Azure Cosmos DB Read only query

Rock 41 Reputation points
2022-02-18T18:55:35.81+00:00

Hi,

I have a Cosmos DB with an analytical container (V2 Versions) on, as our goal is to use only the analytical container for any kind of data fetching (currently trying to migrate all users to Synapse workspace). My question is: if we share the read-only key with other teams, how can we control if they are hitting only the analytical layer of the V2 Cosmos DB container and not the transactional layer?

  1. In Synapse (like while creating pipelines, or fetching the Cosmos DB by not using openrowset())
  2. If they try to access the Cosmos DB through other options (not Synapse, any traditional way of data fetching)

Does this mean that when we have enabled a Cosmos DB's analytical container, any way of data fetching will be done on the analytical layer only and will not hit the actual transactional layer?

Your help is appreciated!!


Accepted answer
  1. Anurag Sharma 17,606 Reputation points
    2022-02-21T09:45:41.283+00:00

    Hi @Rock, welcome to the Microsoft Q&A forum, and sorry for the delayed response.

    From the details you provided it seems that you want to restrict users to just be able to query the data from Analytical Store in Azure Cosmos DB.

    This can be achieved by controlling the network access separately for both the transactional and analytical stores independently. Network isolation is done using separate managed private endpoints for each store, within managed virtual networks in Azure Synapse workspaces.

    Please refer to the article below, which talks about creating a private link in detail:

    Configure Azure Private Link for Azure Cosmos DB analytical store

    I would also suggest that you go through the link below, which talks about the security features of the analytical store:

    Security

    If we use read-only keys with creating a private link, users will be able to access the transaction store, although they would not be able to write anything.

    Please let us know if this helps or else we can discuss further on the same.


1 additional answer

  1. Rock 41 Reputation points
    2022-02-25T14:24:17.74+00:00

    Thank you @AnuragSharma-MSFT for your reply, I will try to configure the private endpoints and see if it will help us.
