

4.5.1 Limit 'Firewalls & Networks' to Use Selected Networks Instead of All Networks (Automated)


This rule has been changed to automated, see Automated Policies for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 2


Description

Limiting your Cosmos DB account to communicate only with the networks you have explicitly allow-listed reduces its attack surface.

Rationale

Selecting specific networks restricts which networks, including the public internet, can reach the account's endpoint and therefore the data stored in it. With 'All networks' selected, any host on the internet can attempt a connection, so network-level exposure depends entirely on the secrecy of the account keys or tokens.

Impact

Any client whose network is not on the allow list loses connectivity to the account as soon as the change is saved, so inventory the client networks before switching.


Audit

From Azure Portal

  1. Open the portal menu.
  2. Select the Azure Cosmos DB blade.
  3. Select the Cosmos DB account you wish to audit.
  4. Select Networking.
  5. Under Public network access, confirm that the radio button is set to Selected networks rather than All networks.
  6. In the Virtual networks and Firewall lists below, confirm that only the expected subnets and IP ranges are present.

From Azure CLI

List the Cosmos DB accounts in the current subscription:

az cosmosdb list

For each account returned, show its network configuration (either pass the account name and resource group, or the full resource ID with --ids):

az cosmosdb show --name <account-name> --resource-group <resource-group>

In the output, check that "publicNetworkAccess" is "Disabled", or that "isVirtualNetworkFilterEnabled" is true or "ipRules" is non-empty. An account with "isVirtualNetworkFilterEnabled": false and an empty "ipRules" list is open to all networks. Do not rely on "isVirtualNetworkFilterEnabled" alone: an account protected only by IP firewall rules reports it as false even though the portal shows 'Selected networks'.

From Azure PowerShell


Remediation

From Azure Portal

  1. Open the portal menu.
  2. Select the Azure Cosmos DB blade.
  3. Select the Cosmos DB account to remediate.
  4. Select Networking.
  5. Under Public network access, select Selected networks.
  6. Under Virtual networks, select + Add existing virtual network or + Add a new virtual network.
  7. For an existing network, select the subscription, virtual network and subnet, then click Add. For a new network, provide a name, adjust the default values if required, and click Create.
  8. Under Firewall, add any public IP ranges that clients outside those virtual networks still need.
  9. Click Save.
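The following script is an added example for this page, not CIS or Microsoft code, and ties the CLI audit and the remediation above together. It reads the JSON printed by `az cosmosdb list -o json` (a list) or `az cosmosdb show` (a single object), classifies each account the way the portal's Public network access setting would, and for an open account builds the `az cosmosdb update` call that applies the portal remediation from the CLI. The sample account documents are constructed, not captured from a tenant, and the `0.0.0.0` firewall entry it flags is the value Cosmos DB uses for "accept connections from within public Azure datacenters". The `resourceGroup` field is assumed to be present, as it is in `az cosmosdb list` output, and the remediation flag names are those of `az cosmosdb update`; confirm the `--ip-range-filter` list format against `az cosmosdb update --help` for your CLI version.

```python
"""Audit Azure Cosmos DB accounts against CIS Azure 4.5.1 and draft the fix.

Added example for this page, not CIS or Microsoft code.  Reads the JSON from
`az cosmosdb list -o json` or `az cosmosdb show` and uses only fields present
in that output: publicNetworkAccess, isVirtualNetworkFilterEnabled,
virtualNetworkRules, ipRules, name, resourceGroup.
Usage:  az cosmosdb list -o json | python3 cis_4_5_1.py
"""
import json
import sys

# Special firewall entry Cosmos DB uses for "accept connections from within
# public Azure datacenters": it admits any Azure tenant, so the audit flags it
# even though the account itself reports 'Selected networks'.
AZURE_DATACENTERS_RULE = "0.0.0.0"


def classify(account: dict) -> tuple[str, str]:
    """Map one account document to ('pass' | 'warn' | 'fail', reason).

    'Selected networks' means the public endpoint is enabled but restricted by
    VNet rules and/or IP firewall rules.  Checking isVirtualNetworkFilterEnabled
    alone misses accounts protected solely by IP rules (the flag stays false).
    """
    if account.get("publicNetworkAccess", "Enabled") == "Disabled":
        # Stricter than the control: no public endpoint at all.
        return "pass", "public network access disabled (private endpoints only)"

    vnet_rules = [r.get("id", "") for r in account.get("virtualNetworkRules") or []]
    ip_rules = [r.get("ipAddressOrRange", "") for r in account.get("ipRules") or []]
    vnet_filter = bool(account.get("isVirtualNetworkFilterEnabled"))

    if not vnet_filter and not ip_rules:
        return "fail", "all networks: no VNet filter and no IP firewall rules"
    if AZURE_DATACENTERS_RULE in ip_rules:
        return "warn", "selected networks, but 0.0.0.0 admits all Azure datacenter IPs"
    return "pass", f"selected networks: {len(vnet_rules)} VNet rule(s), {len(ip_rules)} IP rule(s)"


def remediation_command(account: dict, subnet_ids: list[str], ip_ranges: list[str]) -> str:
    """Build the `az cosmosdb update` call equivalent to the portal remediation.

    subnet_ids are full subnet resource IDs (the portal's 'Add existing virtual
    network'); ip_ranges are CIDR blocks for the Firewall section.  Flag names
    are those of `az cosmosdb update`; --ip-range-filter is given as a
    comma-separated list with no spaces (assumption: verify with --help).
    """
    if not subnet_ids and not ip_ranges:
        # Switching to 'Selected networks' with nothing allow-listed cuts off every client.
        raise ValueError("refusing to switch to 'Selected networks' with an empty allow list")
    parts = [
        "az cosmosdb update",
        f"--name {account['name']}",
        f"--resource-group {account['resourceGroup']}",
    ]
    if subnet_ids:
        parts.append("--enable-virtual-network true")
        parts.append("--virtual-network-rules " + " ".join(subnet_ids))
    if ip_ranges:
        parts.append("--ip-range-filter " + ",".join(ip_ranges))
    return " ".join(parts)


def audit(accounts: list[dict]) -> dict[str, str]:
    """Return {account name: status} for a list of account documents."""
    return {a["name"]: classify(a)[0] for a in accounts}


# Constructed sample in the shape of `az cosmosdb list -o json`, trimmed to the
# fields used here.  Not captured from a real tenant.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net"
             "/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-api")
SAMPLE_ACCOUNTS = [
    {"name": "cosmos-open", "resourceGroup": "rg-data", "publicNetworkAccess": "Enabled",
     "isVirtualNetworkFilterEnabled": False, "virtualNetworkRules": [], "ipRules": []},
    {"name": "cosmos-vnet", "resourceGroup": "rg-data", "publicNetworkAccess": "Enabled",
     "isVirtualNetworkFilterEnabled": True, "ipRules": [],
     "virtualNetworkRules": [{"id": SUBNET_ID, "ignoreMissingVNetServiceEndpoint": False}]},
    {"name": "cosmos-iponly", "resourceGroup": "rg-data", "publicNetworkAccess": "Enabled",
     "isVirtualNetworkFilterEnabled": False, "virtualNetworkRules": [],
     "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}]},
    {"name": "cosmos-azurewide", "resourceGroup": "rg-data", "publicNetworkAccess": "Enabled",
     "isVirtualNetworkFilterEnabled": False, "virtualNetworkRules": [],
     "ipRules": [{"ipAddressOrRange": "0.0.0.0"}]},
    {"name": "cosmos-private", "resourceGroup": "rg-data", "publicNetworkAccess": "Disabled",
     "isVirtualNetworkFilterEnabled": False, "virtualNetworkRules": [], "ipRules": []},
]


def main() -> None:
    # Read az output from a pipe; fall back to the constructed sample when run bare.
    data = SAMPLE_ACCOUNTS if sys.stdin.isatty() else json.load(sys.stdin)
    accounts = data if isinstance(data, list) else [data]
    for acct in accounts:
        status, reason = classify(acct)
        print(f"{status.upper():5} {acct['name']}: {reason}")
        if status == "fail":
            # Placeholder allow list; replace with the real subnets and client ranges.
            print("      fix: " + remediation_command(acct, [SUBNET_ID], ["203.0.113.0/24"]))


if __name__ == "__main__":
    main()
```

Treat a `warn` result the same way as audit step 6 in the portal: the account is on 'Selected networks', but the allow list still needs a human to confirm that every entry is intended.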