Azure Synapse Link for Cosmos Db
Hi Azure Cosmos Db Team,
When accessing Cosmos Db with private endpoint from serverless sql pools in synapse workspace, I was getting the below error.
Resolving CosmosDB path has failed with error 'Access to the database account '*******' is forbidden.'. I followed the below steps.
1. Create new CosmosDb with Azure Synapse Link enabled.
2. Enable private endpoint for the Cosmos Db with required vnet configuration and test it by trying to access the items in the container.
3. Create a new Synapse Workspace, choosing Managed VNet.
4. After creation, verify that the Integration Runtime is in the Managed VNet.
5. Create two new private endpoints for Cosmos Db from Synapse: one for type Sql, and one for Analytical.
6. Approve both endpoints from the Cosmos Db networking tab.
7. From the Synapse workspace, access the container with the Synapse Link enabled.

After running a query in serverless SQL pools, I get the access forbidden issue.
Resolving CosmosDB path has failed with error 'Access to the database account '*******' is forbidden.'. I followed the below steps.
Can you please advise? I was following the below steps.
https://learn.microsoft.com/en-us/azure/cosmos-db/analytical-store-private-endpoints. Does an analytical target sub-resource private endpoint also need to be created for Cosmos Db, other than sql?
With Regards,
Nitin Rahim
9 Replies
- nitinrahim, Brass Contributor
Hi Team,
Was just following up to see if the team has any inputs regarding the same?
With Regards,
Nitin Rahim
- SaranyaSriram, Microsoft
The steps are documented here https://learn.microsoft.com/en-us/azure/cosmos-db/analytical-store-private-endpoints#using-synapse-serverless-sql-pools
We should add synapse workspace to networkaclbypasslist. SQL serverless in Synapse is not in a managed VNet. We can't extend PrivateEndpoints to SQL serverless. Customer should allow Synapse WorkSpace to access Cosmos DB account by specifying the WS name in networkaclbypass list.
- nitinrahim, Brass Contributor
Thanks Saranya for the response. I did that particular step as well. However, I still get the access forbidden message when running the below query from serverless sql pool to access the test1 container. Was checking if the private endpoint from cosmos db for 'analytical store' also has to be set up? If yes, is there a specific documentation pertaining to the same? Synapse Link has been enabled for this container.
SELECT *
FROM OPENROWSET(PROVIDER = 'CosmosDB',
                CONNECTION = 'Account=testaccount;Database=testdatabase',
                OBJECT = 'testcontainer',
                SERVER_CREDENTIAL = 'testcredential')
AS [testcontainer]
With Regards,
Nitin Rahim
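
One way to confirm that the bypass-list step from SaranyaSriram's reply actually took effect on the account, as an added example that is not part of the original thread. It assumes the account JSON comes from `az cosmosdb show -o json` and that the relevant properties are named `networkAclBypass`, `networkAclBypassResourceIds` and `enableAnalyticalStorage`; the sample JSON, subscription ID, resource group and workspace names are constructed placeholders.

```python
import json

# Constructed sample shaped like trimmed `az cosmosdb show -o json` output.
# Property names are an assumption about that output; all values are placeholders.
SAMPLE_ACCOUNT = json.loads("""
{
  "name": "testaccount",
  "enableAnalyticalStorage": true,
  "publicNetworkAccess": "Disabled",
  "networkAclBypass": "AzureServices",
  "networkAclBypassResourceIds": [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Synapse/workspaces/other-ws"
  ]
}
""")

# Placeholder resource ID of the workspace whose serverless SQL pool runs the query.
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                "rg-example/providers/Microsoft.Synapse/workspaces/example-ws")


def _norm(resource_id):
    # ARM resource IDs are case-insensitive; ignore case and trailing slashes.
    return resource_id.strip().rstrip("/").lower()


def check_synapse_bypass(account, workspace_id):
    """Return a list of findings; an empty list means the bypass looks configured."""
    findings = []
    if not account.get("enableAnalyticalStorage"):
        findings.append("analytical store (Synapse Link) is not enabled on the account")
    if account.get("networkAclBypass") != "AzureServices":
        findings.append("networkAclBypass is %r, expected 'AzureServices'"
                        % account.get("networkAclBypass"))
    allowed = {_norm(r) for r in account.get("networkAclBypassResourceIds") or []}
    if _norm(workspace_id) not in allowed:
        findings.append("workspace is not listed in networkAclBypassResourceIds")
    return findings


if __name__ == "__main__":
    # Prints each finding for the constructed sample, or "ok" when there are none.
    for finding in check_synapse_bypass(SAMPLE_ACCOUNT, WORKSPACE_ID) or ["ok"]:
        print(finding)
```

An empty result only shows that the bypass entry is present; the thread does not establish whether that alone resolves the forbidden error.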