How to securely connect azure static web app with cosmos mongo db?

Question

How to securely connect azure static web app with cosmos mongo db?

Sunny Chawla 0

I need to securely connect Azure static web app with Azure cosmos mongo db. I have tried creating private endpoint also tried creating app service. But still struggling with connecting the web application code with azure cosmos mongo db.

This connection works perfectly in development environment.

Please provide detailed steps and help resolve the issue.

Shree Hima Bindu Maganti 4,155 Reputation points Microsoft External Staff Moderator

2025-05-08T12:13:02.6166667+00:00
Hi @Sunny Chawla
To securely connect an Azure Static Web App with Azure Cosmos DB using the MongoDB API,

Ensure your Azure Cosmos DB allows access from your Azure Static Web App. Configure your Cosmos DB account to permit connections from all networks or specific IP addresses.

Create a private endpoint for your Azure Cosmos DB to enable secure access within your virtual network.

Use Azure Key Vault to manage your connection strings securely. Store your Cosmos DB connection string in the Key Vault to avoid hardcoding sensitive information in your application.

Set up a Service Connector in your Azure Static Web App to connect to your Cosmos DB by:

Selecting the Cosmos DB resource.

Configuring the connector to use the Key Vault for secrets storage.

Ensuring the connector uses a managed identity for authentication.

Retrieve the connection string from the Key Vault in your application code, and ensure your application uses the correct environment variables to access the Cosmos DB.

Test the connection from your Azure Static Web App to the Cosmos DB, check for errors in the logs, and troubleshoot as needed.
References:

Tutorial: Deploy a Node.js + MongoDB web app to Azure (azure-portal)

Integrate Azure Cosmos DB for MongoDB with Service Connector
https://learn.microsoft.com/en-us/azure/static-web-apps/database-azure-cosmos-db?tabs=bash
Let me know if you have any further assistances.
Sunny Chawla 0 Reputation points

2025-05-08T16:11:57.89+00:00

Thank you for your reply!

If I setup azure cosmos Db to accept all networks, is this approach secure?

Can I get outbound IP address of Azure static web app?

Can I restrict access of cosmos Db only to this azure static web app that is publicly accessible?
Siva Nair 1,650 Reputation points Microsoft External Staff Moderator

2025-05-08T17:18:41.1066667+00:00
Hi Sunny Chawla,

No, this is not secure. Allowing access from all networks exposes your Cosmos DB to the public internet, increasing the risk of unauthorized access, brute-force attacks, and data breaches, even if authentication is required.

Recommended Approach:

Use Private Endpoints to restrict access to trusted networks.

If public access is temporarily needed (e.g., for development), restrict it to specific IP ranges.

Always use RBAC and Managed Identity for secure access control.

No, Azure Static Web Apps do not have fixed outbound IPs. They are serverless and multi-tenant, so their outbound IPs are dynamic and not published by Microsoft.

Workaround:

Use an Azure Function App (Premium Plan or App Service Plan) with VNet integration.

These services can have static outbound IPs, which you can whitelist in Cosmos DB.

Not directly, Azure Static Web Apps are public facing and cannot be integrated into a VNet, so Cosmos DB cannot restrict access based on the Static Web App alone.

Secure Solution:

Use an Azure Function backend that is VNet-integrated.

The Static Web App communicates with the Function, and the Function securely accesses Cosmos DB via a private endpoint.

This keeps your database isolated while still allowing secure access from your app.

Document for reference-https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-vnet

Similar thread which may help you - https://learn.microsoft.com/en-us/answers/questions/2121722/query-a-cosmosdb-with-private-endpoint-from-a-stat

If you have any further assistant, do let me know.
Bodapati Harish 400 Reputation points Microsoft External Staff Moderator

2025-05-09T15:25:27.9333333+00:00

Hello Sunny Chawla,

As per Siva’s suggestion, the recommended approach is to use an Azure Function App (Premium or App Service Plan) with VNet integration as a secure API layer between your Azure Static Web App and Cosmos DB. This setup ensures secure communication using a Private Endpoint and Managed Identity.

If you need further assistance or have any questions, please feel free to comment. I will be happy to help you.
Sunny Chawla 0 Reputation points

2025-05-10T01:49:20.02+00:00

Please can you share video tutorial link for the implementation details.
Harshitha Veeramalla 1,116 Reputation points Microsoft External Staff Moderator

2025-05-12T06:39:40.85+00:00

Hi Sunny Chawla, did you get a chance to look into this MSDoc's 1 and 2 , it has clear steps to connect Azure Cosmos DB

1 answer

Your answer

Shree Hima Bindu Maganti 4,155 Reputation points Microsoft External Staff Moderator

2025-05-08T12:13:02.6166667+00:00

Hi @Sunny Chawla
To securely connect an Azure Static Web App with Azure Cosmos DB using the MongoDB API,

Ensure your Azure Cosmos DB allows access from your Azure Static Web App. Configure your Cosmos DB account to permit connections from all networks or specific IP addresses.

Create a private endpoint for your Azure Cosmos DB to enable secure access within your virtual network.

Use Azure Key Vault to manage your connection strings securely. Store your Cosmos DB connection string in the Key Vault to avoid hardcoding sensitive information in your application.

Set up a Service Connector in your Azure Static Web App to connect to your Cosmos DB by:

Selecting the Cosmos DB resource.

