Ensure That Private Endpoints Are Used Where Possible
With a Private Endpoint, access to a Cosmos DB account can be limited to a set of private IP addresses in a subnet within a virtual network.
Risk Level: Medium
Cloud Entity: Azure Cosmos DB
CloudGuard Rule ID: D9.AZU.NET.64
Covered by Spectral: Yes
Category: Database
GSL LOGIC
CosmosDbAccount should not have privateEndpointConnections isEmpty()
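As an added example (not CloudGuard's or Check Point's code), the rule's GSL logic evaluated offline in Python against constructed account records shaped like `az cosmosdb show` output. It also goes beyond the rule as written by warning on accounts whose connections are not yet Approved, since a Pending or Rejected private endpoint connection satisfies `isEmpty()` but carries no traffic; account and endpoint names are made up.

```python
# Constructed sample accounts in the shape `az cosmosdb show` returns; only the
# fields this rule reads are included and all resource names are made up.
SAMPLE_ACCOUNTS = [
    {"name": "cosmos-prod", "privateEndpointConnections": [
        {"name": "pe-prod", "privateLinkServiceConnectionState": {"status": "Approved"}}]},
    {"name": "cosmos-dev", "privateEndpointConnections": []},        # no endpoints
    {"name": "cosmos-legacy"},                                         # property absent
    {"name": "cosmos-staging", "privateEndpointConnections": [
        {"name": "pe-stg", "privateLinkServiceConnectionState": {"status": "Pending"}}]},
]


def rule_d9_azu_net_64(account: dict) -> bool:
    """GSL: CosmosDbAccount should not have privateEndpointConnections isEmpty().
    Returns True when the account is compliant. A missing or null property is
    treated as empty, which is how an account with no private endpoints appears."""
    connections = account.get("privateEndpointConnections") or []
    return len(connections) > 0


def approved_connections(account: dict) -> list:
    """Stricter view than the rule text: only connections whose
    privateLinkServiceConnectionState.status is 'Approved' provide a private
    path; Pending or Rejected ones still make the list non-empty."""
    return [
        c.get("name", "<unnamed>")
        for c in account.get("privateEndpointConnections") or []
        if (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
    ]


def evaluate(accounts: list) -> dict:
    """Map each account name to FAIL (rule violated), WARN (rule passes but no
    connection is Approved) or PASS."""
    results = {}
    for acct in accounts:
        if not rule_d9_azu_net_64(acct):
            results[acct["name"]] = "FAIL"
        elif not approved_connections(acct):
            results[acct["name"]] = "WARN"
        else:
            results[acct["name"]] = "PASS"
    return results


if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {verdict}")
```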
REMEDIATION
From Portal
- Go to 'Azure Cosmos DB' and choose your Cosmos DB account.
- Select 'Private Endpoint Connections' on the navigation menu.
- Select 'Create a private endpoint' and complete the wizard.
- Review and create.
Note: Configuring a Private Endpoint requires additional configuration; see the documentation linked below for instructions on how to create a private endpoint using Terraform (TF) or the Azure CLI.
References
- https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints
- https://docs.azure.cn/en-us/cli/cosmosdb/private-endpoint-connection?view=azure-cli-latest
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#endpoint
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint
Azure Cosmos DB
Azure Cosmos DB is a fully managed database service with turnkey global distribution and transparent multi-master replication. You can run globally distributed, low-latency operational and analytics workloads and AI on transactional data within your database.
Compliance Frameworks
- Azure CIS Foundations v1.5.0
- Azure CIS Foundations v2.0
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset