Network misconfigurations

Azure Cosmos DB firewall allows access from all public Azure datacenters



When enabling 'Accept connections from within Azure datacenters' option, IP address is added to the list of allowed IP addresses. The IP address restricts requests to your Azure Cosmos DB account from Azure datacenter IP range. This option configures the firewall to allow all requests from Azure, including requests from the subscriptions of other customers deployed in Azure. The list of IPs allowed by this option is wide, so it limits the effectiveness of a firewall policy.