Profile Applicability:

  • Level 2

Description:
 Private endpoints limit network traffic to approved sources by allowing resources to connect to Azure services over a private IP address within the Virtual Network (VNet). This ensures that traffic does not traverse the public internet.

Rationale:
 Private endpoints provide a more secure communication channel by ensuring that network traffic between services remains within a private network, protecting sensitive data from potential exposure over the internet. They also give better control over the communication path and improve overall network security.

Impact:

  • Pros:

    • Reduces exposure to external threats by restricting service access to private IPs.

    • Ensures that all communication is handled within the trusted network environment.

    • Improves compliance by ensuring data does not flow over the public internet.

  • Cons:

    • May require changes to the network architecture, especially when scaling services.

    • Requires careful configuration to ensure that necessary services can still communicate without issues.

Default Value:

  • By default, Azure services do not have private endpoints enabled and are accessible via public IP addresses unless configured otherwise.

Pre-requisites:

  • A Virtual Network (VNet) and appropriate subnet must be in place.

  • Ensure that Azure services support private endpoints and have been configured for this purpose.

Remediation:

Test Plan:

Using Azure Portal:

  1. Open the Azure Portal: https://portal.azure.com.

  2. Navigate to the Azure Cosmos DB (or relevant service).

  3. Select the Networking option.

  4. Ensure Public network access is set to Selected networks.

  5. Under Private access, verify that a Private Endpoint is created and that its connection state is Approved.

Using Azure CLI:
  1. Run the following command to list the private endpoint connections on the account (the CLI flattens the ARM properties, so the list is a top-level field of the output):

az cosmosdb show --resource-group <resource-group-name> --name <cosmos-db-name> --query "privateEndpointConnections"


  • The output should list at least one private endpoint connection whose privateLinkServiceConnectionState.status is Approved; an empty list means no private endpoint is in use.
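As an added example (not part of the benchmark text), a small Python audit that reads the JSON from `az cosmosdb show -o json` and applies the checks above: an Approved private endpoint connection plus public network access that is Disabled or limited to selected networks. The field names and the mapping of "Selected networks" to isVirtualNetworkFilterEnabled are assumptions about the CLI's output, and the sample account is constructed.

```python
import json
import sys

# Constructed sample of `az cosmosdb show -o json` output, trimmed to the
# fields this check reads; field names are assumed to match the CLI output.
SAMPLE_ACCOUNT = {
    "name": "example-cosmos",
    "publicNetworkAccess": "Enabled",
    "isVirtualNetworkFilterEnabled": True,  # "Selected networks" in the portal
    "privateEndpointConnections": [
        {"name": "pe-conn-1", "groupId": "Sql",
         "privateLinkServiceConnectionState": {"status": "Approved"}},
        {"name": "pe-conn-2", "groupId": "Sql",
         "privateLinkServiceConnectionState": {"status": "Pending"}},
    ],
}

def _status(conn: dict) -> str:
    return (conn.get("privateLinkServiceConnectionState") or {}).get("status", "")

def evaluate(account: dict) -> dict:
    """Pass = at least one Approved private endpoint connection AND public
    network access either Disabled or limited to selected networks."""
    conns = account.get("privateEndpointConnections") or []
    approved = [c["name"] for c in conns if _status(c) == "Approved"]
    pending = [c["name"] for c in conns if _status(c) == "Pending"]
    access = account.get("publicNetworkAccess", "Enabled")
    restricted = access == "Disabled" or bool(account.get("isVirtualNetworkFilterEnabled"))
    findings = []
    if not approved:
        findings.append("no Approved private endpoint connection")
    if pending:
        findings.append("Pending connection(s): " + ", ".join(pending))
    if not restricted:
        findings.append("public network access is open to all networks")
    return {"account": account.get("name"), "compliant": bool(approved) and restricted,
            "approved_connections": approved, "findings": findings}

def main() -> None:
    # Usage: az cosmosdb show -g <rg> -n <name> -o json | python audit_cosmos_pe.py
    account = SAMPLE_ACCOUNT if sys.stdin.isatty() else json.load(sys.stdin)
    result = evaluate(account)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["compliant"] else 1)

if __name__ == "__main__":
    main()
```

Run with no piped input to see the result for the constructed sample; the exit code makes it usable as a gate in a pipeline.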

Implementation Plan:

Using Azure Portal:

  1. Go to Azure Cosmos DB (or relevant service).

  2. Navigate to Networking and select Private access.

  3. Click + Private Endpoint.

  4. Provide a Name and select Next.

  5. Choose the Resource type and select Microsoft.AzureCosmosDB/databaseAccounts.

  6. Provide appropriate VNet and DNS configurations.

  7. Click Review + Create, then click Create to set up the private endpoint.

Using Azure CLI:
  1. To create a private endpoint for a Cosmos DB instance, run the following (the group ID selects the API exposed through the endpoint, e.g. Sql for the Core (SQL) API):

az network private-endpoint create --resource-group <resource-group-name> --name <private-endpoint-name> --vnet-name <vnet-name> --subnet <subnet-name> --private-connection-resource-id $(az cosmosdb show --resource-group <resource-group-name> --name <cosmos-db-name> --query id -o tsv) --group-id Sql --connection-name <connection-name>

     If the resulting connection shows as Pending rather than Approved on the account, approve it:

az network private-endpoint-connection approve --resource-group <resource-group-name> --resource-name <cosmos-db-name> --type Microsoft.DocumentDB/databaseAccounts --name <connection-name>


Backout Plan:

Using Azure Portal:

  1. Go to Azure Cosmos DB (or the relevant service).

  2. Under Networking, click Private access.

  3. Delete the private endpoint or revert it to using public access if required.

Using Azure CLI:
  1. To remove the private endpoint, delete it from the virtual network:

az network private-endpoint delete --resource-group <resource-group-name> --name <private-endpoint-name>

     Alternatively, to keep the endpoint resource but stop the account from accepting it, reject the connection on the account:

az network private-endpoint-connection reject --resource-group <resource-group-name> --resource-name <cosmos-db-name> --type Microsoft.DocumentDB/databaseAccounts --name <connection-name>


References: