DivyaKonasani-7782 asked:

High Availability for Azure Private Endpoints when using services like ACR and Cosmos DB with replication

Hi,

I am looking for guidance on how the private endpoint will behave when we enable geo-replication on services like ACR and Cosmos DB.

For example:

We create a Cosmos DB account in centralus and enable replication in eastus2. And we create a private endpoint in centralus. The Cosmos DB account will have the following FQDNs on the private endpoint:

<accountname>.privatelink.documents.azure.com ---- 10.32.. (ip in centralus subnet)
<accountname>-centralus.privatelink.documents.azure.com ---- 10.32.. (ip in centralus subnet)
<accountname>-eastus.privatelink.documents.azure.com ---- 10.32.. (ip in centralus subnet)

Now let's say the application wants to use preferred locations and the application wants to use the eastus endpoint.

  • Will the application request still traverse the centralus region even though the preferred location is eastus, since the IP address is from the central subnet?

  • What will happen when the whole centralus region is down? Will the application still be able to reach the eastus endpoint, as we have the private IP for that endpoint in centralus as well?

Any guidance on this will be awesome.

And is this similar behavior for Azure Container Registry replication?



Tags: azure-cosmos-db, azure-private-link, azure-container-registry
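The mapping described in the question can be audited per deployment by checking which region's subnet holds the IP behind each private-link record. This is an added example, not part of the original post; the account name, IP addresses and subnet ranges are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

ZONE = "privatelink.documents.azure.com"

# Constructed sample data: account name, addresses and subnet ranges are
# placeholders, not values from the original post.
ACCOUNT = "contoso-db"
REGION_SUBNETS = {"centralus": ["10.32.0.0/24"], "eastus": ["10.48.0.0/24"]}
RECORDS = {
    f"{ACCOUNT}.{ZONE}": "10.32.0.4",
    f"{ACCOUNT}-centralus.{ZONE}": "10.32.0.5",
    f"{ACCOUNT}-eastus.{ZONE}": "10.32.0.6",
}


def name_region(fqdn, account):
    """Region encoded in the record name, or None for the global record."""
    if not fqdn.endswith("." + ZONE):
        raise ValueError(f"{fqdn} is not in zone {ZONE}")
    host = fqdn[: -len(ZONE) - 1]
    if host == account:
        return None
    # Account names may contain hyphens, so strip the known account prefix
    # instead of splitting on the last "-".
    prefix = account + "-"
    if not host.startswith(prefix):
        raise ValueError(f"{fqdn} does not belong to account {account}")
    return host[len(prefix):]


def subnet_region(ip, region_subnets):
    """Region whose subnet contains ip, or None if no listed subnet matches."""
    addr = ipaddress.ip_address(ip)
    for region, cidrs in region_subnets.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return region
    return None


def endpoint_map(records, account, region_subnets):
    """fqdn -> (region in the name, region of the subnet holding its IP)."""
    return {fqdn: (name_region(fqdn, account), subnet_region(ip, region_subnets))
            for fqdn, ip in records.items()}


def cross_region_records(records, account, region_subnets):
    """Regional records whose IP sits in a different region's subnet."""
    mapping = endpoint_map(records, account, region_subnets)
    return sorted(fqdn for fqdn, (named, hosted) in mapping.items()
                  if named is not None and named != hosted)
```

The result only describes where the private endpoint IPs are allocated; it does not show which path the service traffic takes.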

OuryBa-MSFT answered:

@DivyaKonasani-7782 Thank you for posting your query on Microsoft Q&A and for using Azure services.

My understanding is that you are looking to know, according to the above scenario, if your application will still traverse the central us region even though the preferred location is east us, and what happens if the whole central region is down with the private endpoint enabled on central us. Please let me know if my understanding is not correct.

The answer to your question is that private endpoints are transparent to the application. If you select east us as your preferred location, then the request will go to the east us location. If the region goes down, failover will happen as expected. See: Achieve high availability with Cosmos DB.

Coming to Azure Container Registry, I saw the tag was added below the question. I will check with the team if that is the similar behavior.

Regards,
Oury


DivyaKonasani-7782 answered:

Hi @OuryBa-MSFT

Thanks for responding to this question.

Your understanding is mostly correct.

I understand that failover endpoint is transparent to the application and if we use the cosmos primary fqdn it takes care of the failover. But my disconnect is with the private endpoint. Let’s say our private endpoint is in central us that means it gets an ip in central us. Now if we set preferred locations even to east us, that fqdn still has an ip address from central region as the private endpoint is in central. So my understanding is the request will still travel to central. Is that not true?


@DivyaKonasani-7782 Thank you for getting back. Sorry let me rectify my answer above. I meant to say that if you put east us in preferred locations, then requests will go to east us.

Now if we set preferred locations even to east us, that fqdn still has an ip address from central region as the private endpoint is in central. So, my understanding is the request will still travel to central. Is that not true?
Request will still go to preferred locations and will not traverse to central even though fqdn has an ip address from central region as the private endpoint is in central. The IP address is local to the private network, but the request will go to the east us location as expected.

Please let me know if you need more clarification. Will be more than happy to help.

Regards,
Oury


Thank you @OuryBa-MSFT for explaining this. But I think I need some more clarity regarding the following

Let’s say the whole central us region is down in the above scenario, then the nic associated with the private endpoint would also be down, right? If yes, then cosmosdb is not routable to east us as well because the east gets an ip from central us nic. Is my understanding correct?

In your above answer you said the ip address is local to private network but the request will go to east us. Can you please explain this a little more? Because I understand setting preferred locations will take me to east us, but the east us endpoint has an IP address from centralus and when we do nslookup we get that ip address, so request must be traversing central us. Is that not right?

OuryBa-MSFT replied to DivyaKonasani-7782:

@DivyaKonasani-7782 Appreciate if you could raise a support ticket so our CSS team can take a look and diagnose with the proper tools. Please let me know if you don't have a support plan. I can enable a one-time free support ticket for you.

Regards,
Oury
