Profile Applicability:

  • Level 2

Description:
Limiting the network access for your Azure resources to specific selected networks, rather than allowing access from all networks, minimizes the attack surface and enhances security by controlling which networks are permitted to connect.

Rationale:
By restricting the networks that can communicate with your services, you reduce exposure to external threats and unauthorized access. Only trusted and whitelisted networks should be allowed to interact with your Azure resources, especially for services like Azure Cosmos DB, SQL databases, or container instances.

Impact:

  • Pros:

    • Reduces the potential attack surface.

    • Restricts access to services only to known and trusted networks.

    • Improves security posture by limiting the possibility of unauthorized access.

  • Cons:

    • Care must be taken to ensure that the correct networks are selected, or it could result in service disruptions.

    • May require additional configuration if other services or clients need access to the resources.

Default Value:

By default, Azure services might allow access from all networks, which is considered insecure for sensitive services.

Pre-requisites:

  • Ensure that you have identified all networks that need access to the resource.

  • It may require using Azure Firewall, Network Security Groups (NSGs), or Private Endpoints to configure access properly.

Remediation:

Test Plan:

Using Azure Portal:

  1. Open the Azure Portal: https://portal.azure.com.

  2. Navigate to Azure Cosmos DB or the relevant service.

  3. Click on Networking under Settings.

  4. Under the Public Network Access section, ensure Selected networks is selected.

  5. Review the listed Virtual Networks to ensure they are appropriately configured and reflect the trusted networks.

Using Azure CLI:

1. Retrieve a list of Cosmos DB accounts:

az cosmosdb list

2. For each account, verify that virtual network filtering is enabled (az cosmosdb show takes the account name and resource group, and the property appears in its output as isVirtualNetworkFilterEnabled):

az cosmosdb show --name <cosmos-db-name> --resource-group <resource-group-name> --query "isVirtualNetworkFilterEnabled"

3. Ensure the output is true, indicating that network access is restricted to the configured virtual networks.

Implementation Plan:

Using Azure Portal:

  1. Navigate to Azure Cosmos DB or the service in question.

  2. Select Networking under Settings.

  3. Change Public Network Access to Selected networks.

  4. Configure the appropriate Virtual Networks for access.

  5. Click Save to apply the changes.

Using Azure CLI:
1. To limit access to selected networks, enable virtual network filtering and add the trusted subnet(s) with the following command (the portal's Selected networks state corresponds to the virtual network filter being enabled with at least one subnet rule):

az cosmosdb update --resource-group <resource-group-name> --name <cosmos-db-name> --enable-virtual-network true --virtual-network-rules <subnet-resource-id>
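As an added example (not part of the original benchmark text), the following Python script applies the Test Plan check above to the JSON that az cosmosdb list -o json returns, classifies each account as PASS, REVIEW or FAIL, and for a non-compliant account builds the Implementation Plan command with the subnet to allow. The embedded account list is constructed to mimic the shape of the CLI output; its account names, resource group and subnet id are made up, and the live fetch function assumes the az CLI is installed and logged in.

```python
"""Audit Azure Cosmos DB accounts for restricted network access.

Added example, not the benchmark's own tooling. It evaluates the JSON that
`az cosmosdb list -o json` returns; SAMPLE_ACCOUNTS_JSON below is constructed
to mimic that shape and is not real output.
"""
import json
import subprocess
from typing import Dict, List, Tuple

# Constructed sample in the shape of `az cosmosdb list -o json`. Field names
# follow the Cosmos DB account resource; all values are made up.
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"name": "cosmos-open", "resourceGroup": "rg-example",
     "publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": False,
     "virtualNetworkRules": [], "ipRules": []},
    {"name": "cosmos-vnet", "resourceGroup": "rg-example",
     "publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": True,
     "virtualNetworkRules": [{
         "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
               "rg-example/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app",
         "ignoreMissingVNetServiceEndpoint": False}],
     "ipRules": []},
    {"name": "cosmos-azure-wide", "resourceGroup": "rg-example",
     "publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": False,
     "virtualNetworkRules": [], "ipRules": [{"ipAddressOrRange": "0.0.0.0"}]},
    {"name": "cosmos-private", "resourceGroup": "rg-example",
     "publicNetworkAccess": "Disabled", "isVirtualNetworkFilterEnabled": False,
     "virtualNetworkRules": [], "ipRules": []},
])


def evaluate_account(acct: Dict) -> Tuple[str, str]:
    """Return (status, reason); status is PASS, REVIEW or FAIL."""
    if acct.get("publicNetworkAccess") == "Disabled":
        # Stricter than "selected networks": only private endpoints can reach it.
        return "PASS", "public network access disabled (private endpoints only)"
    vnet_filter = bool(acct.get("isVirtualNetworkFilterEnabled"))
    vnet_rules = acct.get("virtualNetworkRules") or []
    ip_rules = [r.get("ipAddressOrRange", "") for r in acct.get("ipRules") or []]
    if vnet_filter and vnet_rules:
        return "PASS", f"selected networks: {len(vnet_rules)} subnet rule(s)"
    if vnet_filter:
        return "REVIEW", "VNet filter enabled but no subnet rules configured"
    if "0.0.0.0" in ip_rules:
        # 0.0.0.0 is the portal's "connections from within public Azure datacenters" entry.
        return "REVIEW", "IP firewall allows all Azure datacenter addresses (0.0.0.0)"
    if ip_rules:
        return "REVIEW", f"IP firewall only ({len(ip_rules)} rule(s)); no VNet restriction"
    return "FAIL", "public access enabled from all networks"


def audit(accounts_json: str) -> List[Tuple[str, str, str]]:
    """Evaluate every account in the list output; returns (name, status, reason)."""
    results = []
    for acct in json.loads(accounts_json):
        status, reason = evaluate_account(acct)
        results.append((acct["name"], status, reason))
    return results


def remediation_command(acct: Dict, subnet_id: str) -> str:
    """Build the Implementation Plan command for one account and one trusted subnet."""
    return ("az cosmosdb update --resource-group {rg} --name {name} "
            "--enable-virtual-network true --virtual-network-rules {subnet}").format(
                rg=acct["resourceGroup"], name=acct["name"], subnet=subnet_id)


def load_accounts_from_az() -> str:
    """Fetch live data; assumes the az CLI is installed and `az login` has been run."""
    return subprocess.check_output(["az", "cosmosdb", "list", "-o", "json"], text=True)


if __name__ == "__main__":
    accounts = json.loads(SAMPLE_ACCOUNTS_JSON)
    for name, status, reason in audit(SAMPLE_ACCOUNTS_JSON):
        print(f"{status:7} {name:20} {reason}")
    for acct in accounts:
        if evaluate_account(acct)[0] == "FAIL":
            print("  fix:", remediation_command(acct, "<subnet-resource-id>"))
```

Replace SAMPLE_ACCOUNTS_JSON with load_accounts_from_az() to run against a real subscription; accounts marked REVIEW are reachable from the public network under some filter and need a human decision, which the single true/false query in the Test Plan does not surface.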


Backout Plan:

Using Azure Portal:

  1. Go to Azure Cosmos DB or the relevant service.

  2. Under Networking, change the Public Network Access setting to All networks to revert the change.

Using Azure CLI:
1. To revert the changes and allow all networks, disable virtual network filtering:

az cosmosdb update --resource-group <resource-group-name> --name <cosmos-db-name> --enable-virtual-network false


References: