From the course: Microsoft Azure Cosmos DB Developer Specialty (DP-420) Cert Prep by Microsoft Press
Configure network-level access control for Azure Cosmos DB
- [Instructor] All right, this is a big focus of the exam. You might think, "Well, wait a minute now. I thought that this certification was about application development. I know practically nothing about software-defined networking." Well, this may be your big challenge then in your prep, because there is quite a bit of this networking stuff in scope. I mean, this lesson is about security. We're concerned about network access, inbound and outbound. And we also have to keep in mind that we're not dealing with Cosmos DB in the realm of, say, Azure Stack Hub, where you've got an air-gapped environment. We're talking about using the Azure commercial multi-tenant cloud. So, it's critical that you know these technologies.

First, we have the resource firewall. Let me bring out my drawing tools here. The default, unless you specify otherwise, is for your Cosmos account to be available on the internet, and so that would be public network access, all networks. Now, does that mean that it's anonymous authentication? Of course not. You authenticate in a number of different ways; we'll review those momentarily in this lesson. If you want to restrict access, you can use the IP list called the resource firewall. We can say selected networks, and then we have this IP address range, where you can put in single or CIDR IPv4 addresses. This is not particularly scalable though, of course, because that means if you've got remote developers, you're going to have to create firewall exceptions for all of their public IPs. And, you know, if you work with a residential internet service provider, the likelihood of you having a static public IP is low. So that means that when you get a new public IP, you need another entry on the resource firewall. It can be pretty annoying, for sure. There are some exceptions down here where you can say, "Accept connections from within the Azure data center fabric," as well as allowing access from the Azure portal. That can help so developers at least can get to the Azure Resource Manager control plane. And then for the data plane, there's the Data Explorer.

But this is important to think about. There's also a Disabled option, as you can see. Well, if Cosmos DB sits on the internet by default, and we disable all inbound from the internet, then how in the world can you make a connection to the account? It's a reasonable question. The answer to that is with private endpoint. This is a big deal in Azure. You really should know about this just for your general success with Azure. Private endpoint provides a way for your people, that is your developers and your architects and your infrastructure people, to communicate with Cosmos over a private IP. Now, this isn't necessarily your customers and your customer application, although it could be, at least from the application standpoint. Bottom line is you need a back channel using the Azure backbone network to communicate securely with Cosmos without exposing it to the internet. I mean, another idea that just came to my mind is maybe you have a site-to-site VPN or an ExpressRoute circuit, and this is an internal line-of-business application running in Azure. That would be a case where you would want to use private endpoint.

It's strongly recommended that you use the Azure DNS private zone for name resolution, because what happens, let me again bring my drawing tools out, is when you create a private endpoint, you define that at a per-subnet level in one or more of your Azure virtual networks, all right? Azure creates a virtual network interface card for that private endpoint, and therefore it'll pick up a private, non-internet-routable IP address from the Azure wire server, or Azure DHCP, Dynamic Host Configuration Protocol. So, the question then is, how do you connect to Cosmos? We're accustomed to using a DNS name. Will you continue to use a DNS name? Yes. It's just that the point is, how do you resolve that public DNS name to a private IP address? Now, there are at least three options. One, you can handle DNS entirely on your own. Two, you can use Azure DNS private zone. And when you do that, let me come back to the slides, you get a non-internet-accessible zone called privatelink.documents.azure.com, and that's where your private endpoint will register the public DNS name and the private IP address of the Cosmos DB account. Now, there is a third option, and that is the Azure DNS Private Resolver. That is a way, especially in a hybrid cloud scenario, for you to more efficiently resolve that private IP. We don't need to go too far down the rabbit hole on that, and the Azure DNS Private Resolver, as of this recording in fall 2022, is in preview anyway, but it's something that you'll want to look at.

Now, if you are familiar with software-defined networking and Azure VNets, you're probably thinking, "Well, what if we have network security groups or NSG firewalls on that subnet?" Historically, private endpoints were immune to NSG rules, but nowadays you can, in fact, enable an NSG private endpoint network policy that allows you to more granularly scope and restrict traffic to and from the private endpoint. So, long story short, the high-level view is that you're in a situation where, say, you're in a hybrid cloud and you need to communicate with Cosmos DB, but your requirement is not to come in over the internet, but to come in through the Azure backbone network. You create your private endpoint in your hub virtual network. It's recommended that you use Azure Private DNS to handle name resolution. In a hybrid scenario, I would definitely look at the Azure DNS Private Resolver. And then lastly, you don't have to change the connection strings. You'll still make calls to the Azure Cosmos DB account's public DNS name, but the private resolution will be handled by Azure, okay? I'll go into a little bit more depth on that in the demo.
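To make the two mechanisms the lesson walks through concrete, here is an added Bicep example (not code from the course or from Microsoft Press) that deploys one Cosmos DB account with the resource firewall set to selected networks, a private endpoint in a hub subnet, and the privatelink.documents.azure.com private DNS zone the lesson names. The account name, the office CIDR, and the existing hub subnet and VNet resource ids are assumptions.

```bicep
// Added example, not code from the course: a Cosmos DB account restricted to selected
// networks, reached over the Azure backbone via a private endpoint and Azure Private DNS.
// The account name, the office CIDR and the existing hub subnet/VNet ids are assumptions.
param location string = resourceGroup().location
param accountName string = 'cosmos-lob-example' // assumed
param hubSubnetId string                         // assumed: existing hub subnet resource id
param hubVnetId string                           // assumed: existing hub VNet resource id
resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  name: accountName
  location: location
  properties: {
    databaseAccountOfferType: 'Standard'
    locations: [ { locationName: location, failoverPriority: 0 } ]
    // Default is 'Enabled' with no ipRules ("All networks"). 'Enabled' plus ipRules is
    // "Selected networks"; set 'Disabled' once all clients use the private endpoint.
    publicNetworkAccess: 'Enabled'
    // Constructed office range, plus the special value 0.0.0.0 = accept Azure datacenter traffic.
    ipRules: [ { ipAddressOrRange: '203.0.113.0/24' }, { ipAddressOrRange: '0.0.0.0' } ]
  }
}
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${accountName}-pe'
  location: location
  properties: {
    subnet: { id: hubSubnetId } // the endpoint NIC takes a private IP from this subnet
    privateLinkServiceConnections: [
      {
        name: 'cosmos-sql'
        properties: { privateLinkServiceId: cosmos.id, groupIds: [ 'Sql' ] }
      }
    ]
  }
}
// The zone the lesson names: the endpoint registers the account's A record here, so
// clients keep the public DNS name but resolve it to the private IP inside the VNet.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.documents.azure.com'
  location: 'global'
}
resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'hub-link'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: hubVnetId } }
}
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'cosmos', properties: { privateDnsZoneId: zone.id } } ] }
}
```

For the NSG point in the lesson, the hub subnet itself must have privateEndpointNetworkPolicies set to 'Enabled' before NSG rules apply to traffic reaching the endpoint; the subnet is assumed to exist here, so that setting is not shown.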