Profile Applicability:

  • Level 1

Description:
 Disabling public network access restricts the service from connecting to public networks, improving security by limiting exposure to potential threats from the internet.

Rationale:
 A secure network architecture involves segmentation to limit access. Public network access is often overly permissive and creates unintentional pathways for threats. Disabling it ensures better control over incoming and outgoing network traffic.

Impact:

  • Pros:

    • Minimizes the surface area for external attacks.

    • Enhances security by restricting access to only trusted networks.

    • No additional performance or cost impact is incurred from implementing this setting.

  • Cons:

    • Some services may require alternative configurations to maintain necessary access for applications or integrations.

    • May require architectural adjustments to ensure required connectivity.

Default Value:

By default, public network access is disabled when setting up Azure Cache for Redis instances.

Pre-requisites:

  • If using a Virtual Network (VNet), public network access cannot be disabled. For such cases, alternate security measures such as using Network Security Groups (NSGs) or Azure Firewall are recommended.

Remediation:

Test Plan:

Using Azure Portal:

  1. Open the Azure Portal: https://portal.azure.com.

  2. Navigate to Azure Cache for Redis.

  3. Select the Redis instance.

  4. In the left-hand menu, click on Private Endpoint.

  5. Look at the button labelled Enable public network access.

    • If the button reads Enable public network access, public network access is currently disabled and the configuration is compliant.

Using Azure CLI:

  1. Run the following command to check the public network access setting:

    az redis show --resource-group <RESOURCE_GROUP_NAME> --name <CACHE_NAME> --query publicNetworkAccess

    • The output should indicate that public network access is disabled (set to false).

Implementation Plan:

Using Azure Portal:

  1. Navigate to Azure Cache for Redis.

  2. Select the Redis instance and go to Private Endpoint.

  3. Click Disable public network access.

  4. Confirm and save the changes.

Using Azure CLI:
  1. To disable public network access, run the following command:

    az redis update --resource-group <RESOURCE_GROUP_NAME> --name <CACHE_NAME> --set publicNetworkAccess=false
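To audit every cache in a subscription at once rather than one instance at a time, the following added example (not part of this benchmark) parses the JSON that az redis list emits, flags caches whose public network access is still enabled, and prints the az redis update command from the implementation plan for each one. It runs on a constructed sample, assumes only the name, resourceGroup and publicNetworkAccess fields of that output, and accepts either false or the string "Disabled" as a compliant value (the latter is an assumption about the resource provider's representation).

```python
"""Audit Azure Cache for Redis instances for public network access.

Parses the JSON that `az redis list` emits and reports every cache whose
publicNetworkAccess has not been disabled. Sample data is constructed.
"""
import json
import subprocess
from typing import Any, List, Tuple

# Constructed sample in the shape of `az redis list -o json` (assumption:
# only name, resourceGroup and publicNetworkAccess are relied on).
SAMPLE_AZ_REDIS_LIST = json.dumps([
    {"name": "cache-prod", "resourceGroup": "rg-prod",
     "publicNetworkAccess": "Enabled"},
    {"name": "cache-internal", "resourceGroup": "rg-prod",
     "publicNetworkAccess": "Disabled"},
    {"name": "cache-legacy", "resourceGroup": "rg-legacy",
     "publicNetworkAccess": False},
])


def public_access_disabled(value: Any) -> bool:
    """True only when the setting unambiguously means 'disabled'.

    The benchmark expects `false`; the string "Disabled" is also accepted
    (assumption). Anything else, including a missing value, fails closed.
    """
    if isinstance(value, bool):
        return value is False
    return str(value).strip().lower() in ("disabled", "false")


def find_noncompliant(az_list_json: str) -> List[Tuple[str, str]]:
    """Return (resourceGroup, name) for each cache still publicly reachable."""
    return [(c["resourceGroup"], c["name"])
            for c in json.loads(az_list_json)
            if not public_access_disabled(c.get("publicNetworkAccess"))]


def remediation_command(resource_group: str, name: str) -> str:
    """The az redis update command from the benchmark's implementation plan."""
    return (f"az redis update --resource-group {resource_group} "
            f"--name {name} --set publicNetworkAccess=false")


def live_az_redis_list() -> str:
    """Fetch real data with the Azure CLI (needs a logged-in `az` session)."""
    return subprocess.check_output(["az", "redis", "list", "-o", "json"], text=True)


if __name__ == "__main__":
    for rg, name in find_noncompliant(SAMPLE_AZ_REDIS_LIST):
        print(f"NON-COMPLIANT {rg}/{name}: {remediation_command(rg, name)}")
```

Replace SAMPLE_AZ_REDIS_LIST with live_az_redis_list() to run the audit against the signed-in subscription; the printed commands are only emitted, never executed.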


Backout Plan:

Using Azure Portal:

  1. Go to Azure Cache for Redis.

  2. Click on the Private Endpoint.

  3. Re-enable the public network access if necessary.

Using Azure CLI:
  1. To re-enable public network access, run the following command:

    az redis update --resource-group <RESOURCE_GROUP_NAME> --name <CACHE_NAME> --set publicNetworkAccess=true


References: