I've set up Firewall CIDRs in my-mongodb -> Firewall and virtual networks, as per https://docs.microsoft.com/en-us/azure/cosmos-db/firewall-support
However, I'm seeing very strange behaviour:
If I try to connect from a whitelisted IP, the connection succeeds:
mongo REDACTED.mongo.cosmos.azure.com:10255 -u my_username -p my_password --ssl --sslAllowInvalidCertificates
This results in a mongo prompt, globaldb:PRIMARY>, and full access to the database and collections.
And if I try connecting from a non-whitelisted IP, the connection fails:
2020-06-18T16:43:12.206-0400 I NETWORK [js] DBClientConnection failed to receive message from REDACTED.mongo.cosmos.azure.com:10255 - SocketException: asio.ssl stream truncated
2020-06-18T16:43:12.207-0400 E QUERY [js] Error: network error while attempting to run command 'saslContinue' on host 'REDACTED.mongo.cosmos.azure.com:10255' :
2020-06-18T16:43:12.209-0400 F - [main] exception: connect failed
2020-06-18T16:43:12.209-0400 E - [main] exiting with code 1
However, if I try connecting without specifying the username and password, I'm able to access the mongo database. I get the mongo shell prompt and can do any unauthenticated commands, letting me do basic reconnaissance, like what the URLs are for the primary and secondaries, the name of the database, etc.
Expected behaviour: The firewall should drop all traffic not coming from a valid IP address. According to https://docs.microsoft.com/en-us/azure/cosmos-db/firewall-support it should at least result in a 403.