Kalpa-7768 asked Kalpa-7768 commented

Regarding Azure CosmosDB Request Flow, Multiple IP Addresses are seen

Hi all,
Whenever I log in to Cosmos DB and list items from the Azure Portal,
it logs the requests as:
1) one with the client IP from where the Azure Portal was launched. -- CLIENT IP
2) two requests from the Azure Portal IP for the same IP. -- AZURE PORTAL IP
3) two requests from AzureCloud IPs. -- AZURE CLOUD IP
4) and queries it logs without IPs. -- QUERY LOGGED WITHOUT IP
5) Any idea how to correlate these? As they may be from different clients, I need to do it without setting correlation-id headers.

thanks,
Kalpa

azure-cosmos-db

Hi @Kalpa-7768, welcome to Microsoft Q&A forum.

Could you please provide the details below so I can look into it further:

  1. Are you running any queries to list items? Please provide them if possible.

  2. What is the destination of the logs, e.g. Log Analytics, a Storage account, etc.?





Hi AnuragSharma,
Thanks a lot for the response and for offering to help.
1. Suppose I go to Cosmos DB from the Azure Portal: a) Azure Portal login
-> b) All Resources -> c) Cosmos DB account -> d) go to the DB account
-> e) Data Explorer -> f) container -> g) db, h) and i) list items.
Then I try to get the logs; I use an HTTP client as:
"https://management.azure.com/subscriptions/"+subscriptionId+"/resourceGroups/"
+resourceGroup+"/providers"+"/Microsoft.OperationalInsights/workspaces/"+cosmoDbWkpcName+"-cosmos-workspace"+"/api/query"
with a time filter in the params.

Continued in the next msg.


Entries look like:
clientIpAddress_s:20.62.142.x
userAgent_s:Microsoft.Azure.Documents.Common/2.14.0
requestResourceId_s:/dbs
authTokenType_s:SystemReadOnly

clientIpAddress_s:20.62.142.x
userAgent_s:Microsoft.Azure.Documents.Common/2.14.0
requestResourceId_s:/dbs/xxxxxx/colls


Here the activity matches; 20.62.x.x seems to be an AzureCloud IP (US).

1. Question:
How do I know whether it is an Azure service public IP or a customer-owned Azure IP?
The user agent seems to say it is from Azure servers, but how do I know those are Azure server IPs?
There is one source that gives the Azure public IP ranges (public/government/China),
but that gives ranges of which customer-owned Azure IPs are also part.
Is there any way we can know the Azure servers' IP addresses, to filter out
these requests, and then the subsequent ones like

the final one is from my IP. I want to log entries other than
Azure IPs; in this case, only the last entry needs to be logged.
How do I know about it?
Sorry, I had to cut the message to fit the size. Again, thanks for the help.
thanks,
Kalpa


1 Answer

AnuragSharma-MSFT answered Kalpa-7768 commented

Hi @Kalpa-7768, thanks for your patience.

The clientIpAddress_s is the public IP address from which we access Azure Cosmos DB. If we access Cosmos DB from some local application, it logs the public IP of the server/local system. But if we connect to Cosmos DB from Azure Data Factory or another Azure resource, it will be the Azure public IP of that resource.

Below is the list of Azure IP ranges; it is a JSON file. You can filter the IPs by service, such as DataFactory, and check all the IPs related to it.

Azure IP Ranges and Service Tags – Public Cloud

As this is a long list of IPs, you might need to exclude all the Azure IPs from which this Cosmos account can be accessed, and whatever is left should be your IP.

Please let me know if this helps.


If answer helps, you can mark it 'Accept Answer'





Hi AnuragSharma,
1. Thanks for the answer; you are a bit closer. Absolutely, if I check the Azure IP list
https://www.microsoft.com/en-us/download/details.aspx?id=56519

the IP is listed there. However, the IP I have seen is not in Data Factory; it seems to be in "AzureCloud.eastus". The problem here is that if I have taken a public IP from Azure in eastus and used it, that also gets filtered.
I don't want it that way. I want to filter only the IP addresses Azure uses for its internal DB purposes, but that list also has IP addresses used by Azure customers.
Is there any way I can isolate the Azure IP addresses used by Azure itself, which cannot be assigned to its customers?

thanks in advance,

Kalpa


Thanks for replying back.

Data factory is just one example, the request can be originated from any ip depending on where we are relaying the request from. And same ip could be used by other azure users as well. If possible, could you please give some more details on exact requirements and I would try to check how can we achieve this?


Sure, thanks a lot.
For example, when I access from the portal: a) Cosmos DB account, then b) Data Explorer, c) db, d) container, e) list items.
If I query the diagnostic logs, it looks like the below.
1. The request from the Azure Portal IP. Params are:
a) requestResourceId_s:/offers
b) userAgent_s:Azure Portal
c) clientIpAddress_s:104.42.195.92
d) authTokenType_s:PrimaryReadonlyMasterKey
2. Next is requestResourceType_s:DatabaseFeed
a) requestResourceId_s:/dbs
b) userAgent_s:Microsoft.Azure.Documents.Common/2.14.0
c) clientIpAddress_s:20.62.142.166
d) authTokenType_s:SystemReadOnly
3. Collections listing on each of the dbs.
a) requestResourceId_s:/dbs/./colls
b) userAgent_s:Microsoft.Azure.Documents.Common/2.14.0
c) clientIpAddress_s:20.62.142.166
d) authTokenType_s:SystemReadOnly
4. Then listing items.
a) requestResourceId_s:/dbs/../colls/../docs
b) userAgent_s:Mozilla/5.0..
c) clientIpAddress_s:<MYIP>
d) authTokenType_s:PrimaryMasterKey
So, 20.62..., seen in entries 2 and 3 above, seems to be part of the AzureCloud.eastus IP range. So it seems that a) AzureCloud.eastus can hold the range of IP addresses used internally by Azure DB queries, as the requests above (20.x) show, and b) it can also be bought and used by Azure customers as static IPs. How can I filter only 20.x but not all IPs of the AzureCloud.eastus group, or is there any other way to filter the 20.x requests? For example, I can filter portal IPs using the portal group entries in the public list, but I am stuck here.
thanks,
Kalpa
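One way to do the filtering discussed in the answer and in the entries listed in this comment, as an added example that is not part of the original thread and not Microsoft code. It parses a constructed fragment in the shape of the Service Tags JSON linked in the answer, checks each clientIpAddress_s against the tags, and, because the AzureCloud.* ranges also cover customer-owned addresses, uses the authTokenType_s and userAgent_s fields visible in the entries above as the discriminator rather than the IP alone. The prefixes, the AzureCloud.westus tag, the placeholder db/collection names, the 203.0.113.10 client address, the customer-VM entry and the blank-IP entry are assumptions; whether Cosmos DB always labels its own metadata reads with SystemReadOnly and the Microsoft.Azure.Documents.Common user agent is a heuristic to check against your own logs, not something the thread establishes.

```python
"""Classify Cosmos DB diagnostic-log rows by origin: Service Tags JSON plus
the authTokenType_s / userAgent_s fields. Added example, not Microsoft code."""
import ipaddress
import json

# Constructed fragment in the shape of the "Azure IP Ranges and Service Tags"
# JSON (top-level "values", each tag with properties.addressPrefixes).
# The prefixes are assumptions chosen so that the two addresses quoted in the
# thread fall inside them; they are not the real file's contents.
SERVICE_TAGS_JSON = """
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "AzureCloud.eastus", "id": "AzureCloud.eastus",
     "properties": {"region": "eastus", "systemService": "",
                    "addressPrefixes": ["20.62.128.0/19"]}},
    {"name": "AzureCloud.westus", "id": "AzureCloud.westus",
     "properties": {"region": "westus", "systemService": "",
                    "addressPrefixes": ["104.42.0.0/16"]}},
    {"name": "AzurePortal", "id": "AzurePortal",
     "properties": {"region": "", "systemService": "AzurePortal",
                    "addressPrefixes": ["104.42.195.92/32"]}}
  ]
}
"""

# Constructed log rows: the four quoted in the thread (placeholder db/collection
# names, 203.0.113.10 standing in for <MYIP>), plus two the thread only mentions:
# a customer-owned VM in eastus using the SDK, and a row logged with no IP.
LOG_ENTRIES = [
    {"requestResourceId_s": "/offers", "userAgent_s": "Azure Portal",
     "clientIpAddress_s": "104.42.195.92", "authTokenType_s": "PrimaryReadonlyMasterKey"},
    {"requestResourceId_s": "/dbs", "userAgent_s": "Microsoft.Azure.Documents.Common/2.14.0",
     "clientIpAddress_s": "20.62.142.166", "authTokenType_s": "SystemReadOnly"},
    {"requestResourceId_s": "/dbs/db1/colls", "userAgent_s": "Microsoft.Azure.Documents.Common/2.14.0",
     "clientIpAddress_s": "20.62.142.166", "authTokenType_s": "SystemReadOnly"},
    {"requestResourceId_s": "/dbs/db1/colls/c1/docs", "userAgent_s": "Mozilla/5.0",
     "clientIpAddress_s": "203.0.113.10", "authTokenType_s": "PrimaryMasterKey"},
    {"requestResourceId_s": "/dbs/db1/colls/c1/docs", "userAgent_s": "Microsoft.Azure.Cosmos/3.26.0",
     "clientIpAddress_s": "20.62.150.5", "authTokenType_s": "PrimaryMasterKey"},
    {"requestResourceId_s": "/dbs/db1/colls/c1/docs", "userAgent_s": "Mozilla/5.0",
     "clientIpAddress_s": "", "authTokenType_s": "PrimaryMasterKey"},
]


def load_service_tags(json_text):
    """Return {tag name: [ip_network, ...]} from a Service Tags JSON document."""
    doc = json.loads(json_text)
    return {
        tag["name"]: [ipaddress.ip_network(p) for p in tag["properties"]["addressPrefixes"]]
        for tag in doc["values"]
    }


def tags_for_ip(ip_text, tags):
    """All tags whose prefixes contain ip_text; [] for a blank or unparsable field."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return []
    return sorted(name for name, nets in tags.items() if any(ip in net for net in nets))


def classify(entry, tags):
    """Label one row. The IP is only used after the token/user-agent checks,
    because AzureCloud.* also contains customer-owned addresses (assumption:
    the service's own reads carry SystemReadOnly + Documents.Common, as in the thread)."""
    ip = entry.get("clientIpAddress_s", "")
    if not ip.strip():
        return "no-ip"                      # the thread's "queries logged without IPs"
    token = entry.get("authTokenType_s", "")
    ua = entry.get("userAgent_s", "")
    matched = tags_for_ip(ip, tags)
    if token == "SystemReadOnly" and ua.startswith("Microsoft.Azure.Documents.Common"):
        return "cosmos-internal"            # service-side metadata read (/dbs, /colls)
    if "AzurePortal" in matched and ua == "Azure Portal":
        return "portal"
    if matched:
        return "azure-hosted-client"        # in an Azure range but using a customer key: keep it
    return "external"


def entries_to_keep(entries, tags):
    """Rows a customer-side audit should retain: everything not made by the service or the portal."""
    keep = {"external", "azure-hosted-client", "no-ip"}
    return [e for e in entries if classify(e, tags) in keep]


def classify_all(entries=LOG_ENTRIES, json_text=SERVICE_TAGS_JSON):
    """Labels for every row, in order, using the embedded sample data by default."""
    tags = load_service_tags(json_text)
    return [classify(e, tags) for e in entries]


if __name__ == "__main__":
    tags = load_service_tags(SERVICE_TAGS_JSON)
    for e in LOG_ENTRIES:
        ip = e["clientIpAddress_s"] or "(none)"
        print(f"{classify(e, tags):20} {ip:16} {e['authTokenType_s']:26} "
              f"{','.join(tags_for_ip(e['clientIpAddress_s'], tags)) or '-'}")
```

The point of running it on the row for 20.62.150.5 is the one the comment above raises: an IP-only filter on AzureCloud.eastus would drop that row together with the service's own reads, while the token type keeps it. To use this against real data, replace SERVICE_TAGS_JSON with the downloaded ServiceTags_Public file and LOG_ENTRIES with rows returned by the workspace query, and verify the SystemReadOnly/Documents.Common assumption on a sample of your own log before trusting it.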
