I am trying to secure my Cosmos DB account with a firewall in my ARM template. I have used the portal to see how I should edit the template.
In the portal, I have selected the tickboxes "Accept connections from within public Azure datacenters" and "Allow access from Azure Portal". This adds the following IP addresses to the ipRangeFilter property.
104.42.195.92
40.76.54.131
52.176.6.30
52.169.50.45
52.187.184.26
0.0.0.0
Can I hardcode these IPs in the ARM template, or will they change in the future? Apart from 0.0.0.0 I suspect they would change. If so, how can I automatically add these IPs to the firewall whitelist without going to the portal?
Thanks
Access Azure Cosmos DB Explorer: Sign in to the Azure portal. From All resources, find and navigate to your Azure Cosmos DB account, select Keys, and copy the Primary Connection String. Go to https://cosmos.azure.com/, paste the connection string and select Connect.
Support for Cosmos DB accounts in Azure Storage Explorer will be deprecated in future versions, which is why "deprecated" is shown beside the Cosmos DB accounts option.
Azure Cosmos DB account connection: Select New, then choose Azure Cosmos DB Account and the Database account you created earlier, and then select OK. This creates an application setting for your account connection. This setting is used by the binding to connect to the database. Select OK to create the binding.
Azure Cosmos DB is Microsoft's globally distributed multi-model database service. You can communicate with the Azure Cosmos DB's API for MongoDB using any of the open-source MongoDB client drivers. The Azure Cosmos DB's API for MongoDB enables the use of existing client drivers by adhering to the MongoDB wire protocol.
The Portal IPs are documented here
| Region            | IP address |
| ----------------- | ---------- |
| Germany           | 51.4.229.218 |
| China             | 139.217.8.252 |
| US Gov            | 52.244.48.71 |
| All other regions | 104.42.195.92,40.76.54.131,52.176.6.30,52.169.50.45,52.187.184.26 |
The 0.0.0.0 IP is to allow any other Azure Service (which includes the Portal, since it runs on Azure) to access the account as described here.
This option configures the firewall to allow all requests from Azure, including requests from the subscriptions of other customers deployed in Azure. The list of IPs allowed by this option is wide, so it limits the effectiveness of a firewall policy. Use this option only if your requests don’t originate from static IPs or subnets in virtual networks. Choosing this option automatically allows access from the Azure portal because the Azure portal is deployed in Azure.
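The following is an added example, not part of the original question or answer: a pre-deployment check that reads an ARM template and reports, per Cosmos DB account, whether `ipRangeFilter` contains the wide `0.0.0.0` entry and which portal IPs from the table above are missing. The sample template, account names and the `203.0.113.10` address are constructed, and the code assumes `ipRangeFilter` is a comma-separated string as shown in the question.

```python
import json

# Portal IPs copied from the table on this page. They can change, so keep them
# in one place and refresh them from the documentation before relying on them.
PORTAL_IPS = {
    "Germany": ["51.4.229.218"],
    "China": ["139.217.8.252"],
    "US Gov": ["52.244.48.71"],
    "All other regions": ["104.42.195.92", "40.76.54.131", "52.176.6.30",
                          "52.169.50.45", "52.187.184.26"],
}
ALLOW_ALL_AZURE = "0.0.0.0"  # "Accept connections from within public Azure datacenters"
COSMOS_TYPE = "microsoft.documentdb/databaseaccounts"

def audit_template(template, region="All other regions"):
    """Return one finding dict per Cosmos DB account in a parsed ARM template."""
    portal = PORTAL_IPS[region]
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != COSMOS_TYPE:
            continue
        raw = res.get("properties", {}).get("ipRangeFilter", "")
        # A value such as "[parameters('ipFilter')]" is resolved only at deploy time.
        unresolved = raw.strip().startswith("[")
        entries = [] if unresolved else [e.strip() for e in raw.split(",") if e.strip()]
        findings.append({
            "name": res.get("name"),
            "unresolved_expression": unresolved,
            "firewall_enabled": unresolved or bool(entries),
            "allows_all_azure": ALLOW_ALL_AZURE in entries,
            "missing_portal_ips": [ip for ip in portal if ip not in entries],
            "other_entries": [e for e in entries
                              if e != ALLOW_ALL_AZURE and e not in portal],
        })
    return findings

# Constructed sample: the first account mirrors the portal settings in the question,
# the second drops 0.0.0.0, omits one portal IP and adds a made-up client address.
SAMPLE = {"resources": [
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "acct-portal-defaults",
     "properties": {"ipRangeFilter": ",".join(PORTAL_IPS["All other regions"]) + ",0.0.0.0"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "ignored", "properties": {}},
    {"type": "Microsoft.DocumentDB/databaseAccounts", "name": "acct-restricted",
     "properties": {"ipRangeFilter": "104.42.195.92,40.76.54.131,52.176.6.30,52.169.50.45,203.0.113.10"}},
]}

if __name__ == "__main__":
    print(json.dumps(audit_template(SAMPLE), indent=2))
```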