
Add more security to an Azure CosmosDB Account.

We can programmatically access Azure Cosmos DB resources to create, query, and delete databases, document collections, and documents via the REST API. To perform operations on Azure Cosmos DB resources, you send HTTPS requests with a selected method (GET, POST, PUT, or DELETE) to a CosmosDB endpoint.

We frequently build architectures with centralized access to a persistence layer, so we don't want other applications to access this layer directly.

Suppose we have the following hypothetical scenario (see Figure 1):


Figure 1. Hypothetical Scenario

Only the WEB API Service with IP1 is allowed to establish connections with the CosmosDB endpoint. The other elements, shown as Application, are not allowed. By default, our CosmosDB resource has the following configuration in the Firewall and Virtual Networks option (see Figure 2).

Figure 2. Default Configuration


To show you how this feature works, we are going to create a WEB API with a single function (route) that retrieves some information from a CosmosDB collection. We won't create a web application; for our purposes, a web API with Swagger UI is enough to show the functionality (see Figure 3).



Figure 3. WEB API running in localhost

Without firewall rules, we can retrieve data from the CosmosDB collection through a REST API hosted on our development laptop (see Figure 4).

Figure 4. Retrieving data from CosmosDB Collection

Now we are going to allow access only from public Azure datacenters and from the Azure Portal.

Figure 5. Allow Access only from Azure

If we try to retrieve data from the CosmosDB collection again, we get an error message (see Figure 6).

Figure 6. Error Message

We are still allowed to retrieve data from a WEB API hosted inside Azure (see Figure 7).

Figure 7. Access from Azure 

Figures 6 and 7 show that, even if we don't know anything about virtual networks, we can add IP addresses or ranges of addresses in the Firewall and Virtual Networks option to limit and control access to our resources in CosmosDB.
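An added example, not part of the original post: a Python check that reads an account's `ipRules` (the shape returned by `az cosmosdb show`) and reports the default open state from Figure 2, the `0.0.0.0` entry that the Azure datacenters option stores, and any address outside the list we expect. `IP1`, the portal address and the three sample accounts are constructed placeholders.

```python
import ipaddress

# Rule Cosmos DB stores when "Accept connections from within public Azure
# datacenters" is switched on in Firewall and Virtual Networks.
AZURE_DATACENTERS = "0.0.0.0"

def audit_firewall(account, expected):
    """Compare an account's ipRules with the addresses that should be allowed.
    Returns a list of (code, detail) tuples; an empty list means no findings."""
    rules = [r["ipAddressOrRange"] for r in account.get("ipRules", [])]
    public = account.get("publicNetworkAccess", "Enabled") != "Disabled"
    if public and not rules and not account.get("virtualNetworkRules"):
        # Default configuration: every network is accepted.
        return [("OPEN", "all networks")]
    wanted = [ipaddress.ip_network(e) for e in expected]
    findings, allowed = [], []
    for rule in rules:
        if rule == AZURE_DATACENTERS:
            # Covers every Azure-hosted caller, other customers' included.
            findings.append(("BROAD", rule))
            continue
        net = ipaddress.ip_network(rule, strict=False)
        allowed.append(net)
        if not any(net.subnet_of(w) for w in wanted):
            findings.append(("UNEXPECTED", rule))
    for w in wanted:
        if not any(w.subnet_of(a) for a in allowed):
            findings.append(("MISSING", str(w)))
    return findings

# Constructed sample data: IP1 and PORTAL are documentation-range
# placeholders, not real Azure addresses.
IP1, PORTAL = "203.0.113.10", "198.51.100.7"
DEFAULT_ACCOUNT = {"ipRules": [], "virtualNetworkRules": []}
AZURE_ONLY = {"ipRules": [{"ipAddressOrRange": AZURE_DATACENTERS},
                          {"ipAddressOrRange": PORTAL}]}
LOCKED_DOWN = {"ipRules": [{"ipAddressOrRange": IP1},
                           {"ipAddressOrRange": PORTAL}]}

if __name__ == "__main__":
    for name, acct in [("default", DEFAULT_ACCOUNT),
                       ("azure-only", AZURE_ONLY),
                       ("locked-down", LOCKED_DOWN)]:
        print(name, audit_firewall(acct, [IP1, PORTAL]))
```

The `BROAD` finding is the configuration from Figure 5: it keeps the laptop out but still admits any caller hosted in Azure, so the scenario in Figure 1 needs the `LOCKED_DOWN` form, where only IP1 and the portal address are listed.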

Bye !!!!
