4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.

Rationale:

Selecting specific networks that your Cosmos DB may communicate with restricts the number of networks, including the internet, that can interact with the data stored in the database.

Impact:

Failure to whitelist the correct networks will result in a connection loss.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Azure Portal

Open the portal menu.

Select the Azure Cosmos DB blade.

Select the subscription you wish to audit.

In the portal menu column select 'Firewalls and virtual networks'.

Select the Database you wish to audit.

Select 'Firewall and virtual networks'.

Change the 'Allow access from' radio button to 'Selected networks'.

Under the heading 'Virtual Networks' choose '+ Add existing virtual network' or '+ Add a new virtual network'.

For existing networks, select the subscription, virtual network, and subnet, then select 'Add'. For new networks follow similar steps but enter the configuration you desire.
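The portal steps above have a CLI counterpart for auditing at scale. The following is an added example (not part of the benchmark, and not Nessus or Tenable code): it reads the JSON that `az cosmosdb show --name <account> --resource-group <rg>` prints and maps the account properties that back the portal's 'Allow access from' setting (`isVirtualNetworkFilterEnabled`, `virtualNetworkRules`, `ipRules`, `publicNetworkAccess`) to a PASS/FAIL verdict. The sample records are constructed; the account names, subscription ID and resource names in them are placeholders. It also flags the failure mode from the Impact section: a filter that is switched on with nothing allowlisted refuses every connection.

```python
"""Evaluate Cosmos DB account network settings for the 'selected networks' control.

Added example, not from the benchmark. Input is the JSON printed by
`az cosmosdb show --name <account> --resource-group <rg>`.
"""
import json
import sys

# Constructed samples shaped like a trimmed `az cosmosdb show` record.
# Field names are the real ones; names, IDs and values are made up.
SAMPLE_ALL_NETWORKS = {
    "name": "cosmos-example-open",
    "isVirtualNetworkFilterEnabled": False,
    "virtualNetworkRules": [],
    "ipRules": [],
    "publicNetworkAccess": "Enabled",
}

SAMPLE_SELECTED_NETWORKS = {
    "name": "cosmos-example-restricted",
    "isVirtualNetworkFilterEnabled": True,
    "virtualNetworkRules": [{
        "id": ("/subscriptions/00000000-0000-0000-0000-000000000000"
               "/resourceGroups/rg-example/providers/Microsoft.Network"
               "/virtualNetworks/vnet-app/subnets/snet-db"),
        "ignoreMissingVNetServiceEndpoint": False,
    }],
    "ipRules": [],
    "publicNetworkAccess": "Enabled",
}


def evaluate_account(acct: dict) -> dict:
    """Return {'account', 'status', 'reason'} for one parsed account record.

    PASS   - selected networks in use, or public network access disabled
    FAIL   - all networks (the default): no filter and no IP rules
    WARN   - filter enabled but nothing allowlisted: every client is refused
             (the connection-loss impact the benchmark warns about)
    REVIEW - IP allowlist only, no virtual network selected; confirm intent
    """
    name = acct.get("name", "<unknown>")
    vnet_filter = bool(acct.get("isVirtualNetworkFilterEnabled", False))
    vnet_rules = acct.get("virtualNetworkRules") or []
    ip_rules = acct.get("ipRules") or []
    public_access = acct.get("publicNetworkAccess", "Enabled")

    if public_access == "Disabled":
        status = "PASS"
        reason = "public network access disabled; only private endpoints can reach the account"
    elif vnet_filter and vnet_rules:
        status = "PASS"
        reason = (f"selected networks: {len(vnet_rules)} virtual network rule(s), "
                  f"{len(ip_rules)} IP rule(s)")
    elif vnet_filter and not ip_rules:
        status = "WARN"
        reason = "virtual network filter enabled but no network or IP rules; all connections refused"
    elif ip_rules:
        status = "REVIEW"
        reason = f"IP allowlist only ({len(ip_rules)} rule(s)); no virtual network selected"
    else:
        status = "FAIL"
        reason = "all networks: isVirtualNetworkFilterEnabled is false and there are no IP rules"
    return {"account": name, "status": status, "reason": reason}


def evaluate_network_restriction(account_json: str) -> dict:
    """Same as evaluate_account, but takes the raw JSON text from the CLI."""
    return evaluate_account(json.loads(account_json))


if __name__ == "__main__":
    # Pipe real CLI output in, or run with no input to see the sample verdicts.
    if not sys.stdin.isatty():
        records = [evaluate_network_restriction(sys.stdin.read())]
    else:
        records = [evaluate_account(SAMPLE_ALL_NETWORKS),
                   evaluate_account(SAMPLE_SELECTED_NETWORKS)]
    for r in records:
        print(f"{r['status']:6} {r['account']}: {r['reason']}")
```

`az cosmosdb show` output is a good audit source because `isVirtualNetworkFilterEnabled` is exactly the property the portal toggles when 'Selected networks' is chosen; a `false` value with an empty `ipRules` list is the all-networks default the benchmark describes. The WARN branch exists so that remediation scripts do not enable the filter before a subnet has been added, which would cause the connection loss noted under Impact.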

Default Value:

By default, Cosmos DB accounts are set to allow access from all networks.

See Also

https://workbench.cisecurity.org/files/4052