How to set up a private link between Container Instance and MongoDB database in Cosmos DB

Chayapan Khannabha 20 Reputation points
2024-01-23T05:50:38.1566667+00:00

I'm trying to configure a private link for MongoDB inside Cosmos DB. It was recommended to use a Private Endpoint to achieve this goal, however I'm unable to find a working example. What is required for connecting from a container in another subnet? In the dialog to create the private endpoint, the private DNS integration section says I need a DNS record for the connection. In the NIC details page I have the IP address of the private endpoint, but when making a connection from the container, do I use the DNS record in privatelink.mongo.cosmos.azure.com or the one in the connection string from the MongoDB configuration page?



Accepted answer
  1. rilopes-MSFT 160 Reputation points Microsoft Employee
    2024-02-02T11:25:00.88+00:00

    Hi @Chayapan Khannabha, to connect using the private endpoint you should continue to use the same destination FQDN/URL from the connection string. Azure DNS will make the translation to the private DNS record and the private IP if the private DNS zone is properly configured and linked to the VNET.
    Assuming that the ACI and the private endpoint are in the same subnet, the Private DNS Zone should already be linked to the ACI VNET. If you are using the default DNS server on the VNET, then the resolution should work; if you have the curl command in your ACI image you can run "curl -v <URL>" and it will show you the IP resolved. If you have a custom DNS server on the ACI VNET, then that DNS server must forward the request to Azure DNS, and your private DNS zone will be linked to the same VNET where your DNS server is located.
    The following documentation explains this with detailed examples: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration
    Hope this helps.

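The verification step the accepted answer describes (resolve the connection-string FQDN from inside the container and confirm it maps to the private endpoint's address) can be scripted so it can run as a startup check in the container group. The script below is an added example, not code from the thread or from Microsoft; it assumes a POSIX shell with `sed`, `awk` and either `getent` or `nslookup` in the image, and the connection string it uses is constructed. A name that resolves to a public address means the private DNS zone is not linked to the VNET (or a custom DNS server is not forwarding to Azure DNS), so traffic would leave via the public path that the account has disabled.

```shell
#!/bin/sh
# Added verification helper (not from the original thread): checks that the
# Cosmos DB for MongoDB hostname taken from the connection string resolves,
# from inside the container, to a private (RFC 1918) address, which is what a
# correctly linked private DNS zone produces. A public address means the
# private endpoint is not being used.

# Extract the FQDN from a mongodb:// or mongodb+srv:// connection string
# (scheme, credentials, port and options are stripped).
conn_host() {
  printf '%s\n' "$1" |
    sed -e 's#^mongodb\(+srv\)\{0,1\}://##' -e 's#^[^@/]*@##' -e 's#[:/?].*$##'
}

# Convert a dotted IPv4 address to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: succeed if IP lies inside CIDR (e.g. 10.0.0.0/8).
in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# is_private_ip IP: succeed for any RFC 1918 address (the VNET address space
# in which the private endpoint's NIC lives is assumed to be RFC 1918).
is_private_ip() {
  in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16
}

# classify_resolution IP: print a one-word verdict for the resolved address.
classify_resolution() {
  if [ -z "$1" ]; then
    echo "unresolved"
  elif is_private_ip "$1"; then
    echo "private"
  else
    echo "public"
  fi
}

# Resolve a name from inside the container; getent is preferred, nslookup is
# the fallback for minimal images (assumption: one of the two is installed).
resolve_v4() {
  if command -v getent >/dev/null 2>&1; then
    getent ahostsv4 "$1" | awk '{print $1; exit}'
  else
    nslookup "$1" 2>/dev/null | awk '/^Address/ {a=$NF} END {print a}'
  fi
}

# check_private_resolution CONNECTION_STRING: live check; prints host, IP and
# verdict, and succeeds only when the name resolves to a private address.
check_private_resolution() {
  host=$(conn_host "$1")
  ip=$(resolve_v4 "$host")
  verdict=$(classify_resolution "$ip")
  echo "$host -> ${ip:-<none>} : $verdict"
  [ "$verdict" = private ]
}

# Usage inside the container, with a constructed connection string:
#   check_private_resolution 'mongodb://user:secret@myaccount.mongo.cosmos.azure.com:10255/?ssl=true'
```

The hostname passed to the resolver is the one from the connection string, not the privatelink.mongo.cosmos.azure.com name; the latter is only the CNAME target that the private DNS zone answers for, so resolving it directly would not prove the zone link is in place for the name the application actually uses.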

1 additional answer

  1. Chayapan Khannabha 20 Reputation points
    2024-02-02T04:26:52.5833333+00:00

    Hi @kobulloc-MSFT. Thank you for pointing out the relevant documents for running Container Instances in Azure and the limitations on virtual networks. I imagined that a container group is the same as an App Service application, so I thought the connection from the client to Cosmos DB would work the same way.

    To reformulate the question that was unclear at the beginning, the situation is:

    1. There is a Cosmos DB for MongoDB instance whose public access is disabled.
    2. Several App Service applications in a single virtual network have to access the database instance.
    3. A container group deployment might need to access the database instance as well.

    The key question is how to test whether the DNS configuration for the private endpoint is correct, that is, that the app services and the containers connect to MongoDB using a private endpoint per this documentation: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints?tabs=arm-bicep#update-a-private-endpoint-when-you-add-or-remove-a-region

    What are the steps to verify the setup if one does not use a private DNS zone group?