Over the past several months, networking enhancements have become more active in the PaaS/Serverless area of Azure. Even for Azure Cosmos DB, which is described as a serverless DB, Private Link for Cosmos DB became generally available in spring 2020.
I would like to take this opportunity to summarize the network configuration of Cosmos DB, as we have been using this feature more and more in our real projects.
Most Azure PaaS services, not just Cosmos DB, offer three types of network connections:
- All networks
- Service endpoints
- Private endpoints
In fact, Cosmos DB provisioning lets you choose from these three options (and the choice can still be changed after provisioning). On the configuration screen the wording is slightly different: "Public endpoint" is a connection via a Service endpoint, and "Private endpoint" is a connection using Private Link.
Connection to Cosmos DB via a Service endpoint is completed by adding a virtual network in the Firewall and virtual networks menu. When selecting a VNET, you need to specify the subnet that will connect to the Cosmos DB service endpoint (the public IP endpoint). The configuration may take up to 15 minutes to take effect, so you may have to wait until the Endpoint Status becomes
One thing to keep in mind when setting up a Service endpoint is that unless the client is inside the virtual network, you won't be able to use Data Explorer or Azure Storage Explorer to manipulate the data. The easiest solution is to add the client IP address to the Firewall (a CIDR range is also accepted). In addition, you should also check Allow access from Azure Portal if you are operating from the Azure Portal.
With the virtual network and IP firewall configured, it looks like this:
This is the connection via Private Link, where a private IP is assigned to the Cosmos DB endpoint. It is easy to use in an environment where ExpressRoute connects on-premises networks to virtual networks.
For configuration, go to the Private Endpoint Connections menu and click + Private Endpoint to configure private endpoints (create a private endpoint, specify a subnet, set a private DNS zone). When the configuration is complete, a Private endpoint resource will be created as shown below.
In client environments that use a Private endpoint, Cosmos DB can still be used in conjunction with the IP Firewall. If you have policy constraints, you may need to connect to the virtual network using ExpressRoute or via Azure Bastion.
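As an added example (not from the original post), the following script classifies which of the three options an account is actually in by reading its ARM properties, and flags the pitfalls discussed above (a Service endpoint with no client IP allowed, the public endpoint still open beside a Private endpoint). Property names are those of the `Microsoft.DocumentDB/databaseAccounts` resource as returned by `az cosmosdb show`; the inputs are constructed samples and `<sub>` is a placeholder.

```python
"""Classify the network exposure of a Cosmos DB account from its ARM properties.
Property names follow Microsoft.DocumentDB/databaseAccounts (the 'properties'
object returned by az cosmosdb show). The sample inputs are constructed."""
from dataclasses import dataclass, field


@dataclass
class Posture:
    mode: str  # "all-networks" | "restricted" | "private-only"
    findings: list = field(default_factory=list)


def classify(props: dict) -> Posture:
    public = props.get("publicNetworkAccess", "Enabled") == "Enabled"
    vnet_filter = bool(props.get("isVirtualNetworkFilterEnabled", False))
    subnets = props.get("virtualNetworkRules") or []
    ip_rules = [r["ipAddressOrRange"] for r in props.get("ipRules") or []]
    private_eps = props.get("privateEndpointConnections") or []
    findings = []
    if not public:  # private endpoint only: the public endpoint rejects connections
        if not private_eps:
            findings.append("public access disabled and no private endpoint: nothing can connect")
        return Posture("private-only", findings)
    if not vnet_filter and not ip_rules:
        findings.append("no VNet rules and no IP firewall: reachable from all networks")
        return Posture("all-networks", findings)
    # Service endpoint / IP firewall mode: check that the rules actually restrict.
    if vnet_filter and not subnets:
        findings.append("VNet filter enabled but no subnet added; only IP rules apply")
    if not ip_rules:
        findings.append("no client IP allowed: Data Explorer from outside the VNet will fail")
    if "0.0.0.0" in ip_rules:
        findings.append("0.0.0.0 admits traffic from any Azure datacenter, not just yours")
    if private_eps:
        findings.append("private endpoint present but public endpoint still reachable")
    return Posture("restricted", findings)


# Constructed samples mirroring the three portal options (<sub> is a placeholder).
ALL_NETWORKS = {"publicNetworkAccess": "Enabled", "ipRules": [], "virtualNetworkRules": []}
SERVICE_ENDPOINT = {
    "publicNetworkAccess": "Enabled", "isVirtualNetworkFilterEnabled": True,
    "virtualNetworkRules": [{"id": "/subscriptions/<sub>/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/app", "ignoreMissingVNetServiceEndpoint": False}],
    "ipRules": [{"ipAddressOrRange": "203.0.113.10"}],  # operator's client IP (TEST-NET-3 sample)
}
PRIVATE_ENDPOINT = {"publicNetworkAccess": "Disabled",
                    "privateEndpointConnections": [{"id": "/subscriptions/<sub>/.../privateEndpointConnections/pe1"}]}

if __name__ == "__main__":
    for name, props in (("all", ALL_NETWORKS), ("svc-ep", SERVICE_ENDPOINT), ("pe", PRIVATE_ENDPOINT)):
        p = classify(props)
        print(f"{name}: {p.mode}; " + ("; ".join(p.findings) or "no findings"))
```

Feed it the `properties` object of each account from `az cosmosdb show` to spot accounts that were meant to be locked down but still answer on the public endpoint.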
In this entry, I have introduced the Networking options in Azure Cosmos DB. Service endpoints and Private endpoints can be configured in other Azure PaaS/Serverless services with very similar settings.
With more network configuration options in the Azure PaaS/Serverless area, not only is a wider range of network designs possible, but enterprise projects, which tend to have strict network policies, are also helped by the fact that PaaS networking no longer becomes an issue that stops discussions from moving forward.