
How to configure VNET to protect cosmos DB but allow access from public Azure App Service Web App using bicep

My bicep script creates a cosmos db and azure app service web app that accesses the cosmos db.

The web app must be available to the public internet but the cosmos db should only be available to the specified IPs of a few developers and the web app.

Can someone point me to a tutorial on how to enhance my bicep script to protect my cosmos db with a VNET?



2022 Apr 26 Update:

I think I found the solution here: stack overflow and I tried (and failed) to implement it here: deploy.bicep

Line 313 looked like this:

      virtualNetworkSubnetId: '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().id}/providers/Microsoft.Network/virtualNetworks/${}/subnets/${[0].name}'

I got this error:

ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see for usage details.","details":[{"code":"BadRequest","message":"{
\"Code\": \"BadRequest\",
\"Message\": \"The parameter SubnetResourceUri has an invalid value.\",
\"Target\": null,
\"Details\": [
\"Message\": \"The parameter SubnetResourceUri has an invalid value.\"
\"Code\": \"BadRequest\"
\"ErrorEntity\": {
\"ExtendedCode\": \"51008\",
\"MessageTemplate\": \"The parameter {0} has an invalid value.\",
\"Parameters\": [
\"Code\": \"BadRequest\",
\"Message\": \"The parameter SubnetResourceUri has an invalid value.\"
\"Innererror\": null

I have since changed the last part to .../subnets/${subnetname} (as in the link) but that did not help (similar error message).

2022 May 5 Thu Update:

I have created an azure support incident to further pursue this problem.


Hi @SiegfriedHeintze-9929, welcome to Microsoft Q&A forum.

It seems you want to use bicep template to create Azure Cosmos DB with Virtual Network enabled through private end points.

PFA the required script:

Please let us know if the requirement is different and we can work to enhance the template accordingly.


main.txt (2.1 KiB)

Thanks... I ran your script and now I see some new fancy end point icons and I don't know what to do with them...

I see a private end point and a regular network interface...

After looking at how-to-configure-private-endpoints I'm guessing I need powershell or azure cli to translate them... Can this translation be part of an automated deployment with Github? Maybe with bicep instead of powershell?

Perhaps there is another bicep step to translate them and then store the end point in an appConfig or KeyVault so my C# code can fetch them and use the CosmosClient to connect? Is there an example of this somewhere?


Please see my deploy.bicep that I have enhanced... Previously (without VNETs) I could deploy to azure and write to the cosmos database successfully with RBAC protection... Now I cannot... Please help me understand what I need to modify so my azure resident web app can write to the cosmos database again. Perhaps I need to include the webapp in the VNET?

Here is the error message I get:

Response status code does not indicate success: Forbidden (403); Substatus: 0; ActivityId: 36b85649-d9e4-493f-9755-8aef38a9db47; Reason: (Request originated from IP through public internet. This is blocked by your Cosmos DB account firewall settings. More info: ActivityId: 36b85649-d9e4-493f-9755-8aef38a9db47, Microsoft.Azure.Documents.Common/2.14.0, Linux/10 cosmos-netstandard-sdk/3.24.1);

After we get this VNET working, will it be possible to run my webapp locally on my development laptop and still access the cosmos db?

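The 403 "Request originated from IP through public internet" above is what the Cosmos DB firewall returns when the web app's traffic does not arrive from an allowed subnet or IP. The following added bicep (not the asker's deploy.bicep or the attached main.txt) shows the arrangement the original question asked for, using a service endpoint rather than a private endpoint: the web app stays public, is integrated into a delegated subnet, and Cosmos DB admits only that subnet plus the developers' IPs. Resource names, API versions and the developer IP `203.0.113.10` are assumptions/constructed samples.

```bicep
// Added example; names are assumed and the developer IP is a constructed sample.
param location string = resourceGroup().location
param cosmosAccountName string = 'cosmos-${uniqueString(resourceGroup().id)}'
param webAppName string = 'web-${uniqueString(resourceGroup().id)}'
param developerIps array = [ '203.0.113.10' ]
// Subnet for App Service VNet integration. The service endpoint lets Cosmos DB
// identify traffic from this subnet; the delegation is required by App Service.
resource vnet 'Microsoft.Network/virtualNetworks@2021-05-01' = {
  name: 'vnet-cosmos-demo'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [ {
      name: 'snet-webapp'
      properties: {
        addressPrefix: '10.0.1.0/24'
        serviceEndpoints: [ { service: 'Microsoft.AzureCosmosDB' } ]
        delegations: [ { name: 'appsvc', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
      }
    } ]
  }
}
// Cosmos DB firewall: only the web app subnet and the listed developer IPs may connect.
resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2021-10-15' = {
  name: cosmosAccountName
  location: location
  kind: 'GlobalDocumentDB'
  properties: {
    databaseAccountOfferType: 'Standard'
    locations: [ { locationName: location, failoverPriority: 0 } ]
    isVirtualNetworkFilterEnabled: true
    virtualNetworkRules: [ { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-webapp') } ]
    ipRules: [for ip in developerIps: { ipAddressOrRange: ip }]
  }
}
resource plan 'Microsoft.Web/serverfarms@2021-03-01' = {
  name: 'plan-${webAppName}'
  location: location
  sku: { name: 'S1' } // VNet integration needs a Standard tier or higher plan
}
// The web app stays reachable from the internet; its outbound calls to Cosmos DB
// leave through the integrated subnet, so the firewall sees the subnet, not a public IP.
resource web 'Microsoft.Web/sites@2021-03-01' = {
  name: webAppName
  location: location
  properties: {
    serverFarmId: plan.id
    virtualNetworkSubnetId: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-webapp')
    siteConfig: { vnetRouteAllEnabled: true }
  }
}
```

The `ipRules` entries are also what let the same code run from a developer laptop against the account, as long as that laptop's public IP is in the list.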

0 Answers