Can't access Cosmos Db that has firewall restrictions from Azure Synapse

I am attempting to set up Synapse to access a Cosmos DB that has firewall rules set to only allow whitelisted IPs.

After a bit of research, I came across this article:

Securing Azure Synapse Workspaces? Beware of One Inescapable Networking Blocker | by Moussa Taifi Ph...

According to that post, the only option is to whitelist the entire range of IPs that might be used by the pool. Can someone let me know if this is indeed the case? I started looking at private endpoints as that seems like a perfect solution, but I can't get it to work. I tried the following multiple times:

  1. Create new CosmosDb with Azure Synapse Link enabled
  2. Restrict to Selected networks
  3. Create a new DB and Container
  4. Verify that I can’t add a new item
  5. Add my IP
  6. Add new item
  7. Create a new Synapse Workspace, choosing Managed VNet
  8. After creation, verify that the Integration Runtime is in the Managed VNet.
  9. Create two new private endpoints for my Cosmos DB. One for type Sql, and one for Analytical (I’m not sure which I need yet)
  10. Go to the Private Link center and approve both endpoints
  11. Data > Connect to External Data
  12. Ensure that my runtime is in the Managed VNet
  13. Select my DB

I waited 10 min, but the managed endpoint list is stuck at “Refreshing.” I continued to save anyway, but when I try to make a SQL call (after creating the credential), I get:

Resolving CosmosDB path has failed with error 'Access to the database account '*******' is forbidden.'.

The endpoints are permanently "Refreshing" in both the properties of the connection and also in Manage Private Endpoints. The endpoint links are "Approved" and show as such in Cosmos DB.

Can anyone let me know:

  1. Are private endpoints a method that I can use to connect my Synapse Workspace to my locked-down Cosmos DB?
  2. If so, what might I be doing wrong?

Thanks!
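One way to cross-check the two sides of this setup is to compare what the Cosmos DB account reports about its private endpoint connections with what the Synapse workspace reports about its managed private endpoints; a mismatch between the two is exactly the "Approved on Cosmos DB but still Refreshing in Synapse" symptom described above. This is an added example, not code from the original post or from Microsoft; the JSON records are constructed, and their field names are assumptions modelled on the output shapes of `az cosmosdb show` and `az synapse managed-private-endpoints list`, so compare them against your own output before relying on them.

```python
import json

# Constructed sample records (field names are assumptions modelled on the az CLI output).
COSMOS_ACCOUNT = json.loads("""{
  "name": "example-cosmos",
  "publicNetworkAccess": "Enabled",
  "isVirtualNetworkFilterEnabled": true,
  "ipRules": [{"ipAddressOrRange": "203.0.113.10"}],
  "privateEndpointConnections": [
    {"groupId": "Sql", "privateLinkServiceConnectionState": {"status": "Approved"}},
    {"groupId": "Analytical", "privateLinkServiceConnectionState": {"status": "Approved"}}
  ]
}""")

SYNAPSE_MPES = json.loads("""[
  {"name": "cosmos-sql", "properties": {"groupId": "Sql",
     "provisioningState": "Succeeded", "connectionState": {"status": "Approved"}}},
  {"name": "cosmos-analytical", "properties": {"groupId": "Analytical",
     "provisioningState": "Provisioning", "connectionState": {"status": "Pending"}}}
]""")


def cosmos_approved(account):
    """Sub-resources (groupIds) that the Cosmos DB account reports as Approved."""
    return {c["groupId"] for c in account.get("privateEndpointConnections", [])
            if c.get("privateLinkServiceConnectionState", {}).get("status") == "Approved"}


def synapse_ready(mpes):
    """Sub-resources that the Synapse side reports as provisioned and approved."""
    return {m["properties"]["groupId"] for m in mpes
            if m["properties"].get("provisioningState") == "Succeeded"
            and m["properties"].get("connectionState", {}).get("status") == "Approved"}


def diagnose(account, mpes, needed=("Sql",)):
    """Return findings that would explain a forbidden/refused query from Synapse."""
    findings, approved, ready = [], cosmos_approved(account), synapse_ready(mpes)
    for group in needed:
        if group not in approved:
            findings.append(f"{group}: no Approved private endpoint connection on the Cosmos DB account")
        elif group not in ready:
            findings.append(f"{group}: Approved on Cosmos DB but the Synapse managed endpoint is not Succeeded/Approved")
    if account.get("isVirtualNetworkFilterEnabled") and not account.get("ipRules") and not approved:
        findings.append("firewall enabled with no IP rules and no private endpoints: every caller is refused")
    if account.get("publicNetworkAccess") == "Enabled" and approved:
        findings.append("publicNetworkAccess is still Enabled; disable it once the private path works")
    return findings
```

Pass `needed=("Sql", "Analytical")` when the workspace also reads the analytical store through Synapse Link; with the constructed sample this flags the Analytical endpoint as the one still stuck on the Synapse side.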

1 Reply
Hello! Could you let me know if you are following this article to create the managed private endpoint? https://docs.microsoft.com/en-us/azure/synapse-analytics/security/how-to-create-managed-private-endp... Thanks!