Skip to main content
Back to the Azure Footguns Database
SecurityMediumCommonAZF-0069

An internet-reachable Azure Cache for Redis puts live session tokens one leaked key from exposure

A cache that usually holds session tokens and hot application data is reachable from the internet, and an access key is the only thing standing in the way.

Footgun ID
AZF-0069 (Azure Footgun No. 69)
Azure service
Azure Cache for Redis
Resource type
Microsoft.Cache/redis
Updated
July 9, 2026

What it is

An Azure Cache for Redis instance with publicNetworkAccess set to Enabled, so the cache answers on a public internet endpoint. Anyone who obtains an access key can read and write everything in it, and for most applications "everything" means session tokens, authentication state, and hot copies of database rows. The cache gets treated as plumbing, but it holds live security material.

Impact (security)
Session tokens, auth state, and cached data reachable from any internet address, with an access key as the only barrier
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

publicNetworkAccess defaults to Enabled on Azure Cache for Redis, and the quickest path to a working cache is the one that never touches networking settings. Caches tend to get created early in a project, when the priority is "app connects, latency is low," and the mental model is that a cache is disposable infrastructure rather than a data store.

Moving to a private endpoint requires VNet and private DNS work that feels disproportionate for "just a cache," so nobody circles back. The result is a public endpoint protected only by access keys, which are long-lived, shared by every client, and routinely pasted into connection strings, app settings, and CI variables.

What it costs / blast radius

Think about what actually lives in the cache. Session tokens mean account takeover without touching a password. Cached query results mean data disclosure from a resource that never appears in a data-classification review. An access key grants full data-plane access with no per-user identity behind it, so if a key leaks you get no answer to "who read what."

Public reachability turns every key leak from a theoretical problem into an internet-wide one: the attacker doesn't need a foothold in your network, just the hostname and the key. (Authored assessment of Azure behavior; exposure depends on what your application caches.)

See it

Footgun: the cache answers on a public endpoint (also the default when omitted)
resource cache 'Microsoft.Cache/redis@2024-03-01' = {
  name: 'app-cache'
  location: location
  properties: {
    sku: { name: 'Standard', family: 'C', capacity: 1 }
    publicNetworkAccess: 'Enabled'   // default when not set
  }
}
Fix: disable public network access and connect through a private endpoint
resource cache 'Microsoft.Cache/redis@2024-03-01' = {
  name: 'app-cache'
  location: location
  properties: {
    sku: { name: 'Standard', family: 'C', capacity: 1 }
    publicNetworkAccess: 'Disabled'
  }
}

resource cachePe 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: 'app-cache-pe'
  location: location
  properties: {
    subnet: { id: appSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'app-cache-plsc'
        properties: {
          privateLinkServiceId: cache.id
          groupIds: ['redisCache']
        }
      }
    ]
  }
}

How StratoLens helps

StratoLens flags every Redis cache with public network access enabled, automatically and continuously, across every subscription in your tenant. The cache someone stood up two years ago in a subscription nobody opens gets the same scrutiny as the one you built last week, and it runs inside your own tenant, so the findings never leave your environment.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.