
I have a Node.js app which interacts with Cosmos DB and which is deployed to a private AKS cluster. I was able to connect to Cosmos DB through a service endpoint in the cluster VNET/subnet for Cosmos DB by enabling 'selected networks' in Cosmos DB.

I am now trying to close it to private access only via private endpoints.

I disabled public access / so no 'selected networks' any more.

I created a private endpoint and private link to Cosmos DB and integrated it with a Private DNS Zone that is in the same resource group as the Cluster VNET and uses one of the VNET subnets.

When I do nslookup in the cluster from a test pod I can see that the cosmosname.documents.azure.com URI has canonical name = cosmosname.privatelink.documents.azure.com. The address however is a different IP address than the ones in the DNS zone records.

When I try to run the app, I get the error:

Request originated from VNET through service endpoint. This is blocked by your Cosmos DB account firewall settings. 

What can I do to fix this?

David Makogon
floaty39
  • This seems more appropriate for [sf], as it's infrastructure and not programming – David Makogon May 23 '23 at 22:16
  • It's a very similar question to this one which never had a suitable answer: https://stackoverflow.com/questions/71639169/request-originated-from-vnet-through-service-endpoint-this-is-blocked-by-your-c But I have also now made a second post on Server Fault. – floaty39 May 24 '23 at 06:41
  • Did you link the private DNS zone to your vnet? – NotFound May 24 '23 at 10:55
  • @NotFound Yes, I created a link between the Private DNS Zone and the Cluster VNET and Subnet. – floaty39 May 24 '23 at 13:57
  • And the exact name of the private DNS zone is `privatelink.documents.azure.com` with the record being named `cosmosname` (I assume a placeholder, but your cosmos db name). – NotFound May 24 '23 at 14:46
  • Yes that's the name of the private DNS zone @NotFound – floaty39 May 24 '23 at 19:43

1 Answer


I solved this problem: there was a separate DNS Zone subscription that the records needed to be created in. There was a policy preventing the DNS Zones in the cluster subscription from being used.

floaty39
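The symptom in the question (CNAME to the `privatelink` name is present, but the final A record is not the private endpoint's address) is exactly what you see when the private DNS zone is not the one the VNET actually resolves against, so the `privatelink` name falls through to public DNS. The script below is an added diagnostic example, not code from the question or the answer: it classifies a `dig`-style answer section as seen from a test pod into "private-endpoint", "public-ip", "wrong-private-ip" (a stale record in the zone), "no-privatelink-cname" or "no-a-record". The account name `cosmosname`, the private endpoint address `10.240.0.7`, the public address `203.0.113.25` and the sample answers are constructed placeholders, not values from the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original question or answer): classify what a
# cluster pod's DNS answer for a Cosmos DB account actually points at.
# Assumed placeholders: account "cosmosname", private endpoint NIC 10.240.0.7.

# Return 0 when a dotted-quad IP is in an RFC 1918 range (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
  ip=$1
  a=${ip%%.*}; rest=${ip#*.}; b=${rest%%.*}
  [ "$a" = 10 ] && return 0
  [ "$a" = 192 ] && [ "$b" = 168 ] && return 0
  [ "$a" = 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
  return 1
}

# Classify a dig answer section (one RR per line: "name ttl IN TYPE rdata").
# Arguments: expected private endpoint IP, answer text. Prints one class name:
#   private-endpoint     - CNAME via privatelink and A record == expected IP
#   wrong-private-ip     - CNAME via privatelink, A record private but not expected (stale zone record)
#   public-ip            - CNAME via privatelink, A record public (zone not linked / records elsewhere)
#   no-privatelink-cname - account name never CNAMEs to *.privatelink.documents.azure.com
#   no-a-record          - chain ends without an address
classify_answer() {
  expected_ip=$1
  answer=$2
  cname_ok=0
  a_ip=""
  while read -r name ttl class type rdata; do
    [ -z "$name" ] && continue
    case "$type" in
      CNAME) case "$rdata" in *.privatelink.documents.azure.com.) cname_ok=1 ;; esac ;;
      A) a_ip=$rdata ;;
    esac
  done <<EOF
$answer
EOF
  if [ "$cname_ok" -eq 0 ]; then echo no-privatelink-cname; return 0; fi
  if [ -z "$a_ip" ]; then echo no-a-record; return 0; fi
  if [ "$a_ip" = "$expected_ip" ]; then echo private-endpoint; return 0; fi
  if is_rfc1918 "$a_ip"; then echo wrong-private-ip; else echo public-ip; fi
  return 0
}

# Live check from inside a pod that has dig (e.g. a dnsutils image); skipped if dig is absent.
# Returns non-zero unless the account name resolves to the expected private endpoint IP.
check_live() {
  fqdn=$1; expected_ip=$2
  if ! command -v dig >/dev/null 2>&1; then
    echo "dig not available, skipping live check"; return 0
  fi
  result=$(classify_answer "$expected_ip" "$(dig +noall +answer "$fqdn")")
  echo "$fqdn -> $result"
  [ "$result" = private-endpoint ]
}

# Constructed answer as seen when the private DNS zone is linked to the VNET and populated.
GOOD_ANSWER='cosmosname.documents.azure.com. 60 IN CNAME cosmosname.privatelink.documents.azure.com.
cosmosname.privatelink.documents.azure.com. 10 IN A 10.240.0.7'

# Constructed answer for the symptom in the question: the CNAME is right, but the
# privatelink name is answered by public DNS and ends at a public address.
BAD_ANSWER='cosmosname.documents.azure.com. 60 IN CNAME cosmosname.privatelink.documents.azure.com.
cosmosname.privatelink.documents.azure.com. 300 IN CNAME cosmosname-example.documents.azure.com.
cosmosname-example.documents.azure.com. 300 IN A 203.0.113.25'

echo "good sample: $(classify_answer 10.240.0.7 "$GOOD_ANSWER")"
echo "bad sample:  $(classify_answer 10.240.0.7 "$BAD_ANSWER")"
```

Run `check_live cosmosname.documents.azure.com 10.240.0.7` from a test pod, taking the expected address from the private endpoint resource (for example `az network private-endpoint show -g <rg> -n <pe-name> --query 'customDnsConfigs[].ipAddresses'`). A "public-ip" result with the CNAME present means the zone the VNET is linked to does not contain the record, which is the case the answer describes: the records had to live in a zone in a different subscription, and the zone in the cluster subscription was blocked by policy. A "wrong-private-ip" result points at a stale A record in the zone rather than a missing link.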