November 19th, 2024

Introducing Network Security Perimeter for Azure Cosmos DB: A New Way to Enhance Application Security

Iria Osara
Program Manager

Security is essential for any application, and we are pleased to announce the public preview of Azure Network Security Perimeter, a feature that lets Azure Cosmos DB customers enhance their application security by creating a logical network boundary that isolates your application's network from external networks, such as the internet. Network security perimeter provides an extra layer of security to block unauthorized access to your data.

Why use network security perimeter?

Azure Network Security Perimeter provides a secure perimeter for PaaS services such as Azure Cosmos DB that are deployed outside of your virtual network, giving you control over access to those PaaS resources. Some of the reasons why you might want to use network security perimeter:

  • Restrict access to specific PaaS resources such as Azure Cognitive Search, Azure Storage, etc.
  • Set up firewall rules in the network security perimeter to allow filtering on private IP addresses.
  • Prevent data exfiltration by adding Azure Cosmos DB to the perimeter.
  • Create a secure boundary between your Azure Cosmos DB accounts and other PaaS services.
  • Create inbound and outbound access rules to allow communication outside your network security perimeter.

How it works

Azure Network Security Perimeter allows Azure PaaS resources to communicate within an explicit trusted boundary. External access can be limited based on network controls defined across all private link resources within a perimeter.

A screenshot of an overview of network security perimeter.

Some of the major features include:

  • Securing PaaS-to-PaaS communication: All resources inside the perimeter can communicate with any other resource within the perimeter.
  • Public access control for PaaS services: For external access, the following controls are available:
    • Public inbound access can be approved using network and identity attributes of the client, such as source IP addresses, subscriptions, etc.
    • Public outbound access can be approved using the fully qualified domain names (FQDNs) of the external destinations.
  • Access telemetry logging: Diagnostic logs are enabled for PaaS resources within the perimeter for audit and compliance.
  • Complements private endpoints: Resources with private endpoints can additionally accept communication from customer virtual networks; network security perimeter and private endpoints are independent controls.
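To make the model above concrete, here is an added Bicep example (written for this page, not code from the post or from the Azure Cosmos DB team) that creates a perimeter, a profile holding one inbound rule by source IP range, one inbound rule by trusted subscription and one outbound rule by FQDN, and then associates an existing Azure Cosmos DB account with that profile. The resource names, the CIDR block, the subscription id, the FQDN, and the API version `2023-08-01-preview` are placeholders and assumptions; verify them against the Azure Resource Manager template reference before deploying.

```bicep
// Added example, not from the original post. Names, CIDR, subscription id,
// FQDN and API versions are placeholders/assumptions; check them against the docs.

param location string = resourceGroup().location
param cosmosAccountName string                        // existing Cosmos DB account
param allowedInboundCidr string = '203.0.113.0/24'    // placeholder (TEST-NET-3 range)
param trustedSubscriptionId string = '00000000-0000-0000-0000-000000000000' // placeholder
param allowedOutboundFqdn string = 'api.example.com'  // placeholder destination

// The existing Cosmos DB account that will be placed inside the perimeter.
resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' existing = {
  name: cosmosAccountName
}

// 1. The perimeter: the logical boundary around the PaaS resources.
resource nsp 'Microsoft.Network/networkSecurityPerimeters@2023-08-01-preview' = {
  name: 'nsp-cosmos'
  location: location
}

// 2. A profile groups the access rules; resources are associated with a profile.
resource profile 'Microsoft.Network/networkSecurityPerimeters/profiles@2023-08-01-preview' = {
  parent: nsp
  name: 'profile-cosmos'
  location: location
}

// 3a. Public inbound access approved by a network attribute: source IP range.
resource inboundIpRule 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-08-01-preview' = {
  parent: profile
  name: 'allow-inbound-office-cidr'
  location: location
  properties: {
    direction: 'Inbound'
    addressPrefixes: [
      allowedInboundCidr
    ]
  }
}

// 3b. Public inbound access approved by an identity attribute: a trusted subscription.
resource inboundSubRule 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-08-01-preview' = {
  parent: profile
  name: 'allow-inbound-trusted-subscription'
  location: location
  properties: {
    direction: 'Inbound'
    subscriptions: [
      {
        id: '/subscriptions/${trustedSubscriptionId}'
      }
    ]
  }
}

// 3c. Public outbound access approved by destination FQDN; anything not listed
//     is blocked, which is what limits data-exfiltration paths.
resource outboundFqdnRule 'Microsoft.Network/networkSecurityPerimeters/profiles/accessRules@2023-08-01-preview' = {
  parent: profile
  name: 'allow-outbound-partner-api'
  location: location
  properties: {
    direction: 'Outbound'
    fullyQualifiedDomainNames: [
      allowedOutboundFqdn
    ]
  }
}

// 4. Associate the Cosmos DB account with the profile. 'Learning' only logs
//    what the rules would block; review the diagnostic logs, then switch to
//    'Enforced' so legitimate traffic is not cut off unexpectedly.
resource assoc 'Microsoft.Network/networkSecurityPerimeters/resourceAssociations@2023-08-01-preview' = {
  parent: nsp
  name: 'assoc-cosmos'
  location: location
  properties: {
    privateLinkResource: {
      id: cosmos.id
    }
    profile: {
      id: profile.id
    }
    accessMode: 'Learning'
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file nsp-cosmos.bicep --parameters cosmosAccountName=<account>`. Starting in learning mode and reviewing the perimeter's diagnostic logs before enforcing is the practical way to confirm the inbound and outbound rules cover every legitimate client and destination; the Cosmos DB account's own public network access setting still applies alongside the perimeter, so check the linked configuration guide for the account-side setting.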

Next Steps

In summary, network security perimeter complements what we currently have in place today, including private endpoints, which allow access to a private resource within the perimeter, and VNet injection, which enables managed VNet offerings to access resources within the perimeter. Learn more about how to Configure Network Security Perimeter in Azure Cosmos DB.

About Azure Cosmos DB

Azure Cosmos DB is a fully managed and serverless distributed database for modern app development, with SLA-backed speed and availability, automatic and instant scalability, and support for open-source PostgreSQL, MongoDB, and Apache Cassandra. Try Azure Cosmos DB for free here. To stay in the loop on Azure Cosmos DB updates, follow us on X, YouTube, and LinkedIn.

Author

Iria Osara
Program Manager

Iria is a Program Manager within the Azure Cosmos DB team. Iria is passionate about cloud computing, big data and helping the developer/data community understand more about Cosmos DB.
