
Issue #246 CosmosDB Endpoints Security Network

Arturo Hernandez [EPAM] requested to merge 246-ah/network_cosmosdb_pe into master

All Submissions:


  • [YES] Have you added an explanation of what your changes do and why you'd like us to include them?
  • [YES] I have updated the documentation accordingly.
  • [YES] My code follows the code style of this project.

Current Behavior or Linked Issues


CosmosDB accounts are reachable by OSDU services through the internet; this can lead to performance issues and security vulnerabilities.

Does this introduce a breaking change?


  • [YES]

It is not a breaking change per se, but it certainly requires manual intervention to restart services (flush the cache for pods). It is also required to finish the 3-stage upgrade in one single maintenance window; more details are in the upgrade guide for private endpoints, in the Cosmos section.

Expect downtime of ~20m, which is the time it takes for Azure to build the private endpoints per CosmosDB account.

Other information


I didn't find a workaround to avoid downtime. I was thinking about using a different subnet in the meantime while the private endpoint creation was finishing; however, the private DNS zone is attached at the network level, meaning that it will affect all the subnets.

In any case, if somehow the subnet can avoid using the private DNS zone for Cosmos and we can transfer workloads to that subnet, I think that would be ideal to avoid downtime. However, it is just an idea; there was not enough time to test it on our side.
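The cutover described above only succeeds once every pod resolves the account name to an address inside the VNet rather than to the public Cosmos DB front end; a pod with a stale resolver or SDK cache keeps talking to the public endpoint. The following post-maintenance check is an added example and is not part of this merge request or the project's code. The account name, VNet address ranges and the sample DNS answers are constructed for illustration; in a real run, `resolve()` uses the pod's own resolver so the result reflects what the SDK will see.

```python
"""Post-cutover check for a Cosmos DB private endpoint.

Given the addresses that <account>.documents.azure.com resolves to and the
VNet address space, decide whether traffic will stay on the private endpoint
or still leave the network. Added example; account name, ranges and sample
answers below are constructed, not taken from the merge request.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple


def classify_answers(answers: Iterable[str], vnet_ranges: Iterable[str]) -> Tuple[str, List[str]]:
    """Return (verdict, unexpected_addresses).

    verdict is one of:
      "private" - every answer is inside the VNet (private endpoint in effect)
      "public"  - no answer is inside the VNet (still using the public front end)
      "mixed"   - some answers inside, some outside (partial cutover or stale cache)
      "none"    - the name did not resolve at all
    unexpected_addresses lists the answers that fall outside the VNet.
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in vnet_ranges]
    inside: List[str] = []
    outside: List[str] = []
    for answer in answers:
        ip = ipaddress.ip_address(answer)
        (inside if any(ip in net for net in nets) else outside).append(answer)
    if not inside and not outside:
        return "none", []
    if inside and outside:
        return "mixed", outside
    return ("private", []) if inside else ("public", outside)


def resolve(fqdn: str) -> List[str]:
    """Live lookup through the caller's resolver (what a pod's SDK would use)."""
    try:
        infos = socket.getaddrinfo(fqdn, 443, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_account(account: str, vnet_ranges: Iterable[str],
                  resolver: Callable[[str], List[str]] = resolve) -> Dict[str, object]:
    """Resolve the account's public hostname and classify the answers.

    The private DNS zone is linked to the whole VNet, so a "public" verdict from
    inside the VNet means the zone link or the A record is missing, not that one
    subnet was skipped.
    """
    fqdn = f"{account}.documents.azure.com"
    answers = resolver(fqdn)
    verdict, unexpected = classify_answers(answers, vnet_ranges)
    return {"fqdn": fqdn, "answers": answers, "verdict": verdict, "unexpected": unexpected}


if __name__ == "__main__":
    # Constructed sample: a VNet with 10.10.0.0/16 and a fake resolver that
    # returns one private-endpoint address plus one public address, i.e. the
    # situation a pod with a half-refreshed cache would be in.
    vnet = ["10.10.0.0/16"]

    def sample_resolver(fqdn: str) -> List[str]:
        return ["10.10.2.5", "13.64.1.2"]  # constructed answers

    report = check_account("osdu-example", vnet, resolver=sample_resolver)
    print(f"{report['fqdn']}: {report['verdict']} {report['answers']}")
    if report["verdict"] != "private":
        print("cutover incomplete, unexpected addresses:", report["unexpected"])
```

Run it from a pod in each node pool after the private endpoints report as provisioned; anything other than a "private" verdict means that pod should be restarted (or its resolver cache flushed) before traffic is sent to it.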

Closes #246 (closed)
