Azure Synapse Link for Cosmos Db

Question

Hi Azure Cosmos Db Team,&nbsp;When accessing Cosmos Db with private endpoint from serverless sql pools in synapse workspace, I was getting the below error.Resolving CosmosDB path has failed with error 'Access to the database account '*******' is forbidden.'. I followed the below steps.&nbsp;Create new CosmosDb with Azure Synapse Link enabledEnable private endpoint for the Cosmos Db with required vnet configuration and test it by trying to access the items in the container.Create a new Synapse Workspace, choosing Managed VNetAfter creation, verify that the Integration Runtime is in the Managed VNet.Create two new private endpoints for Cosmos db from synapse. One for type Sql, and one for Analytical.Approve both end points from Cosmos Db networking tab.From synapse workspace access the container with the synapse link enabledAfter running a query in serverless sql pools , I get the access forbidden Issue.&nbsp;Resolving CosmosDB path has failed with error 'Access to the database account '*******' is forbidden.'. I followed the below steps.&nbsp;Can you please advise? I was following the below steps.&nbsp;https://learn.microsoft.com/en-us/azure/cosmos-db/analytical-store-private-endpoints. Is there analytical target sub-resource private endpoint also need to be created for Cosmos Db other than sql?&nbsp;With Regards,Nitin Rahim

saranyasriram · Answer

nitinrahim&nbsp;
&nbsp;
The steps are documented here&nbsp;https://learn.microsoft.com/en-us/azure/cosmos-db/analytical-store-private-endpoints#using-synapse-serverless-sql-pools
We should add synapse workspace to networkaclbypasslist. SQL serverless in Synapse is not in a managed VNet. We cant extend PrivateEndpoints to SQL serverless. Customer should allow Synapse WorkSpace to access Cosmos DB account by specifying the WS name in networkaclbypass list.&nbsp;

anithaa · Answer

Hi Nitin, I am a PM In Cosmos DB team, working on Synapse Link. Sorry for the inconvenience you are facing. Could you please share the network acl bypass command you've set? Are Cosmos DB account and Synapse WS in same AD tenant? You've mentioned test1container in the msg and the select command seems to be connecting to testcontainer - are they from the same account on which you've set the aclbypass?

nitinrahim · Answer

Hi Anitha,Thank you for your response.The names mentioned in the query are just a reference. Made sure correct parameters are being used in the select statement while development in the same account. Please find below the network acl bypass command i set from Azure Powershell.Mycosmosdatabase is the cosmosdatabsename,MyResourceGroupofcosmosdatabase is the resource group of the cosmos database and Myworkspacename is the synpase workspace name.Not actual names used but for documenting here.Also Anitha, the cosmos database and the Synapse workspace are in the same tenant.Update-AzCosmosDBAccount -Name Mycosmosdatabase -ResourceGroupName MyResourceGroupofcosmosdatabase -NetworkAclBypass AzureServices -NetworkAclBypassResourceId "/subscriptions/subId/resourceGroups/rgName/providers/Microsoft.Synapse/workspaces/Myworkspacename"With Regards,Nitin Rahim

nitinrahim · Answer

This Issue is resolved.It got resolved by fixing the network acl bypass command with the right parameters. Thank you all.

jillarmour · Answer

nitinrahim&nbsp;thanks for posting the fix! Glad you got it resolved.&nbsp;

Forum Discussion

Azure Synapse Link for Cosmos Db

9 Replies

Resources