Define ACL Rules for your Cache Instance
It would be great if we could further secure our Redis instance by defining the allowed IP addresses. Typically our cache is only accessed by our IIS application server; therefore there is no need for the cache to be exposed to the public internet.
There are various things you can do now. You can deploy your cache into a VNET and have NSG rules restrict the traffic to what is desired. Please make sure to look at this so that you enable access to the required ports (https://docs.microsoft.com/en-us/azure/redis-cache/cache-how-to-premium-vnet#what-are-some-common-misconfiguration-issues-with-azure-redis-cache-and-vnets).
You can also use the firewall feature to configure firewall rules to restrict access to only certain IP addresses. You might find this (https://docs.microsoft.com/en-us/azure/redis-cache/cache-configure#firewall) useful.
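The reply above describes two controls (a VNET with NSG rules, or the cache firewall with allowed IP ranges) for a cache that should only be reachable from one IIS server. As an added example that is not part of this thread and not Microsoft's code, the script below audits a cache's network posture the way a defender would before trusting it on a public endpoint: it flags the non-SSL port being enabled, a cache with neither a VNET nor any firewall rule, and firewall rules whose IP range is wider than a few hosts. The cache and rule records are constructed inline and shaped like the JSON returned by `az redis show` and `az redis firewall-rules list` (field names `enableNonSslPort`, `subnetId`, `startIP`, `endIP` are assumed here; check them against your own output), and the remediation commands it prints use the `az redis firewall-rules` flags as I know them, so verify with `az redis firewall-rules create --help` before running them.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample data (not a real cache). Field names follow what the Azure CLI
# returns for a cache resource and its firewall rules; treat the shape as an assumption.
SAMPLE_CACHE: Dict = {
    "name": "contoso-cache",          # placeholder cache name
    "resourceGroup": "contoso-rg",    # placeholder resource group
    "sku": {"name": "Standard"},
    "enableNonSslPort": True,         # port 6379 open without TLS
    "subnetId": None,                 # not deployed into a VNET
}
SAMPLE_RULES: List[Dict] = [
    # The single IIS application server that legitimately needs the cache.
    {"name": "iis-app-server", "startIP": "203.0.113.10", "endIP": "203.0.113.10"},
    # A "temporary" rule that silently re-opens the cache to the whole internet.
    {"name": "temp-allow-all", "startIP": "0.0.0.0", "endIP": "255.255.255.255"},
]


def rule_size(rule: Dict) -> int:
    """Number of IPv4 addresses a firewall rule admits (inclusive range)."""
    start = int(ipaddress.IPv4Address(rule["startIP"]))
    end = int(ipaddress.IPv4Address(rule["endIP"]))
    if end < start:
        raise ValueError(f"rule {rule['name']!r}: endIP precedes startIP")
    return end - start + 1


def audit_cache(cache: Dict, rules: List[Dict], max_hosts_per_rule: int = 256) -> List[str]:
    """Return human-readable findings; an empty list means no exposure was detected."""
    findings: List[str] = []
    if cache.get("enableNonSslPort"):
        findings.append("non-SSL port enabled: the access key and cached data cross the "
                        "network in clear text")
    in_vnet = bool(cache.get("subnetId"))
    if not in_vnet and not rules:
        findings.append("no VNET and no firewall rules: the cache accepts connections from "
                        "any internet address, so the only barrier is the access key")
    for rule in rules:
        hosts = rule_size(rule)
        if hosts > max_hosts_per_rule:
            findings.append(f"firewall rule {rule['name']!r} admits {hosts} addresses "
                            f"({rule['startIP']}-{rule['endIP']}); restrict it to the "
                            f"application servers that actually need the cache")
    return findings


def suggest_fixes(cache: Dict, rules: List[Dict], allowed_ip: Optional[str] = None,
                  max_hosts_per_rule: int = 256) -> List[str]:
    """Azure CLI commands that would close the findings (flags assumed; verify with --help)."""
    name, group = cache["name"], cache["resourceGroup"]
    cmds: List[str] = []
    if cache.get("enableNonSslPort"):
        cmds.append(f"az redis update --name {name} --resource-group {group} "
                    f"--set enableNonSslPort=false")
    for rule in rules:
        if rule_size(rule) > max_hosts_per_rule:
            cmds.append(f"az redis firewall-rules delete --name {name} "
                        f"--resource-group {group} --rule-name {rule['name']}")
    if allowed_ip and not any(rule_size(r) <= max_hosts_per_rule for r in rules):
        cmds.append(f"az redis firewall-rules create --name {name} --resource-group {group} "
                    f"--rule-name app-server --start-ip {allowed_ip} --end-ip {allowed_ip}")
    return cmds


if __name__ == "__main__":
    for line in audit_cache(SAMPLE_CACHE, SAMPLE_RULES):
        print("FINDING:", line)
    for cmd in suggest_fixes(SAMPLE_CACHE, SAMPLE_RULES, allowed_ip="203.0.113.10"):
        print("FIX:    ", cmd)
```

With the constructed input the audit reports two findings: the non-SSL port and the `temp-allow-all` rule spanning every IPv4 address; the single-host rule for the IIS server passes. Running the same audit against real `az redis` output is a cheap way to catch a firewall rule that was widened "temporarily" and never narrowed again.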
Geoffrey Jones commented
The VNET feature is great, but it is a shame that it is only available at the premium level.
The minimum premium size of P1 would cost us $570 (Australian) per month. To be competitive with running Redis on an IaaS VM (which already has Network Security Groups or Endpoint ACLs for no extra cost) we would need to get the monthly cost under $100 (Australian).
Otherwise, we will continue to self-host Redis rather than use your PaaS offering.
Indeed, especially since we're having extreme performance issues when using SSL, we have no option but to use Redis Cache without SSL. I can't think this actually follows all the various security standards Microsoft is awarded. Don't get me wrong, it's great that all the OTHER stuff is secure enough and holds high regard in various industries; this simply doesn't cut it.
It's a no-go security-wise, and our only option is to run Redis instances as VMs, which feels like going back to square one or -1 compared to AWS.
Will Mallouk commented
I totally agree. The first thing I looked for was the ACL and I couldn't find it.
I think that this is a CRITICALLY important security feature. Actually, it is not possible to restrict access by IP, and this security breach can allow a DoS attack or a high brute force attack on the secret password, and there is no way to fight against this.