Ensure That Private Endpoints Are Used Where Possible

With a Private Endpoint, access to the Cosmos DB account can be limited to a set of private IP addresses in a subnet within a virtual network, so client traffic reaches the account over the Azure backbone rather than the public internet.

Risk Level: Medium
Cloud Entity: Azure Cosmos DB
CloudGuard Rule ID: D9.AZU.NET.64
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CosmosDbAccount should not have privateEndpointConnections isEmpty()
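The GSL rule above only asks whether the account has any private endpoint connection at all. The following is an added example, not CloudGuard's or Microsoft's code, that evaluates the same condition against the JSON returned by `az cosmosdb show -o json` and adds the two checks a practitioner would want alongside it: that at least one connection is actually Approved (a Pending connection carries no traffic), and that `publicNetworkAccess` is `Disabled`, because a private endpoint by itself does not close the account's public endpoint. The sample accounts are constructed and trimmed to the fields the check reads.

```python
"""Evaluate Cosmos DB accounts against the private-endpoint rule.

Added example: it reproduces the GSL check (privateEndpointConnections must be
non-empty) and extends it with an Approved-state check and a publicNetworkAccess
check. Input is the shape of `az cosmosdb show -o json`, trimmed to the fields
used here.
"""
import json

# Constructed sample accounts (not real resources), keyed by scenario.
SAMPLE_ACCOUNTS = {
    "no-private-endpoint": {
        "name": "cosmos-open",
        "privateEndpointConnections": [],
        "publicNetworkAccess": "Enabled",
    },
    "private-endpoint-but-public": {
        "name": "cosmos-half",
        "privateEndpointConnections": [
            {"privateLinkServiceConnectionState": {"status": "Approved"}}
        ],
        "publicNetworkAccess": "Enabled",
    },
    "pending-only": {
        "name": "cosmos-pending",
        "privateEndpointConnections": [
            {"privateLinkServiceConnectionState": {"status": "Pending"}}
        ],
        "publicNetworkAccess": "Disabled",
    },
    "compliant": {
        "name": "cosmos-private",
        "privateEndpointConnections": [
            {"privateLinkServiceConnectionState": {"status": "Approved"}}
        ],
        "publicNetworkAccess": "Disabled",
    },
}


def approved_private_endpoints(account):
    """Return the private endpoint connections whose link state is Approved."""
    return [
        conn
        for conn in account.get("privateEndpointConnections") or []
        if (conn.get("privateLinkServiceConnectionState") or {}).get("status")
        == "Approved"
    ]


def evaluate(account):
    """Return a list of findings; an empty list means the account passes.

    The first branch is the GSL rule itself; the remaining checks are the
    additional conditions a private-only posture actually requires.
    """
    findings = []
    connections = account.get("privateEndpointConnections") or []
    if not connections:
        findings.append("no private endpoint connections (fails D9.AZU.NET.64)")
    elif not approved_private_endpoints(account):
        findings.append("private endpoint connections exist but none is Approved")
    # Missing property is treated as Enabled, which is the service default.
    if account.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append(
            "publicNetworkAccess is not Disabled; the public endpoint still accepts traffic"
        )
    return findings


def evaluate_json(raw):
    """Evaluate raw `az cosmosdb show -o json` output."""
    return evaluate(json.loads(raw))


if __name__ == "__main__":
    for scenario, account in SAMPLE_ACCOUNTS.items():
        result = evaluate(account)
        status = "PASS" if not result else "; ".join(result)
        print(f"{account['name']} ({scenario}): {status}")
```

To run it against a live account, pipe the CLI output in: `az cosmosdb show -g <rg> -n <account> -o json` and pass the text to `evaluate_json`. An empty result is the only passing outcome; the GSL rule alone would already pass the `private-endpoint-but-public` and `pending-only` scenarios.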

REMEDIATION

From Portal

  1. Go to 'Azure Cosmos DB' and choose your Cosmos DB account.
  2. Select 'Private Endpoint Connections' in the navigation menu.
  3. Select 'Create a private endpoint' and complete the wizard.
  4. Review and create.

Note: Configuring a Private Endpoint requires additional configuration: a subnet in the target virtual network, and private DNS so that the account's hostname resolves to the private IP address. Creating the endpoint does not by itself disable the account's public endpoint; set public network access to Disabled as well, or the private endpoint only adds a path rather than restricting access. See the references below for creating a private endpoint with Terraform or the Azure CLI.

References

  1. https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints
  2. https://docs.azure.cn/en-us/cli/cosmosdb/private-endpoint-connection?view=azure-cli-latest
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#endpoint
  4. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint

Azure Cosmos DB

Azure Cosmos DB is a fully managed database service with turnkey global distribution and transparent multi-master replication. You can run globally distributed, low-latency operational and analytics workloads and AI on transactional data within your database.

Compliance Frameworks

  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset