Forbidden Exceptions – Nonrelational Databases in Azure
Forbidden Exceptions
Forbidden exceptions occur when a data plane request comes from an application whose IP address is not whitelisted by the Azure Cosmos DB firewall, or that cannot communicate with the VNet the Azure Cosmos DB account is associated with. These exceptions surface as HTTP 403 status codes.
Solutions to this error depend on whether the application request comes from an IP address that can communicate with the Azure Cosmos DB account, and on what type of network isolation the account is using. Use the following recommendations if the application request is coming from an expected path:
- If the Azure Cosmos DB account is using the firewall, check to make sure the request’s IP address is whitelisted in the Azure Cosmos firewall or is coming from a subnet with the Azure Cosmos DB service endpoint enabled.
- If the Azure Cosmos DB account is using a private endpoint, then make sure that the request’s IP address can communicate with the VNet the private endpoint is associated with.
If the application request is not coming from an expected path, the issue is likely related to the application-side configuration. Use the following guidance to troubleshoot the issue depending on the type of network isolation the account is using:
- If an application request was expected to use a service endpoint but uses the public Internet instead, then check to see if the subnet the application’s IP address is in has enabled the Azure Cosmos DB service endpoint.
- If an application request was expected to come through a private endpoint but instead comes from the public Internet, then check to see if the DNS the application is using can resolve the account endpoint to the private IP address associated with the private endpoint.
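The DNS check in the last bullet can be automated: resolve the account endpoint with the same resolver the application uses, decide whether the answers are private addresses (traffic would reach the private endpoint) or public ones, and map that together with the 403 onto the checks listed above. This is an added example, not code from the book; the hostname is a constructed placeholder and the `uses_private_endpoint` flag is an assumption supplied by the operator.

```python
"""Added example: classify a Cosmos DB 403 by how the account endpoint resolves.

The account hostname below is a constructed placeholder, not a real account.
"""
import ipaddress
import socket
from typing import Iterable, List


def resolve_addresses(hostname: str) -> List[str]:
    """Resolve the account endpoint with the system resolver, i.e. the DNS
    the application itself would use (port 443 is the Cosmos DB data plane)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def resolves_to_private_ip(addresses: Iterable[str]) -> bool:
    """True only when every returned address is private (RFC 1918 / ULA).

    A private endpoint hands out a private IP from the VNet; a public IP means
    the request would leave over the Internet instead. An empty answer counts as
    not private so a failed lookup is never mistaken for a working private path.
    """
    parsed = [ipaddress.ip_address(a) for a in addresses]
    return bool(parsed) and all(a.is_private for a in parsed)


def diagnose_forbidden(status_code: int, addresses: Iterable[str],
                       uses_private_endpoint: bool) -> str:
    """Map a status code plus DNS result onto the troubleshooting step above."""
    if status_code != 403:
        return "not-forbidden"          # some other class of error entirely
    if uses_private_endpoint:
        if not resolves_to_private_ip(addresses):
            # Endpoint resolves publicly: the application's DNS is not returning
            # the private endpoint's private IP (last bullet in the text).
            return "check-dns-private-endpoint-resolution"
        # DNS is fine, so the source cannot talk to the private endpoint's VNet.
        return "check-vnet-connectivity"
    # Firewall-based isolation: allowed IP list or service-endpoint subnet.
    return "check-firewall-allowlist-or-service-endpoint"


if __name__ == "__main__":
    # Constructed placeholder; replace with the real account endpoint.
    host = "example-account.documents.azure.com"
    try:
        addrs = resolve_addresses(host)
    except socket.gaierror:
        addrs = []
    print(addrs, diagnose_forbidden(403, addrs, uses_private_endpoint=True))
```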
Management Tools
Azure offers two Azure Cosmos DB management tools that developers can use to write and test queries before adding them to applications. Data Explorer and the Azure Cosmos DB Explorer give developers and administrators the ability to create new resources and manage existing resources as well as optimize the cost-performance ratio for throughput. The following sections describe each of these tools in further detail.
Data Explorer
Data Explorer is a development environment available in the Azure Portal for querying and managing Azure Cosmos DB. It can be used to create and delete resources such as databases, containers, stored procedures, user-defined functions, and triggers. Developers can use query windows, like those in SSMS and Azure Data Studio, to write SQL statements that read, write, or delete data.