floaty39

Reputation: 67

Trying to access CosmosDB with private endpoint causes 'request originated from VNET through service endpoint' error?

I have a Node.js app which interacts with Cosmos DB and which is deployed to a private AKS cluster. I was able to connect to Cosmos DB through a service endpoint in the cluster VNET/subnet for Cosmos DB by enabling 'selected networks' in Cosmos DB.

I am now trying to close it to private access only via private endpoints.

I disabled public access, so there are no 'selected networks' any more.

I created a private endpoint and private link to Cosmos DB and integrated it with a Private DNS Zone that is in the same resource group as the Cluster VNET and uses one of the VNET subnets.

When I do an nslookup in the cluster from a test pod, I can see that the cosmosname.documents.azure.com URI has canonical name = cosmosname.privatelink.documents.azure.com. The address, however, is a different IP address than the ones in the DNS zone records.

When I try to run the app, I get the error:

Request originated from VNET through service endpoint. This is blocked by your Cosmos DB account firewall settings.

What can I do to fix this?

Upvotes: 1

Views: 1644

Answers (1)

floaty39

Reputation: 67

I solved this problem: there was a separate DNS Zone subscription in which the records needed to be created. There was a policy preventing the DNS Zones in the cluster subscription from being used.

Upvotes: 1
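The nslookup check the question describes, turned into a small script, as an added example that is not part of the question or the answer. It classifies resolver output for a Cosmos DB hostname into three cases: the privatelink CNAME resolving to a private (RFC 1918) address, the CNAME present but resolving to a public address (the symptom in the question, where the private DNS zone records are not the ones the pod sees), and no privatelink CNAME at all. The function names, the nslookup output layout and the sample addresses (10.240.1.5 and the TEST-NET-3 address 203.0.113.10) are assumptions constructed for the example; the zone records in a real deployment come from the private endpoint's NIC.

```shell
#!/bin/sh
# Added example: classify how a Cosmos DB hostname resolved from inside the
# cluster. When the Private DNS zone the pod uses does not carry the private
# endpoint record, the name still carries the privatelink CNAME but resolves
# to the public address, so traffic leaves through the subnet's service
# endpoint instead of the private endpoint.

# Return 0 when the IPv4 address is in an RFC 1918 private range.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Take nslookup-style output as the single argument and print one of:
#   private          privatelink CNAME and a private IP (expected state)
#   public-fallback  privatelink CNAME present but the address is public
#   no-privatelink   no privatelink CNAME at all (private endpoint DNS missing)
classify_resolution() {
  cname=$(printf '%s\n' "$1" | awk '/canonical name/ { sub(/\.$/, "", $NF); print $NF; exit }')
  # The last "Address:" line is the answer; the first one is the resolver itself (with #53).
  addr=$(printf '%s\n' "$1" | awk '/^Address:/ { a = $2 } END { sub(/#.*/, "", a); print a }')
  case "$cname" in
    *.privatelink.documents.azure.com) ;;
    *) echo "no-privatelink"; return 1 ;;
  esac
  if is_private_ipv4 "$addr"; then
    echo "private"
    return 0
  fi
  echo "public-fallback"
  return 2
}

# Constructed sample resolver outputs (not captured from a real account).
SAMPLE_PRIVATE='Server:  10.0.0.10
Address: 10.0.0.10#53

Non-authoritative answer:
cosmosname.documents.azure.com  canonical name = cosmosname.privatelink.documents.azure.com.
Name:    cosmosname.privatelink.documents.azure.com
Address: 10.240.1.5'

SAMPLE_PUBLIC='Server:  10.0.0.10
Address: 10.0.0.10#53

Non-authoritative answer:
cosmosname.documents.azure.com  canonical name = cosmosname.privatelink.documents.azure.com.
Name:    cosmosname.privatelink.documents.azure.com
Address: 203.0.113.10'

SAMPLE_NO_CNAME='Server:  10.0.0.10
Address: 10.0.0.10#53

Non-authoritative answer:
Name:    cosmosname.documents.azure.com
Address: 203.0.113.10'

# Usage from a test pod: sh check.sh cosmosname.documents.azure.com
if [ $# -gt 0 ]; then
  classify_resolution "$(nslookup "$1" 2>/dev/null)"
fi
```

A result of public-fallback from inside the cluster is the condition to fix before touching the account firewall again: the account is doing what it was told (public access disabled), and the missing piece is the DNS zone the pod's resolver actually consults, as the answer above found.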
