Azure IoT Hub
An Azure service that enables bidirectional communication between internet of things (IoT) devices and applications.
1,203 questions
How to change networking to connect IoTHub to CosmosDB in private subnet
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 20%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EQ%3C/text%3E%3C/svg%3E)
Quincy
5
Reputation points
Hey community!
The question:
How do I connect my Azure IoTHub to my CosmosDB in private subnet? How I can change the CosmosDB networking/firewall settings to accept traffic coming from a (public) IoTHub service endpoint?
Brief description:
- I have an IoTHub in which I host IoT devices for which the networking settings are set to allow connections from selected networks. For this I want a custom endpoint for routing to a CosmosDB container using a system-managed identity.
- I also have an Azure CosmosDB account for which I want to limit the access so that the IoTHub can write messages to a container. The networking settings are set to selected to only allows access from a VNET.
- The IoTHub has the CosmosDB Data Contributor role assigned for this account.
- Lastly, I have a VNET in which I have a private subnet, to which 2 Private Endpoints are connected (1 IoTHub, 1 CosmosDB). Additionally, Service Endpoints for CosmosDB, EventHub and ServiceBus are enabled.
When I try to connect the IoTHub custom endpoint routing I get the following error:
Cosmos DB authentication failed. Check whether primary Key or secondary Key is correct. ContainerName: [container_name], DatabaseName: [database-name], endpointName: [routing_endpoint_name], exceptionMessage: Response status code does not indicate success: Forbidden (403); Substatus: 0; ActivityId: [redacted]; Reason: (Request originated from VNET through service endpoint. This is blocked by your Cosmos DB account firewall settings. More info: https://aka.ms/cosmosdb-tsg-forbidden
Now I understand that the traffic is going through the service endpoint, but what I don't know is how to change the CosmosDB networking/firewall settings to accept messages from the IoTHub.
This connection works if the networking settings of the CosmosDB are set to public or selected networks with a whitelist for 0.0.0.0.
I know that some of the configurations mentioned are quite obvious, just wanted to paint a complete picture.
Hopefully you can help me out! Thanks!
Sign in to answer