What's new?
- We've added guardrails to help secure access to your database accounts' public endpoints. By default, every database account has a public endpoint that is reachable from the internet. That access can be limited to specific IP ranges, virtual network subnets, and trusted Microsoft services by defining firewall and virtual network rules.
To get started configuring these rules through Guardrails, set the following policies according to your desired firewall configuration:
Azure > Cosmos DB > Database Account > Firewall
- Configure default access rules for the public endpoint
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved
- Remove unapproved IP ranges
Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required
- Grant access to specific IP ranges
Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved
- Remove unapproved virtual network subnets
Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required
- Grant access to specific virtual network subnets
Please note that if the Azure > Cosmos DB > Database Account > Firewall policy is set to Enforce: Allow only approved virtual networks and IP ranges, only clients in the configured IP ranges, virtual network subnets, and trusted Microsoft services will be able to reach the database accounts. If these boundaries are not configured correctly beforehand, or an application connects from outside them, that application will lose access to the database accounts. Verify your applications' egress IP ranges and subnets against the Approved and Required policy values before switching the Firewall policy to Enforce.
Control Types
- Azure > Cosmos DB > Database Account > Firewall
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required
Policy Types
- Azure > Cosmos DB > Database Account > Firewall
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > CIDR Ranges
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > Compiled Rules
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Approved > Rules
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Compiled Items
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Exceptions
- Azure > Cosmos DB > Database Account > Firewall > IP Ranges > Required > Items
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Compiled Rules
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Rules
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Approved > Subnets
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required
- Azure > Cosmos DB > Database Account > Firewall > Virtual Networks > Required > Items
Action Types
- Azure > Cosmos DB > Database Account > Update Firewall Default Access Rule
- Azure > Cosmos DB > Database Account > Update Firewall IP Ranges
- Azure > Cosmos DB > Database Account > Update Firewall Virtual Networks
Bug fixes
- Various Discovery and CMDB controls entered an error state because they used outdated APIs that no longer functioned as expected. We have updated internal package dependencies, and those controls now operate smoothly as intended.