I have a Node.js app which interacts with Cosmos DB and which is deployed to a private AKS cluster. I was able to connect to Cosmos DB through a service endpoint in the Cluster VNET/subnet for Cosmos DB by enabling 'selected networks' in Cosmos DB.
I am now trying to close it to private access only via private endpoints.
I disabled public access / so no 'selected networks' any more.
I created a private endpoint and private link to Cosmos DB and integrated it with a Private DNS Zone that is in the same resource group as the Cluster VNET and uses one of the VNET subnets.
When I do nslookup in the cluster from a test pod I can see that the cosmosname.documents.azure.com URI has canonical name = cosmosname.privatelink.documents.azure.com. The address however is a different IP address than the ones in the DNS zone records.
When I try to run the app, I get the error:

"Request originated from VNET through service endpoint. This is blocked by your Cosmos DB account firewall settings."

What can I do to fix this?
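As an added diagnostic for the nslookup step described above (example code, not part of the original question; the resolver, subnet and addresses are constructed placeholders), this script parses nslookup output from a pod and checks whether the address the privatelink name resolves to lies inside the subnet that hosts the private endpoint NIC:

```shell
#!/bin/sh
# Added example: verify that cosmosname.documents.azure.com resolves, from inside
# the cluster, to an address in the private-endpoint subnet rather than a public one.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  echo "$1" | awk -F. '{ printf "%d\n", ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

# Return 0 if $1 (IPv4) is inside $2 (CIDR such as 10.240.0.0/16), else 1.
ip_in_cidr() {
  cand=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( cand & mask )) -eq $(( net & mask )) ]
}

# Extract the final "Address:" line (the answer, not the resolver's own address).
resolved_address() {
  printf '%s\n' "$1" | awk '/^Address:/ { a = $2 } END { sub(/#.*/, "", a); print a }'
}

# Return 0 if the lookup lands in the private-endpoint subnet, 1 if it does not.
check_private_resolution() {
  addr=$(resolved_address "$1")
  if ip_in_cidr "$addr" "$2"; then
    echo "OK: $addr is inside $2 (private endpoint in use)"
    return 0
  fi
  echo "WARN: $addr is outside $2; the private DNS zone is not answering for this name"
  return 1
}

# Constructed sample of the symptom in the question: the CNAME chain is correct,
# but the final address is not one of the private DNS zone's A records.
SAMPLE_LOOKUP='Server:   10.0.0.10
Address:  10.0.0.10#53

Non-authoritative answer:
cosmosname.documents.azure.com  canonical name = cosmosname.privatelink.documents.azure.com.
Name:   cosmosname.privatelink.documents.azure.com
Address: 203.0.113.10'

# Constructed subnet holding the private endpoint NIC.
PE_SUBNET='10.240.0.0/16'

# Run the check on the sample (exit status 1 reproduces the question's symptom).
check_private_resolution "$SAMPLE_LOOKUP" "$PE_SUBNET" || true
```

In a real pod, replace SAMPLE_LOOKUP with the output of `nslookup cosmosname.documents.azure.com` and PE_SUBNET with the subnet you attached the private endpoint to.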