azureazure-cosmosdbazure-private-link
Azure : Web App that connects to Cosmos DB using Private Endpoint returns 'The SSL connection could not be established, see inner exception.'
I have a Web App deployed in Azure that connects to Cosmos DB using Private Endpoint throws the following error
'The SSL connection could not be established, see inner exception.'
The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch
Cosmos DB
Private Endpoint
Private DNS Entry
Web App configuration
Stack Trace:
FBAuthDemoAPI.Controllers.FamilyController: at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)at System.Net.Http.HttpConnectionPool.ConnectAsync(
Solution
I don't know what went wrong. Everything started working after I recreated everything.
sub=poc-hubspoke
rgName=SpokeToSpoke
location=eastus
hubVNetName=vnet-hub-$sub
prodVnetName=vnet-prod-$sub
devVnetName=vnet-dev-$sub
onpremVnetName=vnet-onprem-$sub
rgLogName=Logs
loganalytics="loganalytics"
# Create Resource Group
az group create --name $rgName --location $location
# Create Azure Hub VNET
az network vnet create -g $rgName --name $hubVNetName --address-prefixes 10.11.0.0/16 --location $location
# Create Azure Prod VNET
az network vnet create -g $rgName --name $prodVnetName --address-prefixes 10.13.0.0/16 --location $location
az network vnet subnet create -g $rgName --vnet-name $prodVnetName --name Management --address-prefix 10.13.1.0/24
az network vnet subnet create -g $rgName --vnet-name $prodVnetName --name WebApp --address-prefix 10.13.2.0/24 --delegations Microsoft.Web/serverFarms
az network vnet subnet create -g $rgName --vnet-name $prodVnetName --name Database --address-prefix 10.13.3.0/24
az network vnet subnet create -g $rgName --vnet-name $prodVnetName --name PrivateEndPoint --address-prefix 10.13.4.0/24 --disable-private-endpoint-network-policies true
# Prod Subnet NSG
az network nsg create -g $rgName -n Prod-Management-subnet -l $location -o table
az network nsg create -g $rgName -n Prod-WebApp-subnet -l $location -o table
az network nsg create -g $rgName -n Prod-Database-subnet -l $location -o table
az network nsg create -g $rgName -n Prod-PrivateEndPoint-subnet -l $location -o table
az network vnet subnet update -g $rgName --vnet-name $prodVnetName --name Management --network-security-group Prod-Management-subnet
az network vnet subnet update -g $rgName --vnet-name $prodVnetName --name WebApp --network-security-group Prod-WebApp-subnet
az network vnet subnet update -g $rgName --vnet-name $prodVnetName --name Database --network-security-group Prod-Database-subnet
az network vnet subnet update -g $rgName --vnet-name $prodVnetName --name PrivateEndPoint --network-security-group Prod-PrivateEndPoint-subnet
# Peering
az network vnet peering create -g $rgName --name HUBtoProd --vnet-name $hubVNetName --remote-vnet $prodVnetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
az network vnet peering create -g $rgName --name ProdtoHUB --vnet-name $prodVnetName --remote-vnet $hubVNetName --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
# Create Cosmos Database
CosmosDBRG="CosmosDBRG"
cosmosdbAccount="familydbaccount"
cosmosdbName="FamilyDB"
cosmosCollection="Family"
az group create --name CosmosDBRG --location $location
az cosmosdb create --name $cosmosdbAccount --resource-group $CosmosDBRG
az cosmosdb sql database create --account-name $cosmosdbAccount --resource-group $CosmosDBRG --name $cosmosdbName
az cosmosdb sql container create --account-name $cosmosdbAccount --resource-group $CosmosDBRG --database-name $cosmosdbName --name Family --partition-key-path "/address/zipcode" --throughput 400
privateZoneRG="privateZoneRG"
az group create --name $privateZoneRG --location $location
az network private-dns zone create --name "privatelink.documents.azure.com" --resource-group $privateZoneRG
