e can access programmatically to Azure Cosmos DB resources to create, query, and delete databases, document collections, and documents via REST API. To perform operations on Azure Cosmos DB resources, you can send HTTPS requests with a selected method: GET, POST, PUT, or DELETE to an CosmosDB endpoint.
Frequently we build architecture with centralized access to a persistence layer, then we won't let other applications access directly to this layer.
Suppose we have the following hypothetical scenario (see Figure 1):
|Figure 1. Hypothetical Scenario
Only WEB API Service with IP1 is allowed to establish connections with CosmosDB EndPoint. The others elements showed as Application are not allowed. By default we have in our CosmosDB resource the following configuration (see Figure 2) in Firewall and Virtual Networks option.
|Figure 2. Default Configuration
|Figure 3. WEB API running in localhost
Without firewall rules, we can retrieve data from CosmosDB collection from a REST API hosted in our development laptop. (See Figure 4).
|Figure 4. Retrieving data from CosmosDB Collection
Now we are going to allow access only from Public Azure Data Centers and from Azure Portal.
|Figure 5. Allow Access only from Azure
If we try to retrieve again data from CosmosDB Collection we got error message (See Figure 6)
|Figure 6. Error Message
|Figure 7. Access from Azure
Figures 6 and 7 show that, even when we do not understand anything about virtual networks, we can add some IP's address or ranges of these in Firewall and Virtual Networks option to limit and control access to our resources in CosmosDB.