Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,132 questions
How to configure VNET to protect cosmos DB but allow access from public Azure App Service Web App using bicep
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 23%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
Siegfried Heintze
1,861
Reputation points
My bicep script creates a cosmos db and azure app service web app that accesses the cosmos db.
The web app must be available to the public internet but the cosmos db should only be available to the specified IPs of a few developers and the web app.
Can someone point me to a tutorial on how enhance my bicep script to protect my cosmos db with a VNET?
Thanks
Siegfried
2022 Apr 26 Update:
I think I found the solution here: stack overflow and I tried (and failed) to implement it here: deploy.bicep
Line 313 looked like this:
virtualNetworkSubnetId: '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().id}/providers/Microsoft.Network/virtualNetworks/${virtualNetworkName_resource.name}/subnets/${virtualNetworkName_resource.properties.subnets[0].name}'
I got this error:
ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{
\"Code\": \"BadRequest\",
\"Message\": \"The parameter SubnetResourceUri has an invalid value.\",
\"Target\": null,
\"Details\": [
{
\"Message\": \"The parameter SubnetResourceUri has an invalid value.\"
},
{
\"Code\": \"BadRequest\"
},
{
\"ErrorEntity\": {
\"ExtendedCode\": \"51008\",
\"MessageTemplate\": \"The parameter {0} has an invalid value.\",
\"Parameters\": [
\"SubnetResourceUri\"
],
\"Code\": \"BadRequest\",
\"Message\": \"The parameter SubnetResourceUri has an invalid value.\"
}
}
],
\"Innererror\": null
I have since changed the last part to .../subnets/${subnetname} (as in the link) but that did not help (similar error message).
** 2022 May 5 Thu Update:**
I have created azure support incident to further pursue this problem.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 97%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Anurag Sharma 17,566 Reputation points2022-04-18T08:21:38.637+00:00 Hi @Siegfried Heintze , welcome to Microsoft Q&A forum.
It seems you want to use bicep template to create Azure Cosmos DB with Virtual Network enabled through private end points.
PFA the required script:
Please let us know if the requirement is different and we can work to enhance the template accordingly.
-
Siegfried Heintze 1,861 Reputation points
2022-04-21T18:22:31.127+00:00 Thanks... I ran your script and now I see some new fancy end point icons and I don't know what to do with them...
I see a private end point and a regular network network interface...
After looking at how-to-configure-private-endpoints I'm guessing I need powershell or azure cli to translate them... Can this translation be part of an automated deployment with Github? Maybe with bicep instead of powershell?
Perhaps there is another bicep step to translate them and then store the end point in an appConfig or KeyVault so my C# code can fetch them and use the CosmosClient to connect? Is there an example of this somewhere?
-
Siegfried Heintze 1,861 Reputation points
2022-04-25T23:30:49.047+00:00 Please see my deploy.bicep that I have enhanced... Previously (without VNETs) I could deploy to azure and write to the cosmos database successfully with RBAC protection... Now I cannot... Please help me understand what I need to modify so my azure resident web app can write to the cosmos database again. Perhaps I need to include the webapp in the VNET?
Here is the error message I get:
Response status code does not indicate success: Forbidden (403); Substatus: 0; ActivityId: 36b85649-d9e4-493f-9755-8aef38a9db47; Reason: (Request originated from IP 20.69.64.79 through public internet. This is blocked by your Cosmos DB account firewall settings. More info: https://aka.ms/cosmosdb-tsg-forbidden ActivityId: 36b85649-d9e4-493f-9755-8aef38a9db47, Microsoft.Azure.Documents.Common/2.14.0, Linux/10 cosmos-netstandard-sdk/3.24.1);
After we get this VNET working, will it be possible to my webapp locally on my development laptop and still access the cosmos db?
Sign in to comment