Limit Redis cache number of IP addresses
March 21, 2025
SYNOPSIS
Determine if there is an excessive number of permitted IP addresses for the Redis cache.
DESCRIPTION
When using Azure Cache for Redis, including a cache injected into a VNET, you can create firewall rules to limit access to the cache. Each firewall rule specifies a range of IP addresses (a start address and an end address) that is allowed to access the cache.
If no firewall rules are set and public network access is not disabled, then all IP addresses are allowed to access the cache. This is the default: a new cache is configured to allow access from all IP addresses.
Consider using private endpoints to limit access to the cache. If this is not possible, use firewall rules to limit access to the cache. However, avoid overly permissive firewall rules that are:
- Not needed.
- Too broad, permitting a wider range of addresses than the clients require.
- Too many, so that the permitted addresses add up to an excessive total.
RECOMMENDATION
The Redis cache permits network access from more than ten (10) public IP addresses. Some rules may not be needed, or their ranges can be reduced.
EXAMPLES
Configure with Azure template
To deploy caches that pass this rule:
- Set the properties.startIP property to the start of the IP address range.
- Set the properties.endIP property to the end of the IP address range.
- Limit the range of public IP addresses included in rules.
{
  "type": "Microsoft.Cache/redis/firewallRules",
  "apiVersion": "2023-04-01",
  "name": "[format('{0}/{1}', parameters('name'), 'allow-on-premises')]",
  "properties": {
    "startIP": "10.0.1.1",
    "endIP": "10.0.1.31"
  },
  "dependsOn": [
    "cache"
  ]
}
Configure with Bicep
To deploy caches that pass this rule:
- Set the properties.startIP property to the start of the IP address range.
- Set the properties.endIP property to the end of the IP address range.
- Limit the range of public IP addresses included in rules.
resource rule 'Microsoft.Cache/redis/firewallRules@2023-04-01' = {
  parent: cache
  name: 'allow-on-premises'
  properties: {
    startIP: '10.0.1.1'
    endIP: '10.0.1.31'
  }
}
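As an added illustration of the recommendation above (this is example code written for this page, not part of the rule's documentation or PSRule's own implementation), the following Python script counts the distinct public IPv4 addresses permitted by a set of Microsoft.Cache/redis/firewallRules resources and compares the total with the ten-address limit. It treats the RFC 1918 ranges as private and excludes them from the count, which is an assumption made here based on the recommendation's wording; the sample rules are constructed, with the first mirroring the allow-on-premises example above and two hypothetical overlapping public ranges added to show a failing cache. It also shows why the example above passes despite spanning 31 addresses: every one of them lies in the private 10.0.0.0/8 range.

```python
import ipaddress

# Threshold from the rule's recommendation: more than ten permitted public IP
# addresses is reported as a failure.
MAX_PUBLIC_IPS = 10

# RFC 1918 ranges. Addresses inside them are treated as private and not counted,
# following the recommendation's wording ("public IP addresses"). This explicit
# list is an assumption of this example, not taken from the rule's source.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input in the shape of Microsoft.Cache/redis/firewallRules
# resources. The first mirrors the page's 'allow-on-premises' example; the other
# two are hypothetical public ranges that overlap, added to show a failing cache.
SAMPLE_RULES = [
    {"name": "allow-on-premises", "properties": {"startIP": "10.0.1.1", "endIP": "10.0.1.31"}},
    {"name": "allow-office", "properties": {"startIP": "203.0.113.10", "endIP": "203.0.113.14"}},
    {"name": "allow-office-2", "properties": {"startIP": "203.0.113.12", "endIP": "203.0.113.20"}},
]


def rule_networks(rule):
    """Return the CIDR blocks covering one rule's startIP..endIP range.

    A rule whose endIP precedes its startIP is malformed and raises ValueError
    rather than silently contributing zero addresses.
    """
    props = rule["properties"]
    start = ipaddress.IPv4Address(props["startIP"])
    end = ipaddress.IPv4Address(props["endIP"])
    if end < start:
        raise ValueError(f"rule {rule['name']!r}: endIP {end} precedes startIP {start}")
    return list(ipaddress.summarize_address_range(start, end))


def public_networks(networks):
    """Subtract the RFC 1918 ranges from each network, keeping only public pieces.

    Two CIDR blocks are either disjoint or one contains the other, so each private
    range is either irrelevant, swallows the block entirely, or is carved out of it.
    """
    result = []
    for net in networks:
        pieces = [net]
        for private in RFC1918:
            remaining = []
            for piece in pieces:
                if piece.subnet_of(private):
                    continue  # entirely private: drop it
                if private.subnet_of(piece):
                    remaining.extend(piece.address_exclude(private))  # carve it out
                else:
                    remaining.append(piece)  # disjoint: keep as is
            pieces = remaining
        result.extend(pieces)
    return result


def count_public_ips(rules):
    """Count distinct public IPv4 addresses permitted across all firewall rules.

    Overlapping rules are merged first so an address allowed by two rules counts
    once. Whether the PSRule check deduplicates overlaps is not stated on the page,
    so this is a choice made for the example.
    """
    networks = []
    for rule in rules:
        networks.extend(rule_networks(rule))
    merged = ipaddress.collapse_addresses(networks)
    return sum(net.num_addresses for net in public_networks(merged))


def evaluate(rules, limit=MAX_PUBLIC_IPS):
    """Apply the recommendation: pass only if at most `limit` public addresses are permitted."""
    total = count_public_ips(rules)
    return {"publicIPs": total, "limit": limit, "pass": total <= limit}


if __name__ == "__main__":
    # The page's example alone: 31 addresses, all private, so it passes.
    print(evaluate(SAMPLE_RULES[:1]))
    # All three rules: 203.0.113.10 to .20 after merging is 11 public addresses, so it fails.
    print(evaluate(SAMPLE_RULES))
```

Run the script directly to print both evaluations. The merge step matters for the fix: the two overlapping office rules still cover 11 distinct public addresses, one over the limit, so reorganising the rules does not help and the remedy is to narrow a range or drop a rule that is no longer needed. A rule spanning 0.0.0.0 to 255.255.255.255 (the effect of leaving public access open with no rules) counts every non-RFC 1918 address and fails by a wide margin.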
NOTES
This rule is not applicable when Redis is configured to allow private connectivity by setting properties.publicNetworkAccess to Disabled.
Firewall rules can be used with VNET injected caches, but not private endpoints.