Score:0

CosmosDB with private endpoint causes 'request originated from VNET through service endpoint' error?


I have a Node.js app which interacts with Cosmos DB and which is deployed to a private AKS cluster. I was able to connect to Cosmos DB through a service endpoint in the cluster VNET/subnet for Cosmos DB by enabling 'selected networks' in Cosmos DB.

I am now trying to close it to private access only via private endpoints.

I disabled public access, so there is no 'selected networks' any more.

I created a private endpoint and private link to Cosmos DB and integrated it with a Private DNS Zone that is in the same resource group as the Cluster VNET and uses one of the VNET subnets.

When I do nslookup in the cluster from a test pod, I can see that the cosmosname.documents.azure.com URI has canonical name = cosmosname.privatelink.documents.azure.com. The address, however, is a different IP address than the ones in the DNS zone records.

When I try to run the app, I get the error:

Request originated from VNET through service endpoint. This is blocked by your Cosmos DB account firewall settings. What can I do to fix this?

Is the IP you are getting back when you do nslookup a public, or private IP?
mangohost
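The comment above asks the right diagnostic question: whether the address the pod gets back for the Cosmos DB hostname is the private endpoint's IP or a public one. Below is an added example (not part of the original question or of any Azure tooling) that parses nslookup output captured from a test pod and classifies the result. The two nslookup outputs, the hostname cosmosname.documents.azure.com and the private endpoint subnet 10.240.0.0/16 are constructed for the example; substitute the subnet that actually hosts your private endpoint NIC.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: CNAME to the privatelink zone is present, but the
# address returned is public, which is what a resolver that is not consulting
# the Private DNS zone typically returns.
SAMPLE_NSLOOKUP_PUBLIC = """\
Server:         10.0.0.10
Address:        10.0.0.10#53

Non-authoritative answer:
cosmosname.documents.azure.com  canonical name = cosmosname.privatelink.documents.azure.com.
Name:   cosmosname.privatelink.documents.azure.com
Address: 20.50.60.70
"""

# Constructed sample: the same lookup answered with the private endpoint IP.
SAMPLE_NSLOOKUP_PRIVATE = """\
Server:         10.0.0.10
Address:        10.0.0.10#53

Non-authoritative answer:
cosmosname.documents.azure.com  canonical name = cosmosname.privatelink.documents.azure.com.
Name:   cosmosname.privatelink.documents.azure.com
Address: 10.240.0.25
"""


@dataclass
class LookupResult:
    cname: Optional[str]      # canonical name reported by nslookup, trailing dot stripped
    addresses: List[str]      # answer addresses (the resolver's own "Address: x#53" line is skipped)


def parse_nslookup(output: str) -> LookupResult:
    """Extract the CNAME and the answer addresses from nslookup's text output."""
    cname = None
    addresses: List[str] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = re.search(r"canonical name = (\S+)", line)
        if m:
            cname = m.group(1).rstrip(".")
            continue
        # Only bare addresses match; "10.0.0.10#53" (the server line) does not.
        m = re.match(r"^Address(?:es)?:\s*([0-9a-fA-F.:]+)$", line)
        if m:
            addresses.append(m.group(1))
    return LookupResult(cname, addresses)


def diagnose(output: str, private_endpoint_subnet: str) -> str:
    """Classify a lookup as resolving to the private endpoint, to a public IP,
    or to something unexpected. private_endpoint_subnet is the CIDR of the
    subnet in which the private endpoint NIC was created (assumed input)."""
    result = parse_nslookup(output)
    subnet = ipaddress.ip_network(private_endpoint_subnet)
    if result.cname is None or ".privatelink." not in result.cname:
        return "no-privatelink-cname"
    if not result.addresses:
        return "no-address"
    for addr in result.addresses:
        if ipaddress.ip_address(addr) in subnet:
            return "private-endpoint"
    if all(ipaddress.ip_address(a).is_global for a in result.addresses):
        return "public-address"
    return "unexpected-private-address"


if __name__ == "__main__":
    for label, sample in (("public", SAMPLE_NSLOOKUP_PUBLIC),
                          ("private", SAMPLE_NSLOOKUP_PRIVATE)):
        print(label, "->", diagnose(sample, "10.240.0.0/16"))
```

A verdict of "public-address" with the privatelink CNAME present matches the symptom described in the question: the public DNS chain is being followed, so traffic leaves through the service endpoint path rather than the private endpoint, and the account firewall rejects it. A verdict of "unexpected-private-address" means a private IP came back that is not in the subnet you expected, which is worth comparing against the A records in the Private DNS zone before changing anything else.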

