![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 53%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAX%3C/text%3E%3C/svg%3E)
Azure Cosmos DB
An Azure NoSQL database service for app development.
1,612 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 4%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi Annie Xue •,
Welcome to Microsoft Q&A forum.
As I understand, you are getting error App service request got 403 by Cosmos.
Please check your network settings at App service so that it allows connection to Azure Cosmos DB.
When a data plane request is blocked with 403 Forbidden, the error message will specify via which of the above three paths the request came to Azure Cosmos DB.
-
Request originated from client IP {...} through public internet. -
Request originated from client VNET through service endpoint. -
Request originated from client VNET through private endpoint.
Understand via which path is the request expected to come to Azure Cosmos DB.
- If the error message shows that the request did not come to Azure Cosmos DB via the expected path, the issue is likely to be with client-side setup. Please double check your client-side setup following documentations.
- Public internet: Configure IP firewall in Azure Cosmos DB.
- Service endpoint: Configure access to Azure Cosmos DB from virtual networks (VNet). For example, if you expect to use service endpoint but request came to Azure Cosmos DB via public internet, maybe the subnet that the client was running in did not enable service endpoint to Azure Cosmos DB.
- Private endpoint: Configure Azure Private Link for an Azure Cosmos DB account. For example, if you expect to use private endpoint but request came to Azure Cosmos DB via public internet, maybe the DNS on the VM was not configured to resolve account endpoint to the private IP, so it went through account's public IP instead.
- If the request came to Azure Cosmos DB via the expected path, request was blocked because the source network identity was not configured to be allowed for the account. Check account's settings depending on the path the request came to Azure Cosmos DB.
- Public internet: check account's public network access and IP range filter configurations.
- Service endpoint: check account's public network access and VNET filter configurations.
- Private endpoint: check account's private endpoint configuration and client's private DNS configuration. This could be due to accessing account from a private endpoint that is set up for a different account.
- Service endpoint: check account's public network access and VNET filter configurations.
- Public internet: check account's public network access and IP range filter configurations.
- Service endpoint: Configure access to Azure Cosmos DB from virtual networks (VNet). For example, if you expect to use service endpoint but request came to Azure Cosmos DB via public internet, maybe the subnet that the client was running in did not enable service endpoint to Azure Cosmos DB.
- Public internet: Configure IP firewall in Azure Cosmos DB.
If you recently updated account's firewall configurations, keep in mind that changes can take up to 15 minutes to apply.
Let us know if this helped.
Awaiting your reply.
Refer: https://video2.skills-academy.com/en-us/azure/cosmos-db/nosql/create-website
Thanks