

  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset