Network misconfigurations

Azure Cosmos DB firewall allows access from all public Azure datacenters

Platform(s)

Description

When the 'Accept connections from within Azure datacenters' option is enabled, the IP address 0.0.0.0 is added to the list of allowed IP addresses. The 0.0.0.0 entry restricts requests to your Azure Cosmos DB account to the Azure datacenter IP range. This option configures the firewall to allow all requests from Azure, including requests from the subscriptions of other customers deployed in Azure. The list of IPs allowed by this option is wide, so it limits the effectiveness of a firewall policy.
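One way to check for this setting across exported account definitions, as an added example that is not part of the original page. It assumes JSON shaped like `az cosmosdb list` output, with firewall entries under `ipRules[].ipAddressOrRange` (or the comma-separated `ipRangeFilter` string of older API versions), and treats accounts with `publicNetworkAccess` set to `Disabled` as not exposed; the account names and addresses are constructed.

```python
import json

# The entry added by 'Accept connections from within Azure datacenters'.
AZURE_DATACENTERS_ENTRY = "0.0.0.0"

# Constructed sample data (made-up account names, documentation IP ranges).
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "example-open", "publicNetworkAccess": "Enabled",
   "ipRules": [{"ipAddressOrRange": "203.0.113.10"},
               {"ipAddressOrRange": "0.0.0.0"}]},
  {"name": "example-restricted", "publicNetworkAccess": "Enabled",
   "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}]},
  {"name": "example-legacy", "ipRangeFilter": "198.51.100.7, 0.0.0.0"},
  {"name": "example-private", "publicNetworkAccess": "Disabled",
   "ipRules": [{"ipAddressOrRange": "0.0.0.0"}]}
]
""")


def allowed_entries(account):
    """Collect firewall entries from ipRules and the older ipRangeFilter string."""
    rules = account.get("ipRules") or []
    entries = [r.get("ipAddressOrRange", "").strip() for r in rules]
    legacy = account.get("ipRangeFilter") or ""
    entries += [e.strip() for e in legacy.split(",")]
    return [e for e in entries if e]


def allows_all_azure_datacenters(account):
    """True when 0.0.0.0 is allowed and public network access is not disabled."""
    # Assumption: with public access disabled, IP rules are not in effect.
    if account.get("publicNetworkAccess") == "Disabled":
        return False
    return AZURE_DATACENTERS_ENTRY in allowed_entries(account)


def find_exposed_accounts(accounts):
    """Return the names of accounts whose firewall admits all Azure datacenters."""
    return [a["name"] for a in accounts if allows_all_azure_datacenters(a)]


if __name__ == "__main__":
    for name in find_exposed_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: firewall allows all Azure datacenters (0.0.0.0)")
```

Accounts it reports should have the 0.0.0.0 entry replaced with the specific IP addresses or ranges that need access.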