Deployment of private endpoints for Azure Cosmos DB fails
Azure Private Link endpoints can be deployed inline for an Azure Cosmos DB account through an Azure Resource Manager template (ARM template). However, this deployment might fail if particular prerequisites aren't met.
Symptoms
When you try to deploy an ARM template, you receive an error message that states that the Microsoft.Network/virtualNetworks/write permission is required.
Cause
The Microsoft.Network/virtualNetworks/write permission is required to deploy a private endpoint inline for an Azure Cosmos DB account. This permission isn't shown in the list of required permissions to deploy a private endpoint on its own. For more information, see role-based access control permissions for private endpoints.
This issue occurs only if the private endpoint is deployed inline for the Azure Cosmos DB account.
Solution
Make sure that the deploying principal is granted the Microsoft.Network/virtualNetworks/write granular permission before you use an ARM template to deploy an Azure Cosmos DB account that has an inline private endpoint.
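A pre-deployment check for this permission, as an added example that is not part of the original article: it evaluates role definitions in the JSON shape that `az role definition list` returns and reports which ones effectively grant the action, accounting for wildcards and notActions. The sample roles are constructed, and the check assumes the roles are assigned at a scope that covers the virtual network; it does not evaluate scopes or deny assignments.

```python
import re

REQUIRED = "Microsoft.Network/virtualNetworks/write"

def _matches(pattern, action):
    # Azure RBAC action strings allow '*' wildcards and compare case-insensitively.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_grants(role, action=REQUIRED):
    # Within one role definition, notActions are subtracted from actions.
    for perm in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        excluded = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False

def roles_granting(roles, action=REQUIRED):
    # Role assignments are additive: one granting role is enough.
    return [r["roleName"] for r in roles if role_grants(r, action)]

# Constructed sample role definitions (not real built-in roles).
SAMPLE_ROLES = [
    {"roleName": "Constructed private endpoint deployer",
     "permissions": [{"actions": [
         "Microsoft.Network/privateEndpoints/write",
         "Microsoft.Network/virtualNetworks/subnets/join/action"],
         "notActions": []}]},
    {"roleName": "Constructed network admin",
     "permissions": [{"actions": ["Microsoft.Network/*"], "notActions": []}]},
    {"roleName": "Constructed vnet operator",
     "permissions": [{"actions": ["Microsoft.Network/virtualNetworks/*"],
                      "notActions": [REQUIRED]}]},
    {"roleName": "Constructed reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
]

if __name__ == "__main__":
    granting = roles_granting(SAMPLE_ROLES)
    if granting:
        print("Inline private endpoint deployment allowed via:", granting)
    else:
        print("Missing permission:", REQUIRED)
```

A role that can deploy a private endpoint on its own (the first sample) is reported as insufficient for the inline case, which is the failure this article describes.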