satonaoki/CosmosDbFirewallUpdater

Cosmos DB Firewall Updater

"Cosmos DB Firewall Updater" is a small utility that updates the IP firewall rules of an Azure Cosmos DB account based on service tags. This is useful when you would like to allow access to your Cosmos DB database only from specific Azure services in specific Azure regions.

You specify a list of service tags. "Cosmos DB Firewall Updater" periodically (once per day) replaces the IP firewall rules with the list of IP addresses (or IP address prefixes) generated from those service tags.

"Cosmos DB Firewall Updater" is implemented as a PowerShell function with a timer trigger running on Azure Functions.

Usage

  1. Create a Cosmos DB account.

  2. Create a function app.

    • Runtime stack: PowerShell Core

    (Screenshot: Create a function app)

  3. Create a system assigned managed identity for the function app.

    (Screenshot: Create a managed identity)

  4. Create a role assignment for the Azure subscription.

    • Role: Reader
    • Member: The managed identity of the function app

    (Screenshot: Create a role assignment)

  5. Create a role assignment for the Cosmos DB account.

    • Role: Cosmos DB Operator
    • Member: The managed identity of the function app

    (Screenshot: Create a role assignment)

  6. Verify role assignments to the managed identity.

    (Screenshot: Verify role assignments)

  7. Add application settings to the function app.

    • SubscriptionId: ID of the Azure subscription. Example: 326b86f3-0ec3-41f7-b058-623b4bc0253f
    • CosmosDbResourceGroup: Resource group name of the Cosmos DB account. Example: myrg
    • CosmosDbAccount: Cosmos DB account name. Example: mycosmosdb
    • AllowedServiceTags: List of service tags. Example: AzureConnectors.JapanEast,AzureConnectors.JapanWest. Comma-separated list (without spaces) or empty. See this site.
    • AzurePortalIpAddresses: List of Azure Portal IP addresses. Example: 104.42.195.92,40.76.54.131,52.176.6.30,52.169.50.45,52.187.184.26. Comma-separated list (without spaces) taken from this table, or empty.
    • AdditionalIpAddresses: List of additional IP addresses. Example: 1.1.1.1,2.2.2.2,3.3.3.3. Comma-separated list (without spaces) or empty.

    (Screenshot: Add application settings)

  8. Open this GitHub repo in Visual Studio Code, and deploy the PowerShell function to the function app.

    (Screenshot: Deploy the PowerShell function)

  9. Test the function in Azure Portal.

    (Screenshot: Deploy the PowerShell function)

  10. Check the status of the Cosmos DB account. The status is "Updating" while the update of the IP firewall rules is in progress.

    (Screenshot: Check the status)

  11. After the status is back to "Online", verify the IP firewall rules.

    (Screenshot: Check the status)
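The following run.ps1 is an added example of what the timer-triggered function sketched above could look like; it is not the repository's own code. It assumes the function app's requirements.psd1 loads the Az modules (Az.Accounts, Az.Network, Az.CosmosDB), that the application settings from step 7 are read as environment variables, and one extra, assumed setting named ServiceTagLocation that selects the region whose Service Tag Discovery endpoint is queried (the returned list covers all tags in the cloud regardless of the region chosen). The cmdlets used (Connect-AzAccount, Set-AzContext, Get-AzNetworkServiceTag, Update-AzCosmosDBAccount) are standard Az cmdlets.

```powershell
# run.ps1 - timer-triggered Azure Functions (PowerShell) entry point.
# Added example; not the repository's own function.
param($Timer)

# Application settings of the function app are exposed as environment variables.
$subscriptionId = $env:SubscriptionId
$resourceGroup  = $env:CosmosDbResourceGroup
$accountName    = $env:CosmosDbAccount
# Assumed extra setting (not in the README): region of the Service Tag Discovery
# endpoint to query. Defaults to 'japaneast' if unset.
$tagLocation = if ($env:ServiceTagLocation) { $env:ServiceTagLocation } else { 'japaneast' }

# Split a comma-separated setting ("a,b,c" or empty) into a clean string array.
function Split-CsvSetting([string]$Value) {
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return @($Value.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$serviceTags   = Split-CsvSetting $env:AllowedServiceTags
$portalIps     = Split-CsvSetting $env:AzurePortalIpAddresses
$additionalIps = Split-CsvSetting $env:AdditionalIpAddresses

# Authenticate as the function app's system-assigned managed identity
# (Reader on the subscription, Cosmos DB Operator on the account, as set up in steps 4 and 5).
Connect-AzAccount -Identity | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Resolve each configured service tag to its address prefixes via the Service Tag Discovery API.
$tagValues   = (Get-AzNetworkServiceTag -Location $tagLocation).Values
$tagPrefixes = foreach ($tag in $serviceTags) {
    $match = $tagValues | Where-Object { $_.Name -eq $tag }
    if (-not $match) {
        # Fail closed: a mistyped tag must not silently produce a partial rule set.
        throw "Service tag '$tag' was not found; leaving the existing firewall rules unchanged."
    }
    $match.Properties.AddressPrefixes
}

# Merge all sources, drop IPv6 prefixes (the Cosmos DB IP firewall accepts IPv4 only)
# and de-duplicate so the rule list is stable from one run to the next.
$ipRules = @(
    @(@($tagPrefixes) + $portalIps + $additionalIps) |
        Where-Object { $_ -and $_ -notmatch ':' } |
        Sort-Object -Unique
)

# Fail closed: an empty rule list would remove the IP firewall entirely.
if ($ipRules.Count -eq 0) {
    throw "Computed IP rule list is empty; leaving the existing firewall rules unchanged."
}

Write-Host "Applying $($ipRules.Count) IP rules to Cosmos DB account '$accountName'."
Update-AzCosmosDBAccount -ResourceGroupName $resourceGroup -Name $accountName -IpRule $ipRules | Out-Null
```

The two throw statements are the part worth keeping whatever else you change: because Update-AzCosmosDBAccount replaces the whole rule set, a run that fed it an empty or incomplete list would either open the account to the public or cut off a region you still depend on, and aborting leaves the previous rules in place while the failed execution shows up in the function's monitoring.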
