What it is
An Azure Cache for Redis instance with publicNetworkAccess set to Enabled, so the cache answers on a public internet endpoint. Anyone who obtains an access key can read and write everything in it, and for most applications "everything" means session tokens, authentication state, and hot copies of database rows. The cache gets treated as plumbing, but it holds live security material.
Why it happens
publicNetworkAccess defaults to Enabled on Azure Cache for Redis, and the quickest path to a working cache is the one that never touches networking settings. Caches tend to get created early in a project, when the priority is "app connects, latency is low," and the mental model is that a cache is disposable infrastructure rather than a data store.
Moving to a private endpoint requires VNet and private DNS work that feels disproportionate for "just a cache," so nobody circles back. The result is a public endpoint protected only by access keys, which are long-lived, shared by every client, and routinely pasted into connection strings, app settings, and CI variables.
What it costs / blast radius
Think about what actually lives in the cache. Session tokens mean account takeover without touching a password. Cached query results mean data disclosure from a resource that never appears in a data-classification review. An access key grants full data-plane access with no per-user identity behind it, so if a key leaks you get no answer to "who read what."
Public reachability turns every key leak from a theoretical problem into an internet-wide one: the attacker doesn't need a foothold in your network, just the hostname and the key. (Authored assessment of Azure behavior; exposure depends on what your application caches.)
See it
resource cache 'Microsoft.Cache/redis@2024-03-01' = {
name: 'app-cache'
location: location
properties: {
sku: { name: 'Standard', family: 'C', capacity: 1 }
publicNetworkAccess: 'Enabled' // default when not set
}
}resource cache 'Microsoft.Cache/redis@2024-03-01' = {
name: 'app-cache'
location: location
properties: {
sku: { name: 'Standard', family: 'C', capacity: 1 }
publicNetworkAccess: 'Disabled'
}
}
resource cachePe 'Microsoft.Network/privateEndpoints@2023-09-01' = {
name: 'app-cache-pe'
location: location
properties: {
subnet: { id: appSubnetId }
privateLinkServiceConnections: [
{
name: 'app-cache-plsc'
properties: {
privateLinkServiceId: cache.id
groupIds: ['redisCache']
}
}
]
}
}How StratoLens helps
StratoLens flags every Redis cache with public network access enabled, automatically and continuously, across every subscription in your tenant. The cache someone stood up two years ago in a subscription nobody opens gets the same scrutiny as the one you built last week, and it runs inside your own tenant, so the findings never leave your environment.