Azure Mongo vcore private endpoint not created, or not working as expected

Question

Azure Mongo vcore private endpoint not created, or not working as expected

zeenmc 0

Hello team,

I am trying to configure Mongo vCore with private endpoints and not allowed public traffic.
I am really confused because of documentation.

I found there is Azure Module which approved by Azure and TF for creating vCore with private access, but still our access is not working.

I guess srv DNS record is not working and we are not able to connect on it.

module
  
version
name
location
resource_group_name
administrator_login
administrator_login_password
compute_tier
storage_size_gb
server_version
shard_count
public_network_access
private_endpoints
aks-pe
name
subnet_resource_id
private_dns_zone_name
private_dns_zone_resource_ids
registration_enabled
    }
  }

and we get records in private zone: privatelink.mongocluster.cosmos.azure.com

fc-ad4xxxxxcac0-000                     A         10.x.x.5 
fc-ad4xxxxxcac0-000.global              A         10.x.x.5 
fc-ad4xxxxxcac0-000.ro.global           A         10.x.x.5

Here is Azure module, https://registry.terraform.io/modules/Azure/avm-res-documentdb-mongocluster/azurerm/latest

Now I am trying to create by terrafrom ARM provider 4.56.0 (I think is latest) but after creation, I don't have records in our private DNS zone.

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mongo_cluster#arguments-reference

with below code, I get private endpoint, but without records.
Not sure what I am missing.

resource

resource "azurerm_mongo_cluster" "mongo_vcore" {
#   name                   = "mongo-vcore-${var.client}-${var.env}"
#   resource_group_name    = azurerm_resource_group.rg.name
#   location               = azurerm_resource_group.rg.location
#   administrator_username = "admxxxxxxxxrm"
#   administrator_password = "QAxxxxxxxfg"
#   shard_count            = "1"
#   compute_tier           = "M20"
#   high_availability_mode = "Disabled"
#   storage_size_in_gb     = "32"
#   version =  "7.0"
# }

# resource "azurerm_private_dns_zone" "mongo" {
#   name                = "privatelink.mongo.cosmos.azure.com"
#   resource_group_name = azurerm_resource_group.rg.name
# }
# resource "azurerm_private_dns_zone_virtual_network_link" "mongo" {
#   name                  = "mongo-vnet-link-${var.client}-${var.env}"
#   resource_group_name   = azurerm_resource_group.rg.name
#   private_dns_zone_name = azurerm_private_dns_zone.mongo.name
#   virtual_network_id    = azurerm_virtual_network.vnet.id
# }

# resource "azurerm_private_endpoint" "mongo" {
#   name                = "pe-mongo-vcore-${var.client}-${var.env}"
#   location            = azurerm_resource_group.rg.location
#   resource_group_name = azurerm_resource_group.rg.name
#   subnet_id           = azurerm_subnet.private_endpoints.id
#   private_service_connection {
#     name                           = "mongo-connection-${var.client}-${var.env}"
#     private_connection_resource_id = azurerm_mongo_cluster.mongo_vcore.id
#     subresource_names              = ["MongoCluster"]
#     is_manual_connection           = false
#   }

#   private_dns_zone_group {
#     name                 = "mongo-dns"
#     private_dns_zone_ids = [azurerm_private_dns_zone.mongo.id]
#   }
# }

If you have any idea how to assist me, I will appreciate :)

I have commented code as without # my code is not formatted good.

5 answers

Your answer

Answer 1

It seems you are experiencing issues with the configuration of private endpoints for your Azure Mongo vCore setup. Here are some steps to troubleshoot the connectivity and DNS resolution issues you are facing:

Verify Private Endpoint Configuration: Ensure that your private endpoint is correctly configured and that the connection state is Approved. You can do this by checking the Private Link Center in the Azure portal.
DNS Configuration: Since you mentioned that you suspect the SRV DNS record is not working, confirm that the private DNS zone is properly integrated with your virtual network. You can check the DNS configuration on the private endpoint to ensure that the Private DNS zone is linked to the virtual network.
Private DNS Zone Entries: Make sure that the necessary DNS records are created in your private DNS zone. You should have entries for the FQDNs that correspond to your private endpoint. If they are missing, you may need to recreate the private endpoint with DNS integration enabled.
Testing DNS