Cosmos DB Security if given public access & how to access from outside VNET if changed to private.

Abhinandu V Nair 0 Reputation points
2023-06-06T09:53:28.76+00:00

I was wondering what the security implications are of creating a Cosmos DB account with public access, and whether there is any way for a Node.js app that is outside the VNet to access the DB if it is set to private.

Let me explain a bit in detail.

I'm working on a project in Azure which uses ARM templates to create resources and things for the end user. This is not a single-tenant application, and users have to bring their own account to access everything. Coming from AWS, where we used DynamoDB, I started using Cosmos DB. The application will be hosted elsewhere, so we need to provide public access for the DB since it's outside the VNet. But this caused a security escalation from our IT team, which stated that there are Internet-exposed databases and that we shouldn't have any databases with ports/protocols open. My understanding was that even though it has public access, not just anyone can access it; we still need key/AD authentication to access it.

Also, these are some points which apply to my use case:

  • All the resources in Azure (DB, VNet if needed) will be created using the ARM templates.
  • Individual users in a tenant will log in, and the DB should be accessible to anyone.
  • The Node.js app will be hosted either in a local Docker container or a Kubernetes cluster, so it is impossible to give access by providing a public IP or by hosting in the same VNet.

Any help is appreciated.


3 answers


  2. SSingh-MSFT 16,371 Reputation points Moderator
    2023-06-12T04:12:38.86+00:00

Hi @Abhinandu V Nair, thanks for the reply.

    For security aspects of Azure Cosmos DB, you may refer to the below pointers:

[image attached by the answerer]

    Reference Security Overview

Another option is Microsoft Defender for Azure Cosmos DB, which detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. It can currently trigger the following alerts:

    Potential SQL injection attacks: Due to the structure and capabilities of Azure Cosmos DB queries, many known SQL injection attacks can’t work in Azure Cosmos DB. However, there are some variations of SQL injections that can succeed and may result in exfiltrating data from your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects both successful and failed attempts, and helps you harden your environment to prevent these threats.

    Anomalous database access patterns: For example, access from a TOR exit node, known suspicious IP addresses, unusual applications, and unusual locations.

    Suspicious database activity: For example, suspicious key-listing patterns that resemble known malicious lateral movement techniques and suspicious data extraction patterns.

    Note

    • Microsoft Defender for Azure Cosmos DB is currently available only for the API for NoSQL.
    • Microsoft Defender for Azure Cosmos DB is not currently available in Azure government and sovereign cloud regions.

    If it is related to Secure Access to Data, we have:

[image attached by the answerer]

    Other helpful links: https://github.com/Azure/azure-cosmos-dotnet-v3/blob/master/Microsoft.Azure.Cosmos.Samples/Usage/UserManagement/UserManagementProgram.cs

    https://learn.microsoft.com/en-us/azure/cosmos-db/database-encryption-at-rest

    Please let us know if you have any further queries so that we can help you.

    Thank you.


  3. SSingh-MSFT 16,371 Reputation points Moderator
    2023-06-14T03:52:18.98+00:00

    Hi Abhinandu V Nair,

In addition to the answer below, firewall rules such as VNet whitelisting, Private Endpoint, or IP whitelisting are an additional layer of security on the Cosmos DB account. You still need the key/AD authentication to access the data. If your key ever gets compromised, it ensures that connections are still rejected.

If this answers your query, do click Accept Answer and Mark Helpful for the same. And, if you have any further query, do let us know.

