peter_31415
Copper Contributor
Dec 10, 2025

cosmos_vnet_blocked error with BYO standard agent setup

Hi!

We've tried deploying the standard agent setup using Terraform as described in https://learn.microsoft.com/en-us/azure/ai-foundry/agents/how-to/virtual-networks?view=foundry-classic and using the Terraform sample available at https://github.com/azure-ai-foundry/foundry-samples/tree/main/infrastructure/infrastructure-setup-terraform/15a-private-network-standard-agent-setup/code as a basis to give the necessary support in our codebase. However, we keep getting the following error:

cosmos_vnet_blocked: Access to Cosmos DB is blocked due to VNET configuration. Please check your network settings and make sure CosmosDB is public network enabled, if this is a public standard agent setup.

Has anyone experienced this error?

4 Replies

  • Hi peter_31415, normanmueller. You’re not alone — this is a known and common pitfall when deploying the Standard Agent with private networking.

    cosmos_vnet_blocked: Access to Cosmos DB is blocked due to VNET configuration. Please check your network settings and make sure CosmosDB is public network enabled, if this is a public standard agent setup.

    This error does not mean Cosmos DB is misconfigured in general. It means Azure AI Agents cannot reach the Cosmos DB account that backs the agent runtime.

    Even in a “private network standard agent setup”, the agent service itself is still a Microsoft-managed service, and it has strict networking expectations.

    How to fix? (supported configuration)

    Required Cosmos DB settings for Standard Agents

    Your Cosmos DB account must have:

    public_network_access_enabled = true

    AND either:

    • No VNET firewall rules
      OR
    • “Allow access from Azure services” enabled

    In Portal:

    Cosmos DB → Networking

    Public network access: Enabled

    Allow Azure services and resources to access this account

    Terraform example:

    resource "azurerm_cosmosdb_account" "agents" {
      name                = "cosmos-agents"
      location            = azurerm_resource_group.rg.location
      resource_group_name = azurerm_resource_group.rg.name
      kind                = "GlobalDocumentDB"

      # Network settings this reply refers to
      public_network_access_enabled     = true
      is_virtual_network_filter_enabled = false

      # Other required arguments (offer_type, consistency_policy, geo_location) are omitted here.
    }

    Status:

    As of now:

    • Private Cosmos DB for Standard Agents = not supported
    • Docs mention “private networking” but do not clearly call out this limitation
    • This limitation has been acknowledged internally, but no public ETA for support

    All the best

  • normanmueller
    Copper Contributor

    I’m running into the same problem as well. I’ve verified that enterprise_memory is present in Cosmos DB.

  • peter_31415
    Copper Contributor

    One thing missing in the initial post is that we get the error when we try to deploy an agent either through the REST API or using the AI Foundry Portal.

  • peter_31415
    Copper Contributor

    One additional piece of information is that, despite the error, we can see the agent database (enterprise_memory) and containers (*-agent-entity-store, *-system-thread-message-store, *-thread-message-store) are successfully created.
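
An added example, not part of any post in this thread: a small check that compares a Cosmos DB account's network settings, as returned by `az cosmosdb show`, with the settings listed in the first reply. The sample JSON is constructed; the function name, and treating IP rules as firewall rules alongside VNET rules, are assumptions of this example. The `0.0.0.0` entry is the IP rule the portal adds when access from Azure datacenters is allowed.

```python
import json

# Constructed sample shaped like `az cosmosdb show` output (not a real account).
SAMPLE = json.loads("""
{
  "name": "cosmos-agents",
  "publicNetworkAccess": "Enabled",
  "isVirtualNetworkFilterEnabled": true,
  "virtualNetworkRules": [{"id": "constructed-subnet-id"}],
  "ipRules": []
}
""")

AZURE_SERVICES_RULE = "0.0.0.0"  # IP rule behind the portal's Azure-services option


def check_account(acct):
    """Return findings; an empty list means the account matches the reply's settings."""
    findings = []

    # Condition 1 in the reply: public network access must be enabled.
    if str(acct.get("publicNetworkAccess", "")).lower() != "enabled":
        findings.append("publicNetworkAccess is not Enabled")

    # Condition 2: either no firewall rules at all, or the Azure-services rule.
    vnet_filtered = bool(acct.get("isVirtualNetworkFilterEnabled")) or bool(
        acct.get("virtualNetworkRules")
    )
    ip_rules = [r.get("ipAddressOrRange") for r in acct.get("ipRules") or []]
    restricted = vnet_filtered or bool(ip_rules)  # assumption: IP rules count too
    if restricted and AZURE_SERVICES_RULE not in ip_rules:
        findings.append("firewall rules present without the Azure-services rule (0.0.0.0)")

    return findings


if __name__ == "__main__":
    for finding in check_account(SAMPLE) or ["matches the settings from the reply"]:
        print(f"{SAMPLE['name']}: {finding}")
```

To check a real account, replace `SAMPLE` with the parsed output of `az cosmosdb show --name <account> --resource-group <rg>`.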