Configuring the connector to use the Key Vault for secrets storage.

Ensuring the connector uses a managed identity for authentication.

Retrieve the connection string from the Key Vault in your application code, and ensure your application uses the correct environment variables to access the Cosmos DB.

Test the connection from your Azure Static Web App to the Cosmos DB, check for errors in the logs, and troubleshoot as needed.
References:

Tutorial: Deploy a Node.js + MongoDB web app to Azure (azure-portal)

Integrate Azure Cosmos DB for MongoDB with Service Connector
https://learn.microsoft.com/en-us/azure/static-web-apps/database-azure-cosmos-db?tabs=bash
Let me know if you have any further assistances.
Sunny Chawla 0 Reputation points

2025-05-08T16:11:57.89+00:00

Thank you for your reply!

If I setup azure cosmos Db to accept all networks, is this approach secure?

Can I get outbound IP address of Azure static web app?

Can I restrict access of cosmos Db only to this azure static web app that is publicly accessible?
Siva Nair 1,650 Reputation points Microsoft External Staff Moderator

2025-05-08T17:18:41.1066667+00:00

Hi Sunny Chawla,

No, this is not secure. Allowing access from all networks exposes your Cosmos DB to the public internet, increasing the risk of unauthorized access, brute-force attacks, and data breaches, even if authentication is required.

Recommended Approach:

Use Private Endpoints to restrict access to trusted networks.

If public access is temporarily needed (e.g., for development), restrict it to specific IP ranges.

Always use RBAC and Managed Identity for secure access control.

No, Azure Static Web Apps do not have fixed outbound IPs. They are serverless and multi-tenant, so their outbound IPs are dynamic and not published by Microsoft.

Workaround:

Use an Azure Function App (Premium Plan or App Service Plan) with VNet integration.

These services can have static outbound IPs, which you can whitelist in Cosmos DB.

Not directly, Azure Static Web Apps are public facing and cannot be integrated into a VNet, so Cosmos DB cannot restrict access based on the Static Web App alone.

Secure Solution:

Use an Azure Function backend that is VNet-integrated.

The Static Web App communicates with the Function, and the Function securely accesses Cosmos DB via a private endpoint.

This keeps your database isolated while still allowing secure access from your app.

Document for reference-https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-vnet

Similar thread which may help you - https://learn.microsoft.com/en-us/answers/questions/2121722/query-a-cosmosdb-with-private-endpoint-from-a-stat

If you have any further assistant, do let me know.
Bodapati Harish 400 Reputation points Microsoft External Staff Moderator

2025-05-09T15:25:27.9333333+00:00

Hello Sunny Chawla,

As per Siva’s suggestion, the recommended approach is to use an Azure Function App (Premium or App Service Plan) with VNet integration as a secure API layer between your Azure Static Web App and Cosmos DB. This setup ensures secure communication using a Private Endpoint and Managed Identity.

If you need further assistance or have any questions, please feel free to comment. I will be happy to help you.
Sunny Chawla 0 Reputation points

2025-05-10T01:49:20.02+00:00

Please can you share video tutorial link for the implementation details.
Harshitha Veeramalla 1,116 Reputation points Microsoft External Staff Moderator

2025-05-12T06:39:40.85+00:00

Hi Sunny Chawla, did you get a chance to look into this MSDoc's 1 and 2 , it has clear steps to connect Azure Cosmos DB

Answer 1

Hi @Sunny Chawla,

If I setup azure cosmos Db to accept all networks, is this approach secure?

This is not secure, turning on Allow All Networks makes your DB open to everyone on the network. If anyone has your connection string, they can access your DB.

This can be used only for development or testing.

Can I get outbound IP address of Azure static web app?

Unlike App service or Function apps, Azure Static Web Apps do not provide a fixed outbound IP address.

Can I restrict access of cosmos Db only to this azure static web app that is publicly accessible?

You can restrict access to Azure Cosmos DBonly from a publicly accessible Azure Static Web App, but this involves a more complex configuration. Since Azure Static Web Apps do not have a fixed outbound IP address, you can't directly restrict Cosmos DB access by IP.

As an alternate you can use Function App or App service.

Check the below steps to configure with Function App:

Create Azure Cosmos DB with MongoDB API.

Use an Azure Function as a Proxy to Secure Cosmos DB Access.

Create a sample Azure Function and use the Managed Identity to authenticate and connect to Azure Cosmos DB.
Configure Managed Identity by enabling System-assigned Managed Identity for the Azure Function.

{6FAED5E7-695E-4FF6-BE69-90DE42E71BB9}

Assign the Cosmos DB Operator role to the Azure Function's Managed Identity so it can access the Cosmos DB.

Refer this MSDoc for more clear steps, it explains configuring Cosmos DB with App service and Function App.

Hope this helps

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions, please reply back.

Harshitha Veeramalla 1,116 Reputation points Microsoft External Staff Moderator

2025-05-15T10:28:39.92+00:00

Hi @Sunny Chawla, just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Harshitha Veeramalla 1,116 Reputation points Microsoft External Staff Moderator

2025-05-16T11:15:19.6766667+00:00

Hi Sunny Chawla, just checking in to see if the provided answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further queries do let us know.

Share via

How to securely connect azure static web app with cosmos mongo db?

1 answer

Your answer