Can't access Cosmos Db that has firewall restrictions from Azure Synapse

I am attempting to setup Synapse to access a Cosmos Db that has firewall rules set to only allow whitelisted IPs.

After a bit of research, I came across this article:

Securing Azure Synapse Workspaces? Beware of One Inescapable Networking Blocker | by Moussa Taifi PhD | Towards Dev

According to that post, the only option is to whitelist the entire range of IPs that might be used by the pool. Can someone let me know if this is indeed the case? I started looking at private endpoints as that seems like a perfect solution, but I can't get it to work. I tried the following multiple times:

1. Create a new Cosmos DB account with Azure Synapse Link enabled.
2. Restrict it to Selected networks.
3. Create a new DB and container.
4. Verify that I can't add a new item.
5. Add my IP.
6. Add a new item.
7. Create a new Synapse Workspace, choosing Managed VNet.
8. After creation, verify that the Integration Runtime is in the Managed VNet.
9. Create two new private endpoints for my Cosmos DB: one of type Sql and one of type Analytical (I'm not sure which I need yet).
10. Go to the Private Link Center and approve both endpoints.
11. Data > Connect to External Data.
12. Ensure that my runtime is in the Managed VNet.
13. Select my DB.

I waited 10 min, but the managed endpoint list is stuck at “Refreshing.” I continued to save anyway, but when I try to make a SQL call (after creating the credential), I get:

Resolving CosmosDB path has failed with error 'Access to the database account '*******' is forbidden.'.

The endpoints are permanently "Refreshing" both in the properties of the connection and in Manage Private Endpoints. The endpoint links are "approved" and show as such in Cosmos DB.

Can anyone let me know:

Are Private endpoints a method that I can use to connect my Synapse Workspace to my locked down Cosmos DB?

If so, what might I be doing wrong?

Thanks!



Solution 1:[1]

You should consider opening a support case in the case of misconfiguration in your settings.

There should be an option to allow access to Azure IPs. This is contained in documentation located here:

Add a managed private endpoint for Azure Cosmos DB analytical store

1. Sign in to the Azure portal.
2. From the Azure portal, navigate to your Synapse Analytics workspace and open the Overview pane.
3. Launch Synapse Studio by navigating to the Getting Started pane and selecting Open under Open Synapse Studio.
4. In Synapse Studio, open the Manage tab.
5. Navigate to Managed private endpoints and select New.
6. Create a new private endpoint for the analytical store.
7. Select the Azure Cosmos DB (SQL API) account type > Continue.
8. Select Azure Cosmos DB SQL API to create a private endpoint.
9. Fill out the New managed private endpoint form with the following details:
   - Name - Name for your managed private endpoint. This name cannot be updated after it's created.
   - Description - Provide a friendly description to identify your private endpoint.
   - Azure subscription - Select an Azure Cosmos DB account from the list of available accounts in your Azure subscriptions.
   - Azure Cosmos DB account name - Select an existing Azure Cosmos DB account of type SQL or MongoDB.
   - Target sub-resource - Select one of the following options:
     - Analytical: If you want to add the private endpoint for Azure Cosmos DB analytical store.
     - Sql (or MongoDB): If you want to add the OLTP or transactional account endpoint.

   Note: You can add both transactional store and analytical store private endpoints to the same Azure Cosmos DB account in an Azure Synapse Analytics workspace. If you only want to run analytical queries, you may only want to map the analytical private endpoint.

10. Choose Analytical for the target sub-resource.
11. After creating it, go to the private endpoint name and select Manage approvals in Azure portal.
12. Navigate to your Azure Cosmos DB account, select the private endpoint, and select Approve.
13. Navigate back to the Synapse Analytics workspace and click Refresh on the Managed private endpoints pane. Verify that the private endpoint is in the Approved state.
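The same create-then-approve procedure scripted with the Azure CLI, as an added example that is not part of the question or the answer. Subscription, resource group, account and workspace names are placeholders, and the az subcommands, flags and JSON query paths are assumed to match the current azure-cli (check with `az <command> --help` before relying on them).

```shell
#!/usr/bin/env bash
# Added example: creates a Synapse managed private endpoint for a Cosmos DB
# account and approves it on the Cosmos side. az flags/paths are assumptions.
set -eu

# Only these target sub-resources exist for a Cosmos DB managed private endpoint:
# "Sql"/"MongoDB" for the transactional store, "Analytical" for the analytical store.
valid_group_id() {
  case "$1" in
    Sql|MongoDB|Analytical) return 0 ;;
    *) return 1 ;;
  esac
}

# JSON body for `az synapse managed-private-endpoints create --file`: the Cosmos
# account's ARM resource id plus the chosen group id (rejects unknown group ids).
mpe_body() {  # args: subscription resource-group cosmos-account group-id
  valid_group_id "$4" || { echo "unsupported groupId: $4" >&2; return 1; }
  printf '{"privateLinkResourceId":"/subscriptions/%s/resourceGroups/%s/providers/Microsoft.DocumentDB/databaseAccounts/%s","groupId":"%s"}' \
    "$1" "$2" "$3" "$4"
}

# Create from the Synapse side, then approve on the Cosmos side. Until approval
# the connection is "Pending" and Synapse Studio keeps showing "Refreshing".
create_and_approve() {  # args: subscription resource-group cosmos-account workspace group-id
  sub="$1"; rg="$2"; acct="$3"; ws="$4"; gid="$5"; pe="cosmos-$gid-pe"
  body="$(mktemp)"; mpe_body "$sub" "$rg" "$acct" "$gid" >"$body"
  az synapse managed-private-endpoints create --workspace-name "$ws" --pe-name "$pe" --file "@$body"
  # Approve only pending connections that carry this workspace's name (assumed naming);
  # on a shared account, review the list before approving anything else.
  for conn in $(az network private-endpoint-connection list --name "$acct" --resource-group "$rg" \
      --type Microsoft.DocumentDB/databaseAccounts \
      --query "[?contains(name, '$ws') && properties.privateLinkServiceConnectionState.status=='Pending'].name" -o tsv); do
    az network private-endpoint-connection approve --name "$conn" --resource-name "$acct" \
      --resource-group "$rg" --type Microsoft.DocumentDB/databaseAccounts --description "Synapse $pe"
  done
  # Should now report Approved instead of Pending
  az synapse managed-private-endpoints show --workspace-name "$ws" --pe-name "$pe" \
    --query "properties.connectionState.status" -o tsv
  rm -f "$body"
}

# Runs only when explicitly asked and az is installed, e.g.:
#   ./mpe.sh apply <subscription-id> <resource-group> <cosmos-account> <synapse-workspace> Analytical
if [ "${1:-}" = "apply" ] && command -v az >/dev/null 2>&1; then
  shift; create_and_approve "$@"
fi
```

Run it once with `Analytical` for Synapse Link queries and once with `Sql` if the same workspace also needs the transactional endpoint.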

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Jay Gordon