How to change networking to connect IoTHub to CosmosDB in private subnet
Hey community!
The question:
How do I connect my Azure IoTHub to my CosmosDB in a private subnet? How can I change the CosmosDB networking/firewall settings to accept traffic coming from a (public) IoTHub service endpoint?
Brief description:
- I have an IoTHub in which I host IoT devices for which the networking settings are set to allow connections from selected networks. For this I want a custom endpoint for routing to a CosmosDB container using a system-managed identity.
- I also have an Azure CosmosDB account for which I want to limit the access so that the IoTHub can write messages to a container. The networking settings are set to selected networks, to only allow access from a VNET.
- The IoTHub has the CosmosDB Data Contributor role assigned for this account.
- Lastly, I have a VNET in which I have a private subnet, to which 2 Private Endpoints are connected (1 IoTHub, 1 CosmosDB). Additionally, Service Endpoints for CosmosDB, EventHub and ServiceBus are enabled.
When I try to connect the IoTHub custom endpoint routing I get the following error:
Cosmos DB authentication failed. Check whether primary Key or secondary Key is correct. ContainerName: [container_name], DatabaseName: [database-name], endpointName: [routing_endpoint_name], exceptionMessage: Response status code does not indicate success: Forbidden (403); Substatus: 0; ActivityId: [redacted]; Reason: (Request originated from VNET through service endpoint. This is blocked by your Cosmos DB account firewall settings. More info: https://aka.ms/cosmosdb-tsg-forbidden
Now I understand that the traffic is going through the service endpoint, but what I don't know is how to change the CosmosDB networking/firewall settings to accept messages from the IoTHub.
This connection works if the networking settings of the CosmosDB are set to public or selected networks with a whitelist for 0.0.0.0.
I know that some of the configurations mentioned are quite obvious, just wanted to paint a complete picture.
Hopefully you can help me out! Thanks!
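Added example, not from the post or from Azure: a small audit of the Cosmos DB network settings the post compares (VNET-only versus a 0.0.0.0 allowlist), fed with constructed account records shaped like `az cosmosdb show` output. The field names (publicNetworkAccess, isVirtualNetworkFilterEnabled, ipRules, virtualNetworkRules) are assumed from the Azure CLI, and the subnet id is a placeholder.

```python
import json

# Constructed samples shaped like `az cosmosdb show` output, trimmed to the
# network fields. Field names are assumed from the Azure CLI; the subnet id
# is a placeholder, not a real resource.
OPEN_TO_AZURE = json.loads("""
{"name": "cosmos-open", "publicNetworkAccess": "Enabled",
 "isVirtualNetworkFilterEnabled": false,
 "ipRules": [{"ipAddressOrRange": "0.0.0.0"}], "virtualNetworkRules": []}
""")
VNET_ONLY = json.loads("""
{"name": "cosmos-vnet", "publicNetworkAccess": "Enabled",
 "isVirtualNetworkFilterEnabled": true, "ipRules": [],
 "virtualNetworkRules": [{"id": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/private-subnet",
                          "ignoreMissingVNetServiceEndpoint": false}]}
""")


def audit_cosmos_network(account: dict) -> list[str]:
    """Describe how reachable the account's data plane is from its firewall settings."""
    findings = []
    ip_rules = [r.get("ipAddressOrRange", "") for r in account.get("ipRules", [])]
    vnet_rules = account.get("virtualNetworkRules", [])
    vnet_filter = bool(account.get("isVirtualNetworkFilterEnabled"))
    if account.get("publicNetworkAccess", "Enabled") != "Enabled":
        # Public endpoint switched off: only private endpoints can reach the account.
        findings.append("public access disabled: private endpoints only")
        return findings
    if not ip_rules and not vnet_filter:
        findings.append("no firewall: reachable from any public address")
    if "0.0.0.0" in ip_rules:
        # 0.0.0.0 is the Cosmos DB shorthand for "any Azure datacenter address",
        # far broader than one service's endpoint.
        findings.append("ipRules allows 0.0.0.0: any Azure public datacenter address")
    for cidr in ip_rules:
        if cidr != "0.0.0.0":
            findings.append(f"ipRules allows {cidr}")
    for rule in vnet_rules:
        # Only traffic arriving through a service endpoint in these subnets is accepted.
        subnet = rule.get("id", "").rsplit("/", 1)[-1]
        findings.append(f"VNet rule allows subnet {subnet} via service endpoint")
    return findings


if __name__ == "__main__":
    for acct in (OPEN_TO_AZURE, VNET_ONLY):
        print(acct["name"], "->", audit_cosmos_network(acct))
```

Pipe real `az cosmosdb show` JSON into `audit_cosmos_network` to see at a glance whether an account is open to all of Azure or restricted to listed subnets.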