An Azure VM should access Azure Cosmos DB using Private Endpoints. The VM and the Cosmos DB are in separate VNETs. I have deployed a private endpoint in the VNET where the VM resides. I have also created a private DNS zone for that private endpoint and the virtual network links as well. But when I do an ‘nslookup’ from the VM to the public URL of the Cosmos DB, it doesn’t resolve to the private IP.
```
nslookup mycosmos.documents.azure.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
mycosmos.documents.azure.com             canonical name = mycosmos.privatelink.documents.azure.com.
mycosmos.privatelink.documents.azure.com canonical name = cdb-ms-prod-westeurope1-f679.cloudapp.net.
Name:   cdb-ms-prod-westeurope1-fd89.cloudapp.net
Address: 13.29.16.48
```
But if I do an ‘nslookup’ for the private URL, which I got from the private DNS zone, it resolves to the correct IP:
```
nslookup mycosmos.myprivatedns.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   mycosmos.myprivatedns.com
Address: 10.236.49.157
```
If I’m not wrong, when I do an nslookup for the public URL, it should resolve to the private IP?
2 Answers
The private link URL takes precedence over the IP address, which then resolves to the private IP address. If it can’t follow the private link URL, it will resolve to the public IP, which is still valid (and working, in case you didn’t disable public network access).
If you create a private endpoint through the Azure Portal, it’ll automatically disable public network access as part of the creation of the private link endpoint and related resources. If you use other methods for deployment, e.g. a Bicep template, you’ll have to account for that yourself and disable public network access as part of the deployment.
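As an added example (not code from the question or either answer), here is the kind of Bicep the answer above alludes to. It shows the two things a template has to do that the portal does implicitly: name the private DNS zone privatelink.documents.azure.com, so the CNAME chain shown in the question terminates in a private A record rather than in a zone such as myprivatedns.com, and set publicNetworkAccess to Disabled. The parameter names (accountName, peSubnetId, vmVnetId) are assumptions.

```bicep
// Added example, not code from the question or the answers. accountName,
// peSubnetId (a subnet in the VM's VNet) and vmVnetId are assumed parameters.
param location string = resourceGroup().location
param accountName string
param peSubnetId string
param vmVnetId string
resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  name: accountName
  location: location
  properties: {
    databaseAccountOfferType: 'Standard'
    locations: [ { locationName: location, failoverPriority: 0 } ]
    publicNetworkAccess: 'Disabled' // the portal sets this; a template must
  }
}

resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${accountName}-pe'
  location: location
  properties: {
    subnet: { id: peSubnetId }
    privateLinkServiceConnections: [
      {
        name: '${accountName}-plsc'
        properties: { privateLinkServiceResourceId: cosmos.id, groupIds: [ 'Sql' ] }
      }
    ]
  }
}
// The public name CNAMEs to <account>.privatelink.documents.azure.com; only a
// zone with exactly that name is consulted, never one named myprivatedns.com.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.documents.azure.com'
  location: 'global'
}
resource link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'link-vm-vnet'
  location: 'global'
  properties: { virtualNetwork: { id: vmVnetId }, registrationEnabled: false }
}
// Writes the endpoint's private IP into the zone as an A record for the account.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'cosmos', properties: { privateDnsZoneId: zone.id } } ]
  }
}
```

After deployment, repeating the nslookup from the question for the public hostname should end at the endpoint's 10.x address instead of the cloudapp.net public IP.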
I tried to reproduce the same in my environment and got the same error, as shown below:
I created a virtual machine and an Azure Cosmos DB in different VNets, used a private endpoint in the same VNet where the VM is located, and created a private DNS zone for that private endpoint and the virtual network links, as shown below:
Virtual machine and bastion host:
Azure Cosmos DB with private endpoint:
I agree with @NotFound. Make sure to disable public access on the Cosmos DB, as shown below:
When I checked with the private endpoint, I got the result successfully, as shown below: