cosmos_vnet_blocked error with BYO standard agent setup

hi peter_31415​  normanmueller​  You’re not alone — this is a known and common pitfall when deploying the Standard Agent with private networking.

cosmos_vnet_blocked: Access to Cosmos DB is blocked due to VNET configuration.

Please check your network settings and make sure CosmosDB is public network enabled,

if this is a public standard agent setup.

This error does not mean Cosmos DB is misconfigured in general. It means Azure AI Agents cannot reach the Cosmos DB account that backs the agent runtime.

Even in a “private network standard agent setup”, the agent service itself is still a Microsoft-managed service, and it has strict networking expectations.

How to fix ?(supported configuration)

Required Cosmos DB settings for Standard Agents

Your Cosmos DB account must have:

public_network_access_enabled = true

AND either:

• No VNET firewall rules
  OR
• “Allow access from Azure services” enabled

In Portal:

Cosmos DB → Networking

Public network access: Enabled

Allow Azure services and resources to access this account

Terraform example:

resource "azurerm_cosmosdb_account" "agents" {

  name                = "cosmos-agents"

  location            = azurerm_resource_group.rg.location

  resource_group_name = azurerm_resource_group.rg.name

  kind                = "GlobalDocumentDB"

  public_network_access_enabled = true

  is_virtual_network_filter_enabled = false

}

Status:

As of now:

• Private Cosmos DB for Standard Agents = not supported
• Docs mention “private networking” but do not clearly call out this limitation
• This limitation has been acknowledged internally, but no public ETA for support

All the best