Description:
Private endpoints limit network traffic to approved sources.
Rationale:
For sensitive data, private endpoints allow granular control of which services can communicate with Cosmos DB and ensure that this network traffic is private. You set this up on a case by case basis for each service you wish to be connected.
Impact:
Only whitelisted services will have access to communicate with the Cosmos DB.
Audit:
From Azure Portal
1. Open the portal menu.
2. Select the Azure Cosmos DB blade.
3. Select the Azure Cosmos DB account.
4. Select Networking.
5. Ensure Public network access is set to Selected networks.
6. Ensure the listed networks are set appropriately.
7. Select Private access.
8. Ensure a private endpoint exists and Connection state is Approved.
Remediation:
From Azure Portal
1. Open the portal menu.
2. Select the Azure Cosmos DB blade.
3. Select the Azure Cosmos DB account.
4. Select Networking.
5. Select Private access.
6. Click + Private Endpoint.
7. Provide a Name.
8. Click Next.
9. From the Resource type drop down, selectMicrosoft.AzureCosmosDB/databaseAccounts.
10.From the Resource drop down, select the Cosmos DB account.
11.Click Next.
12.Provide appropriate Virtual Network details.
13.Click Next.
14.Provide appropriate DNS details.
15.Click Next.
16.Optionally provide Tags.
17.Click Next : Review + create.
18.Click Create.
Default Value:
By default Cosmos DB does not have private endpoints enabled and its traffic is public
to the network.
References:
1. https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-privateendpoints
2. https://docs.microsoft.com/en-us/azure/private-link/tutorial-private-endpointcosmosdb-portal
3. https://docs.microsoft.com/en-us/cli/azure/cosmosdb/private-endpointconnection?view=azure-cli-latest