connectivity to Cosmos DB account using an access key and a private endpoint from an on-premises hosted service not working.

Parveen Lily 0 Reputation points

We currently have an issue we are facing with our Azure Cosmos DB configuration, specifically connectivity to the Cosmos DB account through a private endpoint from an on-premises service that is hosted on a VM. Despite confirming successful network connectivity and IP resolution using telnet and nslookup, we encountered a barrier when the service tried to connect to the DB using an access key. We were able to get the connect to work, however we had to update the Cosmos DB account to allow the IP of the VM. 


Here is a high-level overview of our current infrastructure configuration:


  • Our Cosmos DB account is configured to disallow public access, and a private endpoint has been enabled.
  • A peering connection has been established between the VNET containing the Private Endpoint and the Hub VNET. The Hub VNET has a connection to On-Premis set up.
  • Our connection to the Cosmos DB is secured using an access key.
  • We verified that we can telnet from the On-Premises VM's to the Private Endpoint IP on port 443
  • We also verified that the URL for the DB is resolving to the Private Endpoint IP.

Here are a few questions I have: 

  • Do we have to allow this IP in the Cosmos DB networking rules, or would it be possible to have just the private endpoint set up?
  • Is there an issue with the connection since we're trying to use an access key? 

Please let me know if you have any questions and I look forward to your response. 

Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
460 questions
Azure Cosmos DB
Azure Cosmos DB
An Azure NoSQL database service for app development.
1,439 questions
{count} votes

1 answer

Sort by: Most helpful
  1. ShaktiSingh-MSFT 13,271 Reputation points Microsoft Employee

    Parveen Lily

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

    Solution adopted was to get the DNS issues checked and solved.


    0 comments No comments