prodVnetID=$(az network vnet show --resource-group $rgName --name $prodVnetName --query id -o tsv)
az network private-dns link vnet create -n prodVnetPrivateDNSLink -g $privateZoneRG --zone-name "privatelink.documents.azure.com" -v $prodVnetID -e false
privateEndPointRG="privateEndPointRG"
cosmosPEName="FamilyDBAccountPE"
privateendpointconnectionname="FamilyDBPEConnection"
cosmosDBPEZoneGroup="cosmosDBPEZoneGroup"
az group create --name $privateEndPointRG --location $location
privateendpointcosmosid=$(az cosmosdb show --name $cosmosdbAccount --resource-group $CosmosDBRG --query 'id' --output tsv)
prodVnetID=$(az network vnet show --resource-group $rgName --name $prodVnetName --query id -o tsv)
prodPrivateEndPointSubNetID=$(az network vnet subnet show --resource-group $rgName --name PrivateEndPoint --vnet-name $prodVnetName --query id -o tsv)
az network private-endpoint create --name $cosmosPEName --resource-group $privateEndPointRG --subnet $prodPrivateEndPointSubNetID --private-connection-resource-id $privateendpointcosmosid --location $location --connection-name $privateendpointconnectionname --group-id Sql
privateZoneID=$(az network private-dns zone show --name "privatelink.documents.azure.com" --resource-group $privateZoneRG --query "id" -o tsv)
az network private-endpoint dns-zone-group create --name $cosmosDBPEZoneGroup --resource-group $privateEndPointRG --endpoint-name $cosmosPEName --private-dns-zone $privateZoneID --zone-name privatelink.documents.azure.com
appServicePlan="MyAppServicePlan"
webAppRG="WebApps"
prodWorkLoadSubNetID=$(az network vnet subnet show --resource-group $rgName --name WebApp --vnet-name $prodVnetName --query id -o tsv)
az group create --name $webAppRG --location $location
az appservice plan create -g $webAppRG -n $appServicePlan --sku B1
az webapp create -g $webAppRG -p $appServicePlan -n $webAppName --subnet $prodWorkLoadSubNetID
- Azure Service Plan - Convert Consumption App to Premium App
- No PK or FK when exporting SQL Server database
- Assigning a Token Lifetime Policy to an application in Microsoft EntraID seems to have no effect
- How to create a dataset for Azure custom speech using spx (speechCLI)
- Azure App Service Autoscale Fails to Scale In
- Azure Scale Out on Memory keeps flapping (not scaling in)
- Setting a server minimum for Azure Web App when using automatic scaling, from Bicep
- A keyvault created with access policy using BICEP creates compound identity
- Azure Loadbalancer with public IP forward traffic to Container Apps
- How to grant a Managed Identity permissions to an Azure SQL Database using IaC?
- What means skipNegotiation in SignalR HubConnection?
- Azure ClientCertificateCredential - Using SNI
- Azure AI Search MultiIndex / Conditional Semantic search
- MSAL Node service & The Partner Center API
- Load Registered Component in Azure ML for Pipeline using Python sdk v2
- Azure Blob:- How to automate Azure Archive Storage to Cool/Hot tier conversion, send download link once it's avaible , and re-archive after 72 hours?
- Azure App Service Custom Backup to Firewall Enabled Storage Account not working as expected
- How to take max value and replace it in drived column in data factory
- Synapse/ ADF - How to Truncate table if dynamic config column is True in pre-copy script
- Azure Cost Management - track costs associated with Databricks job
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How to check Debug.Writeline() output in VS code?
- C# API - Provide download of files from Azure Blobstorage
- localhost:300/api is not working : "This page isn’t working"
- Creating an Azure Linux VM with Ubuntu 20.04 with Terraform
- Failed to deploy path that does not exist
- Using Azure WAF for my server(not in Azure)
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday