az cosmosdb show --name <account-name> --resource-group <resource-group>Cosmos DB private endpoint
A Cosmos DB private endpoint uses Azure Private Link to expose a Cosmos DB account through private IP addresses in a virtual network. Microsoft Learn explains that this lets teams restrict access to private paths and reduce public exposure for database clients and administrative connections.
Source: Microsoft Learn - Configure Azure Private Link for Azure Cosmos DB Reviewed 2026-05-31
- Exam trap
- Disabling public access before private DNS works from every application subnet and on-premises resolver.
- Production check
- Resolve the Cosmos DB account FQDN from the application subnet and confirm it returns private IP addresses.
Article details and learning context
- Aliases
- None listed
- Difficulty
- intermediate
- CLI mappings
- 4
- Last verified
- 2026-05-31
- Review level
- field-manual-complete
- Article depth
- field-manual-complete
Understand the concept
In plain English
A Cosmos DB private endpoint gives applications a private network path to a Cosmos DB account instead of sending database traffic to the public endpoint. It creates a private IP address in a subnet and uses Private Link so clients inside approved networks can reach the account through that address. Teams use it when a database should be reachable from workloads in a virtual network, peered network, hub, or on-premises path without leaving the private network design.
Why it matters
Cosmos DB private endpoint matters because database exposure is one of the easiest cloud risks to misunderstand. Disabling public network access is not enough if clients still resolve DNS incorrectly, use the wrong region, or bypass the private path with old configuration. A good private endpoint design reduces public attack surface, supports regulated network boundaries, and gives security teams a concrete artifact to audit. It also changes operations: subnet capacity, DNS zones, regional account changes, SDK endpoints, and firewall policies must be managed together. For learners, this term explains why private connectivity is not only a checkbox; it is a routed, resolvable, monitored path to a production database.
Technical context
Technically, a Cosmos DB private endpoint is an Azure Private Endpoint resource connected to a Cosmos DB account subresource. It depends on a subnet, network interface, private DNS zone, virtual network links, and the Cosmos DB account network configuration. The Cosmos DB API, region, failover settings, consistency, request units, and SDK behavior still belong to the database design; the private endpoint controls the network path. Operators must validate DNS resolution because clients need the account name to resolve to private IP addresses from the right networks.
Exam context
Compare with
Where it is used
Where you see it
- In the Cosmos DB networking blade, private endpoint connections show approval state, target subresource, private IP, virtual network, DNS integration, and whether public network access remains enabled.
- In Private DNS zones, records for the Cosmos DB account must resolve to private addresses from every linked virtual network that hosts consuming applications and test agents.
- In SDK diagnostics and application logs, connection failures, DNS mismatches, timeouts, retry storms, resolver differences, or unexpected public endpoint attempts reveal private endpoint configuration problems.
Common situations
- Lock down a production Cosmos DB account so application traffic reaches it only through approved virtual networks and Private Link.
- Support regulated workloads where auditors require evidence that database access does not depend on public network exposure.
- Connect AKS, App Service, Functions, or virtual machines to Cosmos DB through hub-spoke private networking and private DNS.
- Prepare a public-access shutdown by proving DNS, endpoint approval, and application connectivity from every consuming subnet.
- Reduce data-exfiltration risk by combining private endpoints with restrictive keys, RBAC, policy, logging, and change approval.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Legal document platform lockdown A legal SaaS provider removed public database exposure before onboarding enterprise clients.
A legal document review platform stored case metadata in Cosmos DB and served attorneys across several jurisdictions. Enterprise prospects rejected the architecture because the database account still allowed public network access with IP restrictions.
- Route production database traffic only through approved private networks.
- Pass client security review without changing the application data model.
- Cut database connectivity incident triage from hours to minutes.
- Prove endpoint, DNS, and public access posture for each tenant environment.
The platform team created Cosmos DB private endpoints in the hub virtual network used by App Service integrated workloads and background processors. Private DNS zones were linked to each spoke network, and public network access was disabled only after command-line DNS checks passed from every application subnet. The security team removed shared troubleshooting IP allowlists, rotated database keys, and added alerts for account networking changes. Operators documented the private endpoint IPs, DNS records, account resource ID, and test queries in the release runbook. Application Insights correlation confirmed that database failures after cutover were authorization issues, not public endpoint fallbacks.
- Public database exposure findings dropped from eight per review cycle to zero.
- Three enterprise client onboarding reviews were completed 40 percent faster.
- Connectivity triage time fell from two hours to 18 minutes using endpoint and DNS evidence.
