Azure Private Link access to a CosmosDB for MongoDB database from a peered VNET


I am trying to configure an Azure Private Link access to a CosmosDB for MongoDB database from a different peered network but this is not working for me. I have the exact same configuration for a SQL Server database and this works fine.

I configure the Private Endpoint for my CosmosDB database located in vnet1 with a private DNS zone exactly as instructed by this link https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints?tabs=arm-bicep

In vnet2 I configured the peering to vnet1 and checked all the possible options, including Gateway Transit. I linked the Private DNS zone to this vnet2 too.

With this configuration I cannot connect to the CosmosDB from a VM located in vnet2. If I telnet to my CosmosDB private IP it works fine, but using the Mongo Shell I get a "Request blocked by network firewall" error, either by using the CosmosDB name or its IP.

If I configure the CosmosDB public access to allow vnet2 the connection works, but I understand that this way I am not using the Private Link as I want.

After solving this problem, I also want to allow Point-to-Site VPN clients to access this CosmosDB. These VPN clients are connecting to a Point-to-Site VPN configured in a Virtual Network Gateway in vnet2. This is working fine for me when I try to connect to SQL Server, but for CosmosDB it is not. My SQL Server has public access disabled, so I believe it is really using its Private Link.

Does anyone have any idea of what might be happening here? Is this configuration possible?

I tried to connect to my CosmosDB database by using the Mongo Shell from a VM in vnet2 with public access disabled, and this does not work: the "Request blocked by network firewall" error happens.

If I enable public access allowing just vnet2 it works fine, but this is not what I want. I would like to use the Private Link, and I think that by allowing any public access I am not achieving that.

I also tried to connect to CosmosDB from a client connected to the Point-to-Site VPN. From this client I cannot connect even with public access enabled for vnet2. It works only if I allow my specific public address, which is something that I would like to avoid. These VPN clients are actually my development workstations, and I would really like them to be able to connect to this CosmosDB without having to always allow each specific IP.

Marcelo Noga

Problem solved. In the end it was just a DNS issue.

I have a Windows Server in my vnet2 (the VPN vnet) where I configured the DNS service to resolve the names for my VPN clients. This DNS service was configured with Conditional Forwarders to forward the requests for specific domains to another DNS server in vnet1, with a default forwarder to the Azure DNS. I remember that I saw this configuration somewhere on the Internet and it was working initially.

But I found another way to make this configuration that is easier and works perfectly:

  • I deleted all the conditional forwarders and configured the Azure DNS as the default forwarder in the Windows DNS in vnet2.
  • I also linked my private DNS zones to the vnet2, they were previously only linked to my vnet1.

This is much easier and solved my problem.
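The fix above is a DNS fix: the Cosmos DB hostname must resolve, from the client's point of view, to the private endpoint address inside the VNet rather than to the service's public address, which is where a request ends up if the privatelink zone is not linked to the VNet the resolver lives in. The following script is an added example (not code from the question or the answer) that checks exactly that from a VM or a VPN client: it builds the MongoDB API hostnames for an account, resolves them with the OS resolver that the Mongo Shell would use, and reports whether each answer lands inside the VNet address space. The account name `demo`, the region, the address space `10.1.0.0/16` and the fake answers in the `__main__` block are constructed placeholders; the zone name `privatelink.mongo.cosmos.azure.com` and the Azure-provided resolver address `168.63.129.16` are the standard Azure values.

```python
"""Check whether Cosmos DB (MongoDB API) hostnames resolve to the private endpoint.

Added example, not part of the original thread. Account name, region, VNet
address space and the sample answers below are constructed placeholders.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Private DNS zone that Azure uses for Cosmos DB MongoDB API private endpoints.
PRIVATE_LINK_ZONE = "privatelink.mongo.cosmos.azure.com"
# Azure-provided recursive resolver; the answer above forwards to it by default.
AZURE_DNS = "168.63.129.16"

# What each verdict means for the DNS setup described in the answer.
REMEDY = {
    "private-endpoint": "OK: name resolves to the private endpoint inside the VNet.",
    "public": f"Resolves to a public address: link {PRIVATE_LINK_ZONE} to this VNet "
              f"and make sure the client's DNS server forwards to {AZURE_DNS}.",
    "private-but-outside-vnet": "Resolves to a private address that is not in the "
                                "expected VNet; check which zone/forwarder answered.",
    "NXDOMAIN": "Name does not resolve at all; check the client's DNS server.",
}


def cosmos_mongo_hostnames(account: str, regions: Iterable[str] = ()) -> List[str]:
    """Global and per-region hostnames a MongoDB connection string may contain."""
    names = [f"{account}.mongo.cosmos.azure.com"]
    names += [f"{account}-{region}.mongo.cosmos.azure.com" for region in regions]
    return names


def resolve_a(name: str) -> List[str]:
    """Resolve with the OS resolver, i.e. what the Mongo Shell on this box sees."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(name: str, addrs: List[str], vnet_space: str) -> str:
    """Decide whether the resolved addresses point at the private endpoint."""
    net = ipaddress.ip_network(vnet_space)
    if not addrs:
        return "NXDOMAIN"
    if all(ipaddress.ip_address(a) in net for a in addrs):
        return "private-endpoint"
    if any(ipaddress.ip_address(a).is_private for a in addrs):
        return "private-but-outside-vnet"
    return "public"


def check_private_link(account: str, vnet_space: str, regions: Iterable[str] = (),
                       resolver: Callable[[str], List[str]] = resolve_a) -> Dict[str, str]:
    """Map every Cosmos DB hostname of the account to a verdict from classify()."""
    return {name: classify(name, resolver(name), vnet_space)
            for name in cosmos_mongo_hostnames(account, regions)}


if __name__ == "__main__":
    # Constructed answers: the global name already resolves privately, the
    # regional name still resolves to a public address (zone not linked yet).
    fake_answers = {
        "demo.mongo.cosmos.azure.com": ["10.1.2.4"],
        "demo-westeurope.mongo.cosmos.azure.com": ["40.1.2.3"],
    }
    verdicts = check_private_link("demo", "10.1.0.0/16", ["westeurope"],
                                  resolver=lambda n: fake_answers.get(n, []))
    for host, verdict in verdicts.items():
        print(f"{host}: {verdict} -> {REMEDY[verdict]}")
    # Against a real account, drop the resolver argument to use the OS resolver.
```

Run it on the VM in vnet2 and on a VPN client; a `public` verdict on either means the client's DNS path never consulted the linked privatelink zone, which is the situation the answer fixes by linking the zone to vnet2 and forwarding the Windows DNS server to Azure DNS.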