
Add more security to an Azure CosmosDB Account.

We can programmatically access Azure Cosmos DB resources to create, query, and delete databases, document collections, and documents via the REST API. To perform operations on Azure Cosmos DB resources, you send HTTPS requests with a selected method (GET, POST, PUT, or DELETE) to a CosmosDB endpoint.

Frequently we build architectures with centralized access to a persistence layer, so we do not let other applications access this layer directly.

Suppose we have the following hypothetical scenario (see Figure 1):

Figure 1. Hypothetical Scenario

Only the WEB API service with IP1 is allowed to establish connections with the CosmosDB endpoint. The other elements shown as Application are not allowed. By default, our CosmosDB resource has the following configuration (see Figure 2) in the Firewall and Virtual Networks option.

Figure 2. Default Configuration

To show you how this feature works, we are going to create a WEB API with a single function (route) that retrieves some information from a CosmosDB collection. We won't create a web application; for our purposes, a WEB API with Swagger UI is enough to show the functionality (see Figure 3).

Figure 3. WEB API running in localhost

Without firewall rules, we can retrieve data from the CosmosDB collection through a REST API hosted on our development laptop (see Figure 4).

Figure 4. Retrieving data from CosmosDB Collection

Now we are going to allow access only from public Azure datacenters and from the Azure Portal.

Figure 5. Allow Access only from Azure

If we try to retrieve data from the CosmosDB collection again, we get an error message (see Figure 6).

Figure 6. Error Message

We are still allowed to retrieve data from a WEB API hosted inside Azure (see Figure 7).

Figure 7. Access from Azure 

Figures 6 and 7 show that, even if we do not know anything about virtual networks, we can add IP addresses or ranges of addresses in the Firewall and Virtual Networks option to limit and control access to our resources in CosmosDB.
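To check which of the states shown in the figures an account is actually in, the firewall settings can be audited from the account's JSON description. The script below is an added example, not code from this post: `audit_firewall` is a hypothetical helper, the field names (`ipRules`, `ipAddressOrRange`, `virtualNetworkRules`, `publicNetworkAccess`) are assumed to match the account description returned by Azure Resource Manager or `az cosmosdb show`, and all IP addresses are constructed samples.

```python
import ipaddress

# Value the portal stores for "Accept connections from within public Azure datacenters".
AZURE_DATACENTERS = "0.0.0.0"

def audit_firewall(account, approved, max_addresses=256):
    """Return findings for one account description (IPv4 rules, as the firewall uses)."""
    if account.get("publicNetworkAccess", "Enabled") == "Disabled":
        return []  # public endpoint is off, IP rules are irrelevant
    rules = [r["ipAddressOrRange"] for r in account.get("ipRules") or []]
    vnets = account.get("virtualNetworkRules") or []
    if not rules and not vnets:
        return ["OPEN: no IP or VNet rules, any network can reach the endpoint"]
    approved_nets = [ipaddress.ip_network(a, strict=False) for a in approved]
    findings = []
    for rule in rules:
        if rule == AZURE_DATACENTERS:
            findings.append("BROAD: 0.0.0.0 admits all Azure datacenter IPs, "
                            "including other customers' subscriptions")
            continue
        net = ipaddress.ip_network(rule, strict=False)
        if net.num_addresses > max_addresses:
            findings.append(f"WIDE: {rule} covers {net.num_addresses} addresses")
        if not any(net.version == a.version and net.subnet_of(a) for a in approved_nets):
            findings.append(f"UNEXPECTED: {rule} is not in the approved list")
    return findings

# Constructed sample data; 203.0.113.10 stands in for IP1 of Figure 1.
IP1 = "203.0.113.10"
DEFAULT = {"ipRules": [], "virtualNetworkRules": []}            # Figure 2
AZURE_ONLY = {"ipRules": [{"ipAddressOrRange": "0.0.0.0"}]}     # Figure 5, portal IPs omitted
LOCKED = {"ipRules": [{"ipAddressOrRange": IP1}]}               # Figure 1 target state
TOO_WIDE = {"ipRules": [{"ipAddressOrRange": "198.51.100.0/22"}]}

if __name__ == "__main__":
    for name, acct in [("default", DEFAULT), ("azure-only", AZURE_ONLY),
                       ("locked", LOCKED), ("too-wide", TOO_WIDE)]:
        print(name, audit_firewall(acct, [IP1]) or "ok")
```

The Figure 5 setting is reported as BROAD because it keeps the development laptop out but still accepts requests from any workload running in Azure; only the single-address rule for IP1 matches the scenario in Figure 1.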

Bye !!!!

