Hi,
Can I connect to Cosmos DB via a VPN Gateway without adding my public IP to the firewall?
I'm working from home (laptop) and connect to Cosmos DB and SQL Server instances during development. I connect using the public IP. The drawback is that I currently don't have a fixed IP, so I need to update the firewall almost every day (Cosmos DB takes some time to update).
I hoped that a VPN connection to an Azure virtual network would solve the problem and also improve security as I could shut down public access. So I created a VPN Gateway and a Virtual Network (vnet), but I can't get it working because it still uses the public IP from the laptop, and the request is denied.
MongoServerError: Error=13, Details='Request originated from IP xx.xx.xx.xx through public internet. This is blocked by your Cosmos DB account firewall settings. More info: https://aka.ms/cosmosdb-tsg-forbidden
Here is my setup:
The Cosmos DB and SQL Server databases are connected to the vnet (let's call it vnetX) using a private endpoint. I also have a VM on a different vnet (vnetY). I peered vnetX with vnetY and I can connect with ssh to the VM using the private IP, so I know the gateway and vnet work. When I run echo $SSH_CLIENT while connected to the VM, I get the private IP the laptop is assigned from the VPN Gateway. I've mapped the addresses of the databases to their private IPs in my hosts file.
Laptop -> VPN Gateway -> vnetX
Cosmos DB -> Private endpoint -> vnetX
SQL server -> Private endpoint -> vnetX
VM -> vnetY -> vnetX
I connect from a Pop_OS! laptop using the built-in OpenVPN client. I would like to be able to use mongosh and sqlcmd to connect to the databases.
Adding my public IP to the firewall kind of defeats the purpose of the VPN. So is there a way to connect to Cosmos DB and SQL server using VPN, without adding my public IP to the firewall?
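The error quoted above says the request arrived at the public endpoint, so the first thing to verify is which address each hostname the client actually uses resolves to while the VPN is up. The script below is an added diagnostic, not part of the question; it assumes that every name mongosh and sqlcmd contact must resolve to an RFC 1918 address belonging to a private endpoint, and that Cosmos DB's MongoDB API may also hand the driver regional hostnames (e.g. <account>-<region>.mongo.cosmos.azure.com) that need the same private resolution; the hostnames are placeholders to replace with your own.

```bash
#!/usr/bin/env bash
# Added diagnostic (not from the original post). Assumption: with the VPN up, every
# hostname the client touches must resolve to a private-endpoint (RFC 1918) address;
# a name resolving to a public address will reach the public endpoint and be refused
# by the account firewall, which is the error shown in the question.
# Usage: bash check_private_resolution.sh <account>.mongo.cosmos.azure.com \
#            <account>-<region>.mongo.cosmos.azure.com <server>.database.windows.net

# Return 0 if the IPv4 address is in one of the RFC 1918 ranges.
is_private_ip() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 only if every address in a whitespace-separated list is private;
# print each public address found.
all_private() {
  ip=""; rc=0
  for ip in $1; do
    is_private_ip "$ip" || { echo "public: $ip"; rc=1; }
  done
  return $rc
}

# Resolve a hostname the way the OS (and therefore mongosh/sqlcmd) will:
# /etc/hosts entries first, then DNS. Prints unique IPv4 addresses on one line.
resolve_host() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u | tr '\n' ' '
}

# Check each hostname; return 0 only if all resolve to private addresses.
check_hosts() {
  host=""; ips=""; rc=0
  for host in "$@"; do
    ips=$(resolve_host "$host")
    if [ -z "$ips" ]; then echo "UNRESOLVED $host"; rc=1; continue; fi
    if all_private "$ips" >/dev/null; then echo "OK       $host -> $ips"
    else echo "PUBLIC   $host -> $ips"; rc=1; fi
  done
  return $rc
}

# Only run the checks when hostnames were passed on the command line.
[ "$#" -gt 0 ] && check_hosts "$@"
```

A PUBLIC line means that name is not covered by your hosts file or by a private DNS zone reachable over the VPN, which is exactly the case the firewall then rejects.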