Ensure Cosmos DB account access is not allowed from all networks

Azure Cosmos DB supports IP-based access controls for inbound firewall support. Restricting access to selected networks only adds a further layer of security to your database.

Risk Level: High
Cloud Entity: Azure Cosmos DB
CloudGuard Rule ID: D9.AZU.NET.63
Covered by Spectral: Yes
Category: Database


CosmosDbAccount should not have ( publicNetworkAccess='Enabled' and isVirtualNetworkFilterEnabled=false and ipRangeFilter isEmpty() )
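The rule expression above can be evaluated offline over exported account records. This is an added example, not CloudGuard's own engine; it assumes the records carry the property names used in the rule (publicNetworkAccess, isVirtualNetworkFilterEnabled, ipRangeFilter) and the sample records are constructed.

```python
"""Evaluate the D9.AZU.NET.63 logic over Cosmos DB account records (added example)."""
import json


def ip_range_filter_is_empty(value):
    """ipRangeFilter may be absent, an empty string, a comma-separated
    string, or a list of ranges; all of those count as 'isEmpty()'."""
    if value is None:
        return True
    if isinstance(value, str):
        return not any(part.strip() for part in value.split(","))
    return len(value) == 0


def is_open_to_all_networks(account):
    """True when the account matches the rule's failing condition:
    public access on, no VNet filter, and no IP range filter."""
    # Assumption: a missing publicNetworkAccess means the Azure default, 'Enabled'.
    public = account.get("publicNetworkAccess", "Enabled") == "Enabled"
    vnet_filter = bool(account.get("isVirtualNetworkFilterEnabled", False))
    return public and not vnet_filter and ip_range_filter_is_empty(account.get("ipRangeFilter"))


def evaluate(accounts):
    """Return {account name: 'FAIL' | 'PASS'} for each record."""
    return {a["name"]: ("FAIL" if is_open_to_all_networks(a) else "PASS") for a in accounts}


# Constructed sample records, not real accounts.
SAMPLE_ACCOUNTS = json.loads("""[
 {"name": "open-db",    "publicNetworkAccess": "Enabled",  "isVirtualNetworkFilterEnabled": false, "ipRangeFilter": ""},
 {"name": "vnet-db",    "publicNetworkAccess": "Enabled",  "isVirtualNetworkFilterEnabled": true,  "ipRangeFilter": ""},
 {"name": "ip-db",      "publicNetworkAccess": "Enabled",  "isVirtualNetworkFilterEnabled": false, "ipRangeFilter": "203.0.113.0/24"},
 {"name": "private-db", "publicNetworkAccess": "Disabled", "isVirtualNetworkFilterEnabled": false, "ipRangeFilter": ""}
]""")

if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_ACCOUNTS).items():
        print(f"{verdict}  {name}")
```

Only the first record fails; the rule passes as soon as the VNet filter is on or any IP range is set, so whether those rules actually cover only your intended clients is a separate review.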


From Portal

  1. Go to 'Azure Cosmos DB' and choose your Cosmos DB account.
  2. Select 'Firewall and virtual networks' on the navigation menu.
  3. Change the 'Allow access from' value to 'Selected networks'.
  4. Save.

From TF
Set the 'is_virtual_network_filter_enabled' argument to 'true':

resource "azurerm_cosmosdb_account" "db" {
  # other required arguments omitted for brevity
  is_virtual_network_filter_enabled = true
}

From Command Line

az cosmosdb update --name <COSMOS-DB-ACCOUNT-NAME> --resource-group <RESOURCE-GROUP> --enable-virtual-network true


  1. https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#is_virtual_network_filter_enabled

Azure Cosmos DB

Azure Cosmos DB is a fully managed database service with turnkey global distribution and transparent multi-master replication. You can run globally distributed, low-latency operational and analytics workloads and AI on transactional data within your database.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset