We are looking to secure our Cosmos DB accounts by restricting access to selected subnets in our virtual network as described in the documentation. In testing, it works as described. I must connect to the VPN Gateway to gain access to the Virtual Network, log on to a VM within the allowed subnet, then I can access the Cosmos data. My question: Is it possible to skip the "middle man" here and just connect to Cosmos by connecting to the VPN Gateway? While I am connected to the gateway, my requests to Cosmos are still routed through the public internet and are blocked. I have given the gateway subnet access to the Cosmos account, but it still fails. I'm just trying to make sure there isn't something I could configure that would easily allow this access. If we have to connect to a VM within the virtual network for access, and that is how it was designed, then so be it.

@Joel Forsyth , You can enable Private Endpoints for Cosmos DB and you get a private IP address from the VNET space to which you need to connect to. BY that way you can connect from On-Prem via VPN directly. But you need to take care of some DNS configurations to achieve this. Reference: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints Regards, Karthik Srinivas

Connect to Cosmos DB via VPN Gateway Connection

Accepted answer

msrini-MSFT 9,276 Reputation points Microsoft Employee

2021-11-23T15:45:01.663+00:00

@Joel Forsyth ,

You can enable Private Endpoints for Cosmos DB and you get a private IP address from the VNET space to which you need to connect to. BY that way you can connect from On-Prem via VPN directly.

But you need to take care of some DNS configurations to achieve this.

Reference: https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-private-endpoints

Regards,
Karthik Srinivas
Please sign in to rate this answer.
Joel Forsyth 26 Reputation points

2021-11-23T16:26:38.31+00:00

Thank you for your response, @msrini-MSFT .

In the next document on connecting to the private endpoint it says I would still have to create a VM and use the Azure Bastion via the Portal. You stated that I could connect to the private IP created for the private endpoint. When you say connect, do you mean using that IP instead of the DNS record for the account?

Reference: https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-cosmosdb-portal?bc=/azure/cosmos-db/breadcrumb/toc.json&toc=/azure/cosmos-db/toc.json

I'm still not clear on how I would actually use the private endpoint to connect. The use case I'm trying to achieve is for a developer that wants to view data in the Cosmos account via the browser (cosmos.azure.com) or via Azure Storage Explorer. Both of these are possible from within the network.

Joel Forsyth 26 Reputation points

2021-11-23T19:13:51.513+00:00

@msrini-MSFT ,

Update: I was able to connect to Cosmos in the portal by adding the endpoint and the new private IP to my hosts file. Is there a cleaner way to do this?

Thanks,
Joel

msrini-MSFT 9,276 Reputation points Microsoft Employee

2021-11-24T04:44:59.317+00:00

That is the simple and easy way to do it. Other way is to setup a DNS server in Azure and forward the DNS query for the cosmos to Azure DNS server which inturn returns Private IP address. This solution which i just stated is recommended for the enterprise level users. Your solution will work completely fine but you need to edit the host file in every computer from where you need to connect to Cosmos.

Hope this helps. If you got the answer that you are looking for, please make the suggestion as answer to help other community users.

Regards,
Karthik Srinivas
Sign in to comment

Share via

Connect to Cosmos DB via VPN Gateway Connection

0 additional answers