This blog was co-authored by Anitha Adusumilli, Principal Program Manager, Azure Networking and Sumeet Mittal, Program Manager, Azure Networking.
Azure Cosmos DB is Microsoft's globally distributed, multi-model database service for mission-critical applications. Azure Cosmos DB provides turnkey global distribution, elastic scaling of throughput and storage worldwide, single-digit millisecond latencies at the 99th percentile, five well-defined consistency models, and guaranteed high availability, all backed by industry-leading comprehensive SLAs. Azure Cosmos DB automatically indexes all your data without requiring you to deal with schema or index management. It is a multi-model service and supports document, key-value, graph, and column-family data models.
Improved security capabilities
We are excited to announce the general availability of Virtual Network Service Endpoints for Azure Cosmos DB. When a service endpoint is enabled on a subnet, traffic from that subnet to Azure Cosmos DB stays on the Azure backbone and carries the identity of the virtual network and subnet, so you can add network rules to an Azure Cosmos DB account that accept traffic only from the subnets you select. This feature is now available in all regions of the Azure public cloud.
Customers can combine the existing IP firewall access control list (ACL) with the new virtual network boundary. Both are network-level filters that apply in addition to the account's key- and resource-token-based authorization: a caller must pass the network rules and present a valid key or token. Azure Cosmos DB is the first service to support cross-region access control, so you can restrict access to a globally distributed Azure Cosmos DB account to subnets located in multiple regions.
To use this feature, first enable the service endpoint for Azure Cosmos DB (Microsoft.AzureCosmosDB) on the subnet of the virtual network that should be allowed. In the example below, we enable it on the backend subnet of the virtual network gskvneteast.
Once that is done, the backend subnet has the Azure Cosmos DB service endpoint enabled. The endpoint by itself does not restrict anything; it only makes traffic from the subnet identifiable to the service so that an account rule can match it.
Then, from your Azure Cosmos DB account, allow access from one or more subnets of a virtual network. A detailed walkthrough of how to enable the network functionality is in Configure Azure Cosmos DB Virtual Networks. Below we allow access from the backend subnet of the gskvneteast virtual network to the gskdemovnet account.
This ensures that the account gskdemovnet can be reached from the backend subnet of the gskvneteast virtual network. You can add further subnets from other virtual networks, or create a new virtual network from the portal interface. Once the virtual network filter is enabled, clients that are neither in an allowed subnet nor covered by an IP firewall rule are refused, so add IP rules for anything else that still needs access. The same actions can be performed with a PowerShell script.
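The two steps above, as an added PowerShell example that is not code from the original post: it enables the service endpoint on the subnet, then adds that subnet to the account's virtual network rules and turns the filter on, preserving any rules already present so a re-run does not drop other subnets. The resource group name rg-demo is an assumption, as are the Az.Network and Az.CosmosDB modules being installed and Connect-AzAccount already having been run; the virtual network, subnet and account names are the ones used in this post.

```powershell
# Added example (not from the original post). Assumes Az.Network and Az.CosmosDB
# are installed and Connect-AzAccount has been run. "rg-demo" is an assumed name.
$rg         = "rg-demo"
$vnetName   = "gskvneteast"
$subnetName = "backend"
$acctName   = "gskdemovnet"

# Step 1: enable the Microsoft.AzureCosmosDB service endpoint on the subnet.
# Without it, the subnet's traffic reaches Cosmos DB from a public IP and will
# never match a virtual network rule. Other endpoints on the subnet are kept.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet

$endpoints = @($subnet.ServiceEndpoints | ForEach-Object { $_.Service })
if ($endpoints -notcontains "Microsoft.AzureCosmosDB") {
    $endpoints += "Microsoft.AzureCosmosDB"
    Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
        -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint $endpoints | Out-Null
    $vnet   = $vnet | Set-AzVirtualNetwork
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
}

# Step 2: add the subnet's resource ID to the account's virtual network rules
# and enable the filter. Rules already on the account are kept; subnets from
# virtual networks in other regions are simply more IDs in the same list.
$account = Get-AzCosmosDBAccount -ResourceGroupName $rg -Name $acctName
$ruleIds = @($account.VirtualNetworkRules | ForEach-Object { $_.Id })
if ($ruleIds -notcontains $subnet.Id) { $ruleIds += $subnet.Id }

Update-AzCosmosDBAccount -ResourceGroupName $rg -Name $acctName `
    -EnableVirtualNetwork $true -VirtualNetworkRule $ruleIds | Out-Null

# Step 3: read the account back and check what is now enforced.
$account = Get-AzCosmosDBAccount -ResourceGroupName $rg -Name $acctName
"VNet filter enabled: $($account.IsVirtualNetworkFilterEnabled)"
$account.VirtualNetworkRules | ForEach-Object { "Allowed subnet: $($_.Id)" }
$account.IpRules | ForEach-Object { "Allowed IP range: $($_.IpAddressOrRangeProperty)" }
```

The order matters: the endpoint is enabled before the rule is added, because the account update is rejected for a subnet that has no Cosmos DB endpoint unless the rule is created with ignoreMissingVNetServiceEndpoint. After the filter is on, run a request from a client outside the allowed subnet and confirm it is refused with 403 Forbidden; if your own workstation or the portal's Data Explorer needs access, add its address under the IP firewall rather than widening the subnet list.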
Conclusion
The crucial point is that your Azure Cosmos DB account is globally distributed, and with this capability you can restrict it to specific subnets, which may sit in any region. Everything you rely on in Cosmos DB, automatic or manual failover, schema-less indexing and the consistency guarantees, remains the same. You get an additional security layer for your accounts alongside the IP firewall. The capability applies equally to the multi-master/active-active writes private preview feature.
In this release the capability is enabled for the SQL API and the Azure Cosmos DB API for MongoDB in public cloud regions. The other Cosmos DB APIs will follow soon.
Next steps
To get started, refer to the documentation Virtual Network Service Endpoints and Configure Azure CosmosDB Virtual Networks.
Our mission is to be the most trusted database service in the world and to enable you to build amazingly powerful, planet-scale apps, more easily. Try out Service endpoints and other new capabilities in Azure Cosmos DB and let us know what you think! If you need any help or have questions or feedback, reach out to us by emailing askcosmosdb@microsoft.com. Stay up-to-date on the latest Azure Cosmos DB news and features by following us on Twitter @AzureCosmosDB, #CosmosDB. We are excited to see what you build with Azure Cosmos DB.
— Your friends at Azure Cosmos DB