
Is a service endpoint always the most secure way to access a resource on Azure?


I built an architecture where you can trigger an Azure Function to push data into a Cosmos DB, which lies behind my DMZ. Some implementation guidelines state that a service endpoint should always be enabled if possible. However, if I do so, the Cosmos DB is potentially exposed to the Internet (although I would not allow any IPs in the Cosmos DB firewall). With exposure I mean the order of handling services in Azure (https://msdnshared.blob.core.windows.net/media/2016/05/1.bmp). Thus, the Cosmos DB would by default have a public endpoint.

Can I restrict any public access from the internet, except blocking all IP addresses?


Solution

  • Can I restrict any public access from the internet, except blocking all IP addresses?

    Actually, by enabling a service endpoint, you have limited access so that only requests originating from that subnet can reach the Azure Cosmos DB. Traffic from your VNet to the Azure service always remains on the Microsoft Azure backbone network. So, it's a secure way to access resources in Azure.

    After enabling a service endpoint, the source IP addresses of virtual machines in the subnet switch from using public IPv4 addresses to using their private IPv4 addresses when communicating with the service from that subnet. Also, the default NSG associated with that subnet continues to work with service endpoints, read here. If you want to deny all outbound internet traffic and only allow access to Cosmos DB from that subnet, you could add the service tag as the destination in the outbound rules of the NSG.


    edit

    You could have a look at Azure Private Link (preview), but it seems it's not available for Azure Cosmos DB accounts yet.

    Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer/partner services over a Private Endpoint in your virtual network. Traffic between your virtual network and the service traverses over the Microsoft backbone network, eliminating exposure from the public Internet.
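As an added example (not code from the question or the answer), the configuration the answer describes as a Bicep template: the Microsoft.AzureCosmosDB service endpoint on the Function subnet, a Cosmos DB account firewall that admits only that subnet and no public IP ranges, and NSG outbound rules that allow the AzureCosmosDB service tag and deny everything else to the Internet. Resource names, address ranges and API versions are assumptions.

```bicep
param location string = resourceGroup().location
param cosmosAccountName string = 'cosmos-dmz-example' // assumed name; must be globally unique

// NSG on the Function subnet: allow outbound only to the Cosmos DB service tag, deny the rest (lowest priority number wins).
resource nsg 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: 'nsg-functions'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowCosmosDbOutbound'
        properties: { priority: 100, direction: 'Outbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: 'AzureCosmosDB', destinationPortRange: '443' }
      }
      {
        name: 'DenyInternetOutbound'
        properties: { priority: 200, direction: 'Outbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: 'Internet', destinationPortRange: '*' }
      }
    ]
  }
}

// Subnet with the service endpoint: traffic to Cosmos DB stays on the Azure backbone and carries the subnet as its source.
resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'vnet-dmz'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-functions'
        properties: { addressPrefix: '10.0.1.0/24', networkSecurityGroup: { id: nsg.id }, serviceEndpoints: [ { service: 'Microsoft.AzureCosmosDB' } ] }
      }
    ]
  }
}

// Cosmos DB account: VNet filter enabled, only the Function subnet allowed, no public IP ranges in the firewall.
resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  name: cosmosAccountName
  location: location
  properties: {
    databaseAccountOfferType: 'Standard'
    locations: [ { locationName: location, failoverPriority: 0 } ]
    isVirtualNetworkFilterEnabled: true
    virtualNetworkRules: [ { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-functions') } ]
    ipRules: []
  }
}
```

With this in place a request from any source other than snet-functions is rejected by the account firewall even though the account still has a public DNS name, and the NSG stops the Function subnet from reaching any other Internet destination.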