Connection to cosmos db over private link from azure app service


I want to consume Cosmos DB over Private Link from my web app. I'm able to make this work with Azure SQL; Cosmos, however, is a different story.

The two resources, the App Service and the Cosmos DB account, are in the same resource group in the same Azure region, and they are connected to the same VNet.

I have created two subnets in the VNet. The first is used by an App Service hosting my web app. I have integrated the App Service into the network through VNet integration.

The second is used for a private endpoint for my Cosmos DB instance. When I connect from the App Service with the help of the Cosmos DB client library for C#, I get an error message saying that traffic from the internet to this instance is not allowed (blocked). When I run nslookup from the Kudu console on the App Service, <mycosmosdbinstance>.documents.azure.com resolves to a public IP, indicating that traffic is routed over the internet. I have followed the steps in this guide closely:

https://erwinstaal.nl/posts/securing-your-azure-db-connection-using-azure-private-link/

I have set the application settings WEBSITE_VNET_ROUTE_ALL and WEBSITE_DNS_SERVER to route traffic over the VNet and resolve host names using Azure DNS. Has anyone been able to pull this off?

Accepted answer

If traffic is still being routed over the public internet, it may be because publicNetworkAccess was not set to disabled when you created the Cosmos account.

I would follow along with the steps below. They work when followed.

Configure Azure Private Link for an Azure Cosmos account
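As an added example (not code from the answer, the question, or the linked Microsoft article), the Bicep below wires together every piece this thread touches: a Cosmos account with publicNetworkAccess disabled, a private endpoint in the endpoint subnet, the privatelink.documents.azure.com private DNS zone linked to the VNet with a DNS zone group so the endpoint's private address is registered automatically, and the two app settings on the App Service. The parameter names, resource names and API versions are assumptions; the VNet, both subnets and the App Service with regional VNet integration already in place are assumed to exist. The private DNS zone is the part that fixes the symptom in the question: without it, Azure DNS (168.63.129.16) still answers with the public address even when WEBSITE_VNET_ROUTE_ALL is set, because the public zone's CNAME chain ends at the public IP.

```bicep
// Added example; names and API versions are assumptions, not taken from the thread.
param location string = resourceGroup().location
param accountName string            // Cosmos DB account name (assumed parameter)
param appName string                // existing App Service (assumed parameter)
param vnetId string                 // existing VNet resource id (assumed parameter)
param endpointSubnetId string       // second subnet, used only for the private endpoint

// 1. Cosmos account with the public endpoint closed. Without this the account
//    still accepts (and its firewall still evaluates) traffic arriving via
//    the public address.
resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
  name: accountName
  location: location
  kind: 'GlobalDocumentDB'
  properties: {
    databaseAccountOfferType: 'Standard'
    publicNetworkAccess: 'Disabled'
    locations: [
      {
        locationName: location
        failoverPriority: 0
      }
    ]
  }
}

// 2. Private endpoint for the SQL (Core) API in the endpoint subnet.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${accountName}-pe'
  location: location
  properties: {
    subnet: {
      id: endpointSubnetId
    }
    privateLinkServiceConnections: [
      {
        name: '${accountName}-plsc'
        properties: {
          privateLinkServiceId: cosmos.id
          groupIds: [ 'Sql' ]
        }
      }
    ]
  }
}

// 3. Private DNS zone for Cosmos SQL API endpoints, linked to the VNet so that
//    queries sent to 168.63.129.16 from inside the VNet get the private IP.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.documents.azure.com'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-to-app-vnet'
  location: 'global'
  properties: {
    virtualNetwork: {
      id: vnetId
    }
    registrationEnabled: false
  }
}

// 4. DNS zone group: Azure writes the endpoint's A records into the zone and
//    keeps them current, so nothing has to be registered by hand.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'cosmos-sql'
        properties: {
          privateDnsZoneId: dnsZone.id
        }
      }
    ]
  }
}

// 5. App settings on the existing App Service: send all outbound traffic into
//    the VNet and resolve names with the Azure-provided resolver.
resource site 'Microsoft.Web/sites@2022-09-01' existing = {
  name: appName
}

resource appSettings 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: site
  name: 'appsettings'
  properties: {
    WEBSITE_VNET_ROUTE_ALL: '1'
    WEBSITE_DNS_SERVER: '168.63.129.16'
  }
}
```

Two caveats when using this. The `sites/config` resource named `appsettings` replaces the whole set of app settings on the site, so merge your existing settings into that object rather than deploying it as-is. After deployment, `nslookup <accountname>.documents.azure.com` from the Kudu console should return an address inside the endpoint subnet; if it still returns a public IP, the zone link or the app settings are the first things to check, and `az cosmosdb show -n <accountname> -g <rg> --query publicNetworkAccess` should report `Disabled`.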

Answer

Private Link doesn't prevent your Azure Cosmos endpoints from being resolved by public DNS. Filtering of incoming requests happens at the application level, not at the transport or network level.