
CosmosDB - Can't use Dedicated Gateway with Virtual Network


I recently connected our CosmosDB to a virtual network, but after doing so I encountered an error when trying to execute an action that normally works:

Microsoft.Azure.Cosmos.CosmosException : Response status code does not indicate success: Forbidden (403); Substatus: 0;
RequestUri: https://xxxxx.sqlx.cosmos.azure.com/

I changed the connection string to use documents.azure.com, and the forbidden error went away - at this point, CosmosDB is now working on the virtual network. However, by changing my connection string I have lost connection to the Dedicated Gateway. I would like to continue using Dedicated Gateway, but the 403 error is currently preventing that.

The only clue I've found is this outdated post (https://github.com/MicrosoftDocs/azure-docs/issues/83467) mentioning a limitation that Dedicated Gateway and a Virtual Network cannot be used together; however, that limitation has since been removed from the official documentation (https://learn.microsoft.com/en-us/azure/cosmos-db/dedicated-gateway#limitations). Is this limitation still in effect, and is this why I can't use the two together? Or could it be something else?


Solution

  • When setting up the private endpoint on the cosmos database, you need to pick 'SqlDedicated' as the target sub-resource. The problem was solved by creating a new private endpoint with this setting - and by using the sqlx.cosmos.azure.com endpoint for the dedicated gateway, of course.
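
A check for the condition the answer describes, as an added example that is not part of the original question or answer: given the private endpoints attached to an account and the endpoint URL the client uses, it reports whether the matching target sub-resource is covered. The JSON shape (modelled on `az network private-endpoint list` output), the `Sql` mapping for documents.azure.com, and all names and IDs are assumptions or constructed sample values.

```python
import json
from urllib.parse import urlparse

# Endpoint host suffix -> private endpoint target sub-resource (groupId).
# 'SqlDedicated' for sqlx.cosmos.azure.com comes from the answer above;
# 'Sql' for documents.azure.com is an assumption about the standard gateway.
REQUIRED_GROUP = {
    ".sqlx.cosmos.azure.com": "SqlDedicated",
    ".documents.azure.com": "Sql",
}

def required_group(endpoint_url):
    """Return the sub-resource a private endpoint must target for this URL."""
    host = (urlparse(endpoint_url).hostname or "").lower()
    for suffix, group in REQUIRED_GROUP.items():
        if host.endswith(suffix):
            return group
    raise ValueError(f"unrecognised Cosmos DB endpoint host: {host!r}")

def covered_groups(private_endpoints, account_id):
    """Collect groupIds of all connections that target the given account."""
    groups = set()
    for pe in private_endpoints:
        conns = (pe.get("privateLinkServiceConnections") or []) + \
                (pe.get("manualPrivateLinkServiceConnections") or [])
        for conn in conns:
            if (conn.get("privateLinkServiceId") or "").lower() == account_id.lower():
                groups.update(conn.get("groupIds") or [])
    return groups

def check(endpoint_url, private_endpoints, account_id):
    """Return (covered, needed_group, groups_present) for the client's endpoint."""
    need = required_group(endpoint_url)
    have = covered_groups(private_endpoints, account_id)
    return need in have, need, sorted(have)

# Constructed sample: an account with only a standard 'Sql' private endpoint.
ACCOUNT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
              "/providers/Microsoft.DocumentDB/databaseAccounts/example-account")
SAMPLE = json.loads("""[{"name": "pe-cosmos-sql",
  "privateLinkServiceConnections": [{"privateLinkServiceId": "%s", "groupIds": ["Sql"]}],
  "manualPrivateLinkServiceConnections": []}]""" % ACCOUNT_ID)

if __name__ == "__main__":
    for url in ("https://example-account.sqlx.cosmos.azure.com/",
                "https://example-account.documents.azure.com:443/"):
        ok, need, have = check(url, SAMPLE, ACCOUNT_ID)
        print(f"{url}: needs {need}, covered {have} -> {'ok' if ok else 'MISSING'}")
```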