3
votes

I'm fairly new to Azure. I want to build a simple and low-cost MongoDB with Azure Cosmos DB. There I created a VNET with two subnets. Furthermore, I created a public IP address, which should be my endpoint to feed the DB. The first subnet should act as a firewall (I do not want to use the Azure Firewall, because it costs at least 720 € per month) with a specific NSG, and in the second, the Cosmos DB is connected via a service endpoint.

Here is an image of my architecture: [architecture diagram]

The Subnet on the left hand side contains firewall-like rules to improve security.

Here is my question: How can I connect / route from the public endpoint to the Cosmos DB via the subnets? For this, I do not want to use VNA / VMs, because with them comes a lot of additional work to secure them. And when the connection is established, do I have to change the connection string created by the Cosmos DB?

1
Thank you for the pointer, but I already read it. Maybe I overlooked something, but it is not explicitly stated there how I connect/route the Cosmos DB through a public IP endpoint and a subnet where the Cosmos DB has no service endpoint. Or is the architecture in the picture not possible without further components like VNA? – Lau

1 Answer

2
votes

You will need a mechanism for forwarding traffic from the public IP address to the Cosmos DB account. Azure Application Gateway supports that and costs less than €20.00 per month depending on traffic.

Application Gateway could be set up like this:

  • Add a public IP address for the front end.
  • Add the Cosmos DB account FQDN as the back end.
  • Create a routing rule to direct HTTPS traffic from the public IP to the Cosmos DB backend.

This modified version of your architecture would be:

[Image: Cosmos DB service endpoint with Application Gateway]
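The three steps in the answer, written out as a Bicep deployment. This is an added example, not code from the original post or from Microsoft; every resource name, the subnet name and the Cosmos DB account name are assumptions, and the listener certificate is passed in as a PFX. Beyond the three bullets it adds the two settings a working FQDN backend needs: a health probe, and host-name pickup so that SNI and the Host header carry the Cosmos DB FQDN rather than the gateway's own name.

```bicep
// Added example (not from the original post): Application Gateway v2 fronting a
// Cosmos DB account over HTTPS, following the answer's three steps.
// All names below are assumptions; the VNet and the NSG-protected subnet are the
// ones described in the question.
param location string = resourceGroup().location
param appGwName string = 'appgw-cosmos'              // assumed name
param vnetName string = 'vnet-cosmos'                // assumed: the questioner's VNet
param appGwSubnetName string = 'snet-gateway'        // assumed: the NSG-protected subnet
param publicIpName string = 'pip-appgw'              // assumed: the public endpoint
param cosmosAccountName string = 'my-cosmos-account' // placeholder account name

@secure()
param listenerCertPfxBase64 string  // PFX for the public listener, base64-encoded
@secure()
param listenerCertPassword string

// Cosmos DB's HTTPS endpoint; the gateway resolves this FQDN itself.
var cosmosFqdn = '${cosmosAccountName}.documents.azure.com'
var gwId = resourceId('Microsoft.Network/applicationGateways', appGwName)

resource pip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: publicIpName
  location: location
  sku: { name: 'Standard' }   // v2 gateways need a Standard, static public IP
  properties: { publicIPAllocationMethod: 'Static' }
}

resource appGw 'Microsoft.Network/applicationGateways@2023-04-01' = {
  name: appGwName
  location: location
  properties: {
    sku: { name: 'Standard_v2', tier: 'Standard_v2', capacity: 1 }
    // Step 1: the gateway sits in the NSG-protected subnet and exposes the
    // public IP as its only frontend.
    gatewayIPConfigurations: [
      {
        name: 'gwIpConfig'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, appGwSubnetName) }
        }
      }
    ]
    frontendIPConfigurations: [
      { name: 'publicFrontend', properties: { publicIPAddress: { id: pip.id } } }
    ]
    frontendPorts: [ { name: 'port443', properties: { port: 443 } } ]
    sslCertificates: [
      { name: 'listenerCert', properties: { data: listenerCertPfxBase64, password: listenerCertPassword } }
    ]
    // Step 2: the Cosmos DB account FQDN is the sole backend address.
    backendAddressPools: [
      { name: 'cosmosPool', properties: { backendAddresses: [ { fqdn: cosmosFqdn } ] } }
    ]
    // Probe and settings take the host name from the backend address so SNI and
    // the Host header carry the Cosmos FQDN; the multi-tenant endpoint rejects
    // requests that arrive under the gateway's own name. Unauthenticated probes
    // are answered with a 4xx, which still proves the endpoint is reachable.
    probes: [
      {
        name: 'cosmosProbe'
        properties: {
          protocol: 'Https'
          path: '/'
          interval: 30
          timeout: 30
          unhealthyThreshold: 3
          pickHostNameFromBackendHttpSettings: true
          match: { statusCodes: [ '200-499' ] }
        }
      }
    ]
    backendHttpSettingsCollection: [
      {
        name: 'cosmosHttps'
        properties: {
          port: 443
          protocol: 'Https'               // re-encrypt gateway -> Cosmos DB
          cookieBasedAffinity: 'Disabled'
          pickHostNameFromBackendAddress: true
          requestTimeout: 30
          probe: { id: '${gwId}/probes/cosmosProbe' }
        }
      }
    ]
    // Only an HTTPS listener exists, so plain HTTP is never accepted.
    httpListeners: [
      {
        name: 'httpsListener'
        properties: {
          frontendIPConfiguration: { id: '${gwId}/frontendIPConfigurations/publicFrontend' }
          frontendPort: { id: '${gwId}/frontendPorts/port443' }
          protocol: 'Https'
          sslCertificate: { id: '${gwId}/sslCertificates/listenerCert' }
        }
      }
    ]
    // Step 3: one basic rule sends everything on the HTTPS listener to Cosmos DB.
    requestRoutingRules: [
      {
        name: 'toCosmos'
        properties: {
          ruleType: 'Basic'
          priority: 100                    // required on v2 SKUs
          httpListener: { id: '${gwId}/httpListeners/httpsListener' }
          backendAddressPool: { id: '${gwId}/backendAddressPools/cosmosPool' }
          backendHttpSettings: { id: '${gwId}/backendHttpSettingsCollection/cosmosHttps' }
        }
      }
    ]
  }
}

output gatewayPublicIp string = pip.properties.ipAddress
```

Two things to check before relying on this. The NSG on the gateway's subnet must allow inbound TCP 65200-65535 from the GatewayManager service tag (v2 management traffic) and TCP 443 from the Internet to the frontend, or the deployment fails. And Application Gateway is a layer-7 HTTP(S) proxy: it carries Cosmos DB's HTTPS (REST) endpoint, but the MongoDB wire protocol that Cosmos DB for MongoDB speaks on port 10255 is not HTTP and cannot be proxied by it, so a MongoDB driver cannot be pointed at this gateway.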