Security | Critical | Occasional | AZF-0028

Cosmos DB with public network access enabled puts your database on the internet

A Cosmos DB account with publicNetworkAccess set to Enabled accepts connections from the public internet. A private endpoint does not turn this off.

Footgun ID
AZF-0028 (Azure Footgun No. 28)
Azure service
Azure Cosmos DB
Resource type
Microsoft.DocumentDB/databaseAccounts
Updated
July 1, 2026

What it is

A Cosmos DB account whose publicNetworkAccess property is set to Enabled, exposing its data-plane endpoint to the public internet. Anyone who can reach the endpoint and holds a key or token can read and write every database and container in the account, no matter which network they connect from.

Impact (security)
Every database in the account reachable from any network, gated only by keys
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

publicNetworkAccess defaults to Enabled when you create a Cosmos DB account. Locking it down is a separate, deliberate step, and it is easy to skip when a team is focused on getting the app talking to the database.

The trap that catches careful teams is that adding a private endpoint does not disable public access. You wire up Private Link, assume the account is now private, and the public endpoint stays open the whole time because the two settings are independent. Nothing in the portal flags the contradiction, so an account can sit "behind" a private endpoint and still answer the internet.

What it costs / blast radius

The blast radius is the entire account: every database, container, and document, reachable from any network. (Azure behavior; authored assessment.) Access is gated only by keys or tokens, so a leaked connection string, a key committed to a repo, or a token pulled from a compromised app becomes a direct path to your data with no network boundary in the way. Cosmos DB stores primary keys that grant full account access, which makes the exposed surface unusually high value.

See it

Footgun: public network access left Enabled (the create-time default)

param location string = resourceGroup().location

resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' = {
  name: 'corp-cosmos'
  location: location
  kind: 'GlobalDocumentDB'
  properties: {
    databaseAccountOfferType: 'Standard'
    publicNetworkAccess: 'Enabled'   // reachable from the internet, keys are the only gate
    locations: [ { locationName: location } ]
  }
}

Fix: disable public network access and reach the account over Private Link

param location string = resourceGroup().location

resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2024-05-15' = {
  name: 'corp-cosmos'
  location: location
  kind: 'GlobalDocumentDB'
  properties: {
    databaseAccountOfferType: 'Standard'
    publicNetworkAccess: 'Disabled'  // the public endpoint stops answering
    locations: [ { locationName: location } ]
  }
}
// A private endpoint is required for private access, but note:
// adding one does NOT flip publicNetworkAccess for you. Set both.
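A check for the contradiction described under "Why it happens" and shown in the Bicep above, added here as an example and not part of this entry or of the StratoLens product: it reads Cosmos DB account records in the shape of `az cosmosdb list -o json` (`publicNetworkAccess` and `privateEndpointConnections` are the resource's real properties; the sample records and their ids are constructed) and reports every account whose public endpoint still answers, separating out the ones that already have a private endpoint and therefore look private.

```python
import json

# Azure's create-time default: an account with no publicNetworkAccess set is public.
DEFAULT_PUBLIC_ACCESS = "Enabled"


def classify_account(acct):
    """Return 'private', 'public', or 'public-with-private-endpoint' for one account.

    Accepts either the flattened `az cosmosdb list` shape or the raw ARM shape,
    where the settings live under `properties`.
    """
    props = acct.get("properties", acct)
    public = (props.get("publicNetworkAccess") or DEFAULT_PUBLIC_ACCESS).lower()
    has_private_endpoint = bool(props.get("privateEndpointConnections"))
    if public == "disabled":
        return "private"
    # The trap: a private endpoint exists, but the public endpoint still answers.
    return "public-with-private-endpoint" if has_private_endpoint else "public"


def find_footguns(accounts):
    """List every account that is still reachable from the internet."""
    findings = []
    for acct in accounts:
        verdict = classify_account(acct)
        if verdict != "private":
            findings.append({"name": acct.get("name"),
                             "resourceGroup": acct.get("resourceGroup"),
                             "finding": verdict})
    return findings


# Constructed sample records, not captured from a real tenant.
SAMPLE_ACCOUNTS = json.loads("""[
  {"name": "locked-down", "resourceGroup": "rg-a",
   "publicNetworkAccess": "Disabled",
   "privateEndpointConnections": [{"id": "/subscriptions/<sub>/.../pe-1"}]},
  {"name": "wide-open", "resourceGroup": "rg-a",
   "publicNetworkAccess": "Enabled", "privateEndpointConnections": []},
  {"name": "looks-private", "resourceGroup": "rg-b",
   "publicNetworkAccess": "Enabled",
   "privateEndpointConnections": [{"id": "/subscriptions/<sub>/.../pe-2"}]},
  {"name": "never-configured", "resourceGroup": "rg-b"}
]""")

if __name__ == "__main__":
    for f in find_footguns(SAMPLE_ACCOUNTS):
        print(f"{f['resourceGroup']}/{f['name']}: {f['finding']}")
```

Feed it the real output of `az cosmosdb list -o json` per subscription to run the same check against your own accounts.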

How StratoLens helps

StratoLens flags Cosmos DB accounts with public network access enabled automatically, continuously, across every subscription in your tenant, and catches the setting silently flipping back to Enabled after someone tightens it. You find out that the database is on the internet before an attacker does, not during the incident review.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.