- No tenant-facing outages occurred during the staged public access shutdown.
Cosmos DB private endpoints make secure database access reviewable when the network, DNS, and database teams need the same proof.
Scenario 02 Multiplayer game inventory protection A game studio isolated player inventory data while keeping global traffic responsive.
A multiplayer game stored player inventory and entitlement documents in Cosmos DB. A new anti-fraud requirement forced the studio to prove that backend services in AKS reached the database through private addresses only.
- Move AKS backend database calls onto Private Link without interrupting live matches.
- Keep p95 inventory lookup latency below 45 milliseconds in the primary region.
- Remove temporary public IP allowlists created during a previous tournament launch.
- Create repeatable checks for regional cluster and database failover tests.
Network engineers added Cosmos DB private endpoints in the game services virtual network and linked the private DNS zone to each AKS cluster network. The application team validated SDK connection behavior from pods and confirmed that inventory queries still used the closest Cosmos DB region. Public network access was disabled after staged canary pods passed DNS, route, and request diagnostics. CLI scripts exported endpoint state, DNS records, and Cosmos DB account settings before every tournament change window. Alerts tracked unexpected public endpoint attempts, DNS changes, throttling, and regional failover events so game operations could separate network incidents from RU pressure.
- Temporary public allowlists were removed from four production accounts.
- Inventory lookup p95 stayed at 37 milliseconds during the next tournament weekend.
- Regional failover rehearsal validation time dropped from 90 minutes to 24 minutes.
- Fraud-platform auditors accepted one evidence package instead of three follow-up meetings.
Private endpoints let high-volume Cosmos DB workloads satisfy network isolation requirements without confusing them with database throughput design.
Scenario 03 Utility outage operations network An energy utility kept outage records reachable from private field-service systems.
An energy utility used Cosmos DB to store outage events consumed by dispatch portals and field-service APIs. Public endpoint dependencies complicated disaster exercises because field networks used private routing through ExpressRoute.
- Keep outage data access on private network paths from field-service environments.
- Validate DNS behavior from Azure and on-premises resolvers before storm season.
- Reduce change risk when adding a secondary Cosmos DB region.
- Give incident commanders a quick way to identify network versus database failures.
The cloud networking team deployed Cosmos DB private endpoints for the primary and secondary access paths and integrated private DNS with the utility resolver chain. ExpressRoute-connected field systems resolved the Cosmos DB account to private addresses, while Azure-hosted dispatch APIs used linked virtual networks. When a secondary region was added, the team updated endpoint and DNS evidence before enabling failover drills. Runbooks included CLI commands to show endpoint state, DNS records, account regions, and public network access. Azure Monitor alerts separated DNS resolution failures, private endpoint changes, request throttling, and SDK retry spikes during storm-response simulations.
- Storm-season readiness testing found DNS drift in 12 minutes instead of half a day.
- Secondary-region onboarding finished two weeks before the operations freeze.
- Dispatch API availability remained above 99.96 percent during the first major storm.
- Incident bridge escalations to the database team dropped by 35 percent.
Cosmos DB private endpoints are most valuable when private network evidence must hold up during real operational pressure.
Azure CLI
I use Azure CLI for Cosmos DB private endpoints because the portal hides too many moving parts across different blades. In a real outage, I need to prove the Cosmos DB account setting, endpoint approval state, subnet, private IP, DNS zone records, virtual network links, and public network access quickly. CLI gives repeatable evidence that can be pasted into a change ticket or incident timeline. After ten years of Azure operations, I have seen private endpoint issues caused by DNS more often than by the endpoint resource itself. Command-line checks force the team to inspect the full path instead of arguing from memory.
Useful for
- List Cosmos DB accounts and private endpoint connections before disabling public network access.
- Show private endpoint IP addresses and target subresources for a database connectivity investigation.
- Inspect private DNS records and virtual network links when applications resolve the public endpoint unexpectedly.
- Export account networking settings as audit evidence for a regulated workload review.
- Compare private endpoint configuration across development, test, and production subscriptions before a release.
Before you run a command
- Confirm tenant, subscription, resource group, Cosmos DB account name, API, region, subnet, and private DNS zone.
- Check permissions for both database resources and network resources because separate teams often own them.
- Avoid changing public network access until DNS resolution from every consuming environment has been tested.
- Understand that deleting a private endpoint or DNS record can break live application traffic immediately.
- Use JSON output for evidence because endpoint IDs, group IDs, private IPs, and zone links matter.
