Failed to query from CosmosDB via Go SDK

Csanád Tabajdi 40 Reputation points
2025-10-14T06:54:30.2166667+00:00

Hello,

I have integrated the Cosmos SDK into a Go-based command-line application. The application works as expected when querying from my local machine, but queries fail when running on external virtual machines. On those machines, I encounter timeout errors.

I have run several tests to isolate the problem, but I still don’t understand why these timeouts occur. In the database settings, I am currently using a public endpoint with no firewall restrictions.

Here are my tests:

  1. Testing DNS resolution for Cosmos DB endpoint... ✓ DNS resolution successful
  2. Testing network connectivity to Cosmos DB... ✓ Network connectivity OK
  3. Checking Azure CLI installation and authentication... ✓ Azure CLI installed ✓ Logged in to Azure CLI
  4. Checking authentication environment variables... ℹ No service principal environment variables found Will attempt to use Azure CLI or Managed Identity
  5. Testing Cosmos DB client creation...

Debug: Creating Cosmos DB client...

Debug: Endpoint: <endpoint>

Debug: Database: <db>

Debug: Testing TCP connectivity to <endpoint>

Debug: TCP connection successful

Debug: Attempting Azure Default Credential authentication...

Debug: Azure credential created successfully

Debug: Creating Cosmos client...

Debug: Azure credential created successfully

Debug: Creating Cosmos client...

Debug: Cosmos client created successfully

✓ Cosmos DB client created successfully

  6. Testing Cosmos DB query (with 30s timeout)... FAILED: Cannot query Cosmos DB Error: failed to query latest entity major version: failed to query documents: failed to retrieve account properties: context deadline exceeded

Even when I increase the timeout value, the issue persists. I also tried building the source code directly on the virtual machine where I want to run it, but that didn’t help either. (Also, I use the same Azure user to test the application.)

I have correctly set the partition key, and I’m using the same query function as shown in the SDK README.

Thanks,

Csanad

Azure Cosmos DB

Answer accepted by question author
  1. SUNOJ KUMAR YELURU 16,776 Reputation points MVP Volunteer Moderator
    2025-10-14T09:01:31.8233333+00:00

    Hello @Csanád Tabajdi

    The error context deadline exceeded indicates that the query operation did not complete within the allotted time. The specific failure point is failed to retrieve account properties, which suggests a problem during the initial handshake or first packet exchange.

    The root cause is likely one of the following:

    1. Network path issues causing high latency or packet loss during data transfer.
    2. Throttling due to the VM causing higher load and exceeding provisioned throughput.
    3. Problems with Azure Default Credential resolution or token refreshing on the VM.
    4. Direct (TCP) connection mode being blocked by a firewall on the VM's network.

    If the Answer is helpful, please click Accept Answer and Up-Vote, so that it can help others in the community looking for help on similar topics.

    1 person found this answer helpful.

1 additional answer

  1. VRISHABHANATH PATIL 1,460 Reputation points Microsoft External Staff Moderator
    2025-10-14T07:11:54.5033333+00:00

    Hi Csanád Tabajdi,

    Thank you for posting your question on Microsoft Q&A. We’ve reviewed your query and outlined the detailed steps below to help resolve the issue.

    Cause of the issue and recommendations

    From your description, the Cosmos DB Go SDK works locally but times out on external VMs, even though DNS and TCP connectivity tests succeed. This typically points to authentication or network configuration issues rather than SDK bugs. Here are the key areas to check:

    Authentication Context
    • The logs show Azure Default Credential is being used. This credential tries multiple sources in order:
      o Environment variables (Service Principal)
      o Managed Identity
      o Azure CLI
    • On your local machine, Azure CLI authentication works because you’re logged in interactively.
    • On external VMs, if there’s no interactive session or Managed Identity, the SDK may fail after token acquisition attempts, causing timeouts.

    Fix:
    • For non-interactive environments, use a Service Principal or Managed Identity:
      o https://learn.microsoft.com/azure/developer/go/azure-sdk-authentication#use-defaultazurecredential
      o https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview

    Network and Firewall Settings
    • Even with a public endpoint, Cosmos DB requires port 443 outbound. Some VM environments (corporate or cloud) restrict outbound traffic.
    • If you’re using Private Endpoint or VNET integration, ensure the VM is in the correct subnet and DNS resolves to the private IP.

    Fix:
    • Verify outbound connectivity on port 443:

        curl -v https://<your-cosmos-account>.documents.azure.com:443/

      https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall

    SDK Timeout and Retries
    • The error context deadline exceeded suggests the SDK cannot complete the request within the timeout, often due to token acquisition delays or blocked traffic.
    • Increasing timeout alone won’t help if the root cause is authentication or network.

    Fix:
    • Ensure the VM can reach login.microsoftonline.com for token requests.
    • If using a proxy, configure the Go SDK to respect HTTP_PROXY and HTTPS_PROXY.

    Validate Permissions
    • The identity (Service Principal or Managed Identity) must have Cosmos DB Account Reader or Contributor role at the correct scope.

    Reference: https://learn.microsoft.com/azure/cosmos-db/how-to-setup-rbac

    Summary
    • Use Managed Identity or Service Principal for non-interactive environments.
    • Confirm port 443 outbound and DNS resolution.
    • Ensure Azure AD token endpoints are reachable.
    • Assign proper RBAC roles for Cosmos DB.

    Links
    • https://learn.microsoft.com/azure/developer/go/azure-sdk-authentication
    • https://learn.microsoft.com/azure/cosmos-db/how-to-configure-firewall
    • https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview

    Hope the above steps were helpful. If you have any other questions, please feel free to contact us.

    Thanks, Vrishabh

    1 person found this answer helpful.
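
The answer above asks for outbound 443 and login.microsoftonline.com to be verified, but a bare TCP check like the one in the question cannot show whether the TLS handshake or the HTTP reply is what stalls. The Go program below is an added example, not code from the original post or from the Azure SDK: it uses only the standard library, and the function name `probe` and the stage labels are made up for this illustration.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptrace"
	"os"
	"sync/atomic"
	"time"
)

var stages = []string{"none", "dns", "connect", "tls", "response"}

// probe sends one GET and reports the last phase that completed before it ended.
func probe(c *http.Client, url string, timeout time.Duration) (string, int, error) {
	var reached atomic.Int32 // trace hooks may run on other goroutines
	mark := func(n int32, err error) {
		if err == nil && n > reached.Load() {
			reached.Store(n)
		}
	}
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	ctx = httptrace.WithClientTrace(ctx, &httptrace.ClientTrace{
		DNSDone:              func(i httptrace.DNSDoneInfo) { mark(1, i.Err) },
		ConnectDone:          func(_, _ string, err error) { mark(2, err) },
		TLSHandshakeDone:     func(_ tls.ConnectionState, err error) { mark(3, err) },
		GotFirstResponseByte: func() { mark(4, nil) },
	})
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return stages[0], 0, err
	}
	resp, err := c.Do(req)
	if err != nil {
		return stages[reached.Load()], 0, err
	}
	resp.Body.Close()
	return stages[reached.Load()], resp.StatusCode, nil
}

func main() {
	// Arguments are the URLs to probe, one line of output per URL.
	for _, u := range os.Args[1:] {
		stage, status, err := probe(http.DefaultClient, u, 10*time.Second)
		fmt.Printf("%s stage=%s status=%d err=%v\n", u, stage, status, err)
	}
}
```

Run it on the VM with the Cosmos account endpoint and https://login.microsoftonline.com/ as arguments; `http.DefaultClient` honors HTTP_PROXY and HTTPS_PROXY. A result of `stage=response` with any HTTP status, including an error status, means the network path to that host works, while `stage=connect` with a deadline error reproduces the "TCP connection successful" then "context deadline exceeded" pattern from the question.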