---
title: Firewall rule allows too many hosts to access Redis Cache
description: Datadog, the leading service for cloud-scale monitoring.
---

# Firewall rule allows too many hosts to access Redis Cache

## Metadata{% #metadata %}

**Id:** `ansible-azure-firewall-rule-allows-too-many-hosts-to-access-redis-cache` 

**Provider:** Azure

**Platform:** Ansible

**Severity:** Medium

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html)

### Description{% #description %}

Redis Cache firewall rules should restrict the IP address range to minimize attack surface and prevent broad network access that could allow unauthorized access or lateral movement.

In Ansible, tasks using `azure.azcollection.azure_rm_rediscachefirewallrule` or `azure_rm_rediscachefirewallrule` must set `start_ip_address` and `end_ip_address` so the numeric range covers at most 255 hosts. Any rule where the computed range (`abs(end - start)`) is greater than 255 is flagged.

Resources missing these properties or defining overly large ranges should be tightened to a single IP or a narrow range. Alternatively, replace them with network-level controls such as private endpoints or service endpoints to limit access.

Secure example with a small allowed range:

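```yaml
- name: Allow small Redis access range
  azure.azcollection.azure_rm_rediscachefirewallrule:
    resource_group: my-rg
    # cache_name identifies the Redis instance; name is the firewall rule's own name
    cache_name: my-redis
    name: allow_small_range
    start_ip_address: 10.0.0.10
    end_ip_address: 10.0.0.20
```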
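
The range check described above, as an added Python example that is not Datadog's rule implementation: it applies `abs(end - start) > 255` to task dictionaries shaped like parsed playbook YAML. The function names, the status labels, and the separate reporting of missing or malformed addresses are assumptions of this example; the sample tasks are constructed from this page's examples plus boundary cases.

```python
import ipaddress

# Both module names the rule description lists.
MODULES = ("azure.azcollection.azure_rm_rediscachefirewallrule",
           "azure_rm_rediscachefirewallrule")
MAX_RANGE = 255  # threshold stated in the description

def check_task(task):
    """Return (status, detail) for a Redis firewall rule task, else None."""
    params = next((task[m] for m in MODULES if isinstance(task.get(m), dict)), None)
    if params is None:
        return None
    start, end = params.get("start_ip_address"), params.get("end_ip_address")
    if start is None or end is None:
        # Assumption of this example: a missing bound is reported separately.
        return ("missing", "start_ip_address or end_ip_address not set")
    try:
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    except ipaddress.AddressValueError as exc:
        return ("invalid", str(exc))
    span = abs(int(hi) - int(lo))  # abs(end - start), so reversed bounds count too
    if span > MAX_RANGE:
        return ("too_wide", f"{start}..{end}: range {span} > {MAX_RANGE}")
    return ("ok", f"{start}..{end}: range {span}")

def audit(tasks):
    """Map task name -> (status, detail) for every Redis firewall rule task."""
    checked = ((t.get("name", "<unnamed>"), check_task(t)) for t in tasks)
    return {name: verdict for name, verdict in checked if verdict is not None}

# Constructed sample, built by _rule in the shape parsed playbook YAML would have.
def _rule(name, start=None, end=None, module=MODULES[1]):
    params = {"resource_group": "myResourceGroup", "cache_name": "myRedisCache", "name": "myRule"}
    params.update({k: v for k, v in (("start_ip_address", start), ("end_ip_address", end)) if v})
    return {"name": name, module: params}

SAMPLE_TASKS = [
    _rule("reduced_hosts", "192.168.1.1", "192.168.1.4"),
    _rule("too_many_hosts", "192.168.1.1", "192.169.1.4"),
    _rule("boundary_255", "10.0.0.0", "10.0.0.255", module=MODULES[0]),
    _rule("boundary_256", "10.0.0.0", "10.0.1.0"),
    _rule("reversed_bounds", "10.1.0.0", "10.0.0.0"),
    _rule("no_bounds"),
    {"name": "unrelated", "ansible.builtin.debug": {"msg": "not a firewall rule"}},
]

if __name__ == "__main__":
    for name, (status, detail) in audit(SAMPLE_TASKS).items():
        print(f"{name}: {status} ({detail})")
```
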

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: reduced_hosts
  azure_rm_rediscachefirewallrule:
    resource_group: myResourceGroup
    cache_name: myRedisCache
    name: myRule
    start_ip_address: 192.168.1.1
    end_ip_address: 192.168.1.4
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: too_many_hosts
  azure_rm_rediscachefirewallrule:
    resource_group: myResourceGroup
    cache_name: myRedisCache
    name: myRule
    # The bounds differ in the second octet: a range of 65539, far above 255
    start_ip_address: 192.168.1.1
    end_ip_address: 192.169.1.4
```