What the output tells you
- Cosmos DB account output shows whether public network access and consistency or region settings match the design.
- Private endpoint output identifies the subnet, private IP, connection state, group ID, and target resource ID.
- Private DNS output shows whether the account name resolves to private addresses from linked virtual networks.
- Provisioning and approval states help separate incomplete endpoint deployment from application-level database errors.
- Resource IDs prove whether the application, endpoint, DNS zone, and database account belong to the expected environment.
Mapped commands
Cosmos DB operations
directaz network private-endpoint list --resource-group <resource-group>az network private-dns zone list --resource-group <resource-group>az cosmosdb update --name <account-name> --resource-group <resource-group> --public-network-access DisabledArchitecture context
Architecturally, I treat a Cosmos DB private endpoint as the data access boundary between application networks and a globally distributed database account. It belongs in the same conversation as hub-spoke routing, private DNS, AKS or App Service integration, on-premises connectivity, region failover, and public network access. The endpoint itself does not make queries faster or fix partition design, but it defines where the database can be reached. In mature environments, every private endpoint has an owner, subnet plan, DNS registration, monitoring signal, and disaster-recovery story. The design must also account for multiple APIs, multiple regions, and client libraries that cache or resolve endpoints differently during incidents.
- Security
- Security is the main reason to use a Cosmos DB private endpoint. It lets teams keep database traffic on private IP paths and combine that with public network access restrictions, Azure RBAC or keys, managed identities where supported, diagnostic logs, and policy controls. The biggest mistakes are leaving public access open, misconfiguring private DNS, granting broad account keys, and assuming subnet presence equals authorization. Operators should know who can create endpoints, approve connections, change DNS links, list keys, or modify account networking. Sensitive workloads should monitor denied requests, unexpected public endpoint attempts, and private endpoint changes as security events. Review every exception.
- Cost
- The private endpoint itself adds networking cost, and the surrounding design can also affect spend through private DNS, network traffic paths, duplicate endpoints, and operational effort. Cosmos DB cost still mainly comes from request units, storage, indexing, regions, backups, and throughput choices, so private connectivity should not hide poor data design. However, a misconfigured endpoint can generate expensive investigation time, failed deployments, and duplicate nonproduction infrastructure. FinOps reviews should track private endpoints per account and environment, unused endpoints, data transfer patterns, and whether public access exceptions are being kept alive because private DNS was never fixed. Review this during architecture governance.
- Reliability
- Reliability depends on DNS, regional design, subnet availability, and failover behavior. A private endpoint can be healthy while clients fail because their resolver returns public addresses or a stale private zone. Global Cosmos DB accounts need careful planning when regions are added, removed, or failed over, because private endpoint and DNS coverage must match the client access pattern. Operators should test from every consuming subnet, not just from a jump box. During incidents, separate database throttling, DNS failures, route issues, and private endpoint approval problems. Recovery plans should include DNS validation, connection-string review, SDK retry behavior, and fallback expectations. Rehearse failover carefully.
- Performance
- A private endpoint does not change Cosmos DB partitioning, RU consumption, or query engine behavior, but it can affect perceived performance through DNS, routing, connection reuse, and network path length. Clients that resolve inconsistently may show intermittent latency or failures that look like database throttling. Operators should compare SDK diagnostics, request charge, status codes, retry counts, DNS answers, and network timing before blaming Private Link. Regional placement matters because a private path from one virtual network to a distant account region can still be slow. Performance tests should run from the same subnet, resolver, and application runtime used in production.
- Operations
- Operators manage Cosmos DB private endpoints by inspecting the account networking blade, private endpoint connections, subnet configuration, private DNS zones, virtual network links, and client-side name resolution. Routine work includes confirming approval state, checking public network access, validating DNS from workload subnets, exporting endpoint evidence for audits, and reviewing logs for failed requests. Changes require coordination between database owners, network teams, security engineers, and application teams. A good runbook includes the account name, API, regions, private DNS zone, endpoint IPs, affected apps, rollback path, and tests to run before and after disabling public access. Keep ownership visible in diagrams and support tickets.
Common mistakes
- Disabling public access before private DNS works from every application subnet and on-premises resolver.
- Creating the private endpoint in the wrong virtual network or subnet because names look similar across environments.
- Assuming Private Link replaces database authorization, key rotation, RBAC review, or application authentication.
- Forgetting to update private endpoint and DNS planning when Cosmos DB regions or APIs change.
- Troubleshooting RU throttling as a network issue, or troubleshooting DNS failure as a database performance issue.