Network misconfigurations

Azure Cosmos DB firewall allows access from all public Azure datacenters

When the 'Accept connections from within Azure datacenters' option is enabled, an IP address is added to the list of allowed IP addresses. This IP address limits requests to your Azure Cosmos DB account to those coming from the Azure datacenter IP range. The option configures the firewall to allow all requests from Azure, including requests from the subscriptions of other customers deployed in Azure. The set of IP addresses allowed by this option is broad, which limits the effectiveness of the firewall policy.
  • Recommended Mitigation

    It is recommended to disable this option and configure firewall rules with more restricted IP addresses.
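
A detection check for this finding, as an added example that is not part of the original page: it reads account JSON in the shape returned by `az cosmosdb list` or the ARM API and flags accounts whose firewall contains `0.0.0.0`, the address Azure adds when this option is enabled. The account names and addresses are constructed sample data, and `allowed_entries` and `audit` are hypothetical helper names.

```python
import json

# Marker address Azure adds to the Cosmos DB firewall when
# 'Accept connections from within Azure datacenters' is enabled.
AZURE_DATACENTERS_MARKER = "0.0.0.0"


def allowed_entries(account):
    """Return the firewall entries of one account as a list of strings.

    Handles the current 'ipRules' list and the older comma-separated
    'ipRangeFilter' string, nested under 'properties' (ARM) or not (az CLI).
    """
    props = account.get("properties", account)
    rules = props.get("ipRules") or []
    entries = [r.get("ipAddressOrRange", "").strip() for r in rules]
    legacy = props.get("ipRangeFilter") or ""
    entries += [e.strip() for e in legacy.split(",")]
    return [e for e in entries if e]


def audit(accounts):
    """Return one finding per account that admits all Azure datacenters."""
    findings = []
    for acct in accounts:
        entries = allowed_entries(acct)
        if AZURE_DATACENTERS_MARKER in entries:
            findings.append({
                "account": acct.get("name", "<unnamed>"),
                # Rules that remain once the option is disabled (the mitigation).
                "keep": sorted(set(entries) - {AZURE_DATACENTERS_MARKER}),
            })
    return findings


# Constructed sample input (not real accounts); addresses come from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE = json.loads("""[
  {"name": "orders-db",  "ipRules": [{"ipAddressOrRange": "0.0.0.0"},
                                     {"ipAddressOrRange": "203.0.113.10"}]},
  {"name": "legacy-db",  "properties": {"ipRangeFilter": "198.51.100.0/24, 0.0.0.0"}},
  {"name": "billing-db", "ipRules": [{"ipAddressOrRange": "203.0.113.0/28"}]},
  {"name": "open-db",    "ipRules": []}
]""")

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['account']}: all Azure datacenters allowed; keep {f['keep']}")
```

An empty `keep` list in a finding means the account has no narrower rules yet, so specific addresses need to be added before the option is disabled.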