
I have a Node.js application deployed in Azure as a Container App. The app tries to connect to Cosmos DB through a private link. The private link has this format:

testcosmosdb.privatelink.mongo.cosmos.azure.com

The connection string is sent as environment variable to the containerApp.

If I do a lookup of the private endpoint like

nslookup testcosmosdb.privatelink.mongo.cosmos.azure.com

I get a proper response:

Server:     192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
testcosmosdb.privatelink.mongo.cosmos.azure.com canonical name = ccd-ns-prod-westeurope1-fe1.westeurope.cloudapp.azure.com.
Name:   ccd-ns-prod-westeurope1-fe1.westeurope.cloudapp.azure.com
Address: 20.62.94.0

The connection string is in this format:

MONGODB_CONNECTION="mongodb://testcosmosdb:xR7xqQPOeMegN2LuXPVt5IUwb9HsGEyC0mkASzNwlmb6PEwehRkZCNpfrCxHHErqyP7lCXjxjWwACDbftND3w==@testcosmosdb.privatelink.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retrywrites=false&maxIdleTimeMS=120000&appName=@testcosmosdb@"

The app makes a GET request to the database to get a collection. The response is the error below:

'testcosmosdb.privatelink.mongo.cosmos.azure.com:10255' => [ServerDescription]
    2023-07-11T14:00:08.069109163Z     },
    2023-07-11T14:00:08.069112216Z     stale: false,
    2023-07-11T14:00:08.069115209Z     compatible: true,
    2023-07-11T14:00:08.069118394Z     heartbeatFrequencyMS: 10000,
    2023-07-11T14:00:08.069121555Z     localThresholdMS: 15,
    2023-07-11T14:00:08.069124931Z     setName: 'globaldb',
    2023-07-11T14:00:08.069128236Z     maxElectionId: null,
    2023-07-11T14:00:08.069131453Z     maxSetVersion: null,
    2023-07-11T14:00:08.069134406Z     commonWireVersion: 0,
    2023-07-11T14:00:08.069137807Z     logicalSessionTimeoutMinutes: null
    2023-07-11T14:00:08.069140916Z   },
    2023-07-11T14:00:08.069143973Z   code: undefined,
    2023-07-11T14:00:08.069147047Z   [Symbol(errorLabels)]: Set(0) {}
    2023-07-11T14:00:08.069150861Z } [
    2023-07-11T14:00:08.069154135Z   "MongoServerSelectionError: Hostname/IP does not match certificate's altnames: Host: testcosmosdb.privatelink.mongo.cosmos.azure.com. is not in the cert's altnames: DNS:*.gremlin.cosmosdb.azure.com, DNS:*.cassandra.cosmosdb.azure.com, DNS:*.table.cosmosdb.azure.com, DNS:*.sql.cosmosdb.azure.com, DNS:*.etcd.cosmosdb.azure.com, DNS:*.gremlin.cosmos.azure.com, DNS:*.mongo.cosmos.azure.com, DNS:*.cassandra.cosmos.azure.com, DNS:*.table.cosmos.azure.com, DNS:*.sql.cosmos.azure.com, DNS:*.etcd.cosmos.azure.com, DNS:*.documents.azure.com",
    2023-07-11T14:00:08.069157771Z   '    at Timeout._onTimeout (/app/node_modules/mongodb/lib/sdam/topology.js:277:38)',
    2023-07-11T14:00:08.069161389Z   '    at listOnTimeout (node:internal/timers:559:17)',
    2023-07-11T14:00:08.069164941Z   '    at processTimers (node:internal/timers:502:7)'
    2023-07-11T14:00:08.069168492Z ]

Can anyone help here? Thanks

  • Refer to this MS doc for the Azure MongoDB [connection](https://learn.microsoft.com/en-us/azure/cosmos-db/mongodb/how-to-javascript-get-started?tabs=azure-cli%2Cwindows) and this one for the [IP address](https://stackoverflow.com/questions/76583406/python-psycopg2-not-able-to-connect-to-postgres-server-psycopg2-operationalerro/76593045#76593045) – Sampath Jul 12 '23 at 08:11
  • With this code I was able to connect:

    ```js
    const mongoose = require('mongoose');
    const username = '';
    const password = '';
    const hostname = '';
    const port = 10255;
    const dbName = '';
    const mongoURI = ``;
    const Schema = mongoose.Schema;
    const userSchema = new Schema({ name: String, email: String, });
    mongoose.connect(mongoURI, { useNewUrlParser: true, useUnifiedTopology: true, })
      .then(() => { console.log('Connected to Azure Cosmos DB'); })
      .catch((err) => { console.error('Error connecting to Azure Cosmos DB:', err); });
    ```
    – Sampath Jul 12 '23 at 08:14

1 Answer


You must access the Cosmos DB by its public FQDN (testcosmosdb.privatelink.mongo.cosmos.azure.com) and it will be automatically translated by the Azure DNS provider (if correctly configured) to testcosmosdb.privatelink.mongo.cosmos.azure.com. This way your application will know the private IP of the private endpoint and connect to it directly.

You are trying to connect to the FQDN of the private endpoint and it returns an error because its hostname does not match the certificate bound to the Cosmos DB.

Make sure you also have a private DNS zone named privatelink.mongo.cosmos.azure.com associated with the private endpoint, with a DNS record pointing to the private endpoint IP, so that it can be resolved properly (it seems to be returning the public IP rather than the private one).

Having all these requirements met, check it again using the public FQDN to make sure it is retrieving the private address, and then it may work.