4.5.2 Ensure That Private Endpoints Are Used Where Possible

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


Private endpoints limit network traffic to approved sources.


For sensitive data, private endpoints allow granular control of which services can communicate with Cosmos DB and ensure that this network traffic is private. You set this up on a case by case basis for each service you wish to be connected.


Only whitelisted services will have access to communicate with the Cosmos DB.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


From Azure Portal

Open the portal menu.

Select the Azure Cosmos DB blade

Select the subscription you wish to audit.

Select the Database you wish to add an endpoint to.

Then in the portal menu column select the blade 'Private Endpoint Connections'.

Click '+ Private Endpoint'

Select which subscription and resource group you want the endpoint to be in. Name it as desired.

Select which subscription the endpoint will be under, its resource type.

Select which virtual network desired.

Select the DNS servers the endpoint will contact.

Tag as desired and create.

Back in the Private Endpoints view, select the endpoint and associate it with the Cosmos DB.

In the listing below confirm that the listed selected networks are set to the appropriate endpoints.

Default Value:

By default Cosmos DB does not have private endpoints enabled and its traffic is public to the network.

See Also