Skip to main content


4.5.2 Use Private Endpoints Where Possible (Automated)


This rule has been changed to automated, see Automated Policies for CIS Azure 1.5.0 for details.

Profile Applicability

• Level 2


Private endpoints limit network traffic to approved sources.


For sensitive data, private endpoints allow granular control of which services can communicate with Cosmos DB and ensure that this network traffic is private. You set this up on a case by case basis for each service you wish to be connected.


Only whitelisted services will have access to communicate with the Cosmos DB.


From Azure Portal

  1. Open the portal menu.
  2. Select the Azure Cosmos DB blade
  3. Select the subscription you wish to audit.
  4. In the portal menu column select 'Private Endpoint Connections'.
  5. Select the Database you wish to audit.
  6. In this list view the private endpoints. In the column under 'Connection State' and the Private Endpoint is set to 'Enabled' it is active.
  7. Confirm that the radio button for 'allow access from' is set to 'selected networks'
  8. In the listing below confirm that the listed selected networks are set to the appropriate endpoints.


From Azure Portal

  1. Open the portal menu.
  2. Select the Azure Cosmos DB blade.
  3. Select the Azure Cosmos DB account.
  4. Select Networking.
  5. Select Private access.
  6. Click + Private Endpoint.
  7. Provide a Name.
  8. Click Next.
  9. From the Resource type drop down, select Microsoft.AzureCosmosDB/databaseAccounts.
  10. From the Resource drop down, select the Cosmos DB account.
  11. Click Next.
  12. Provide appropriate Virtual Network details.
  13. Click Next.
  14. Provide appropriate Domain Name System (DNS) details.
  15. Click Next.
  16. Optionally provide Tags.
  17. Click Next : Review + create.
  18. Click Create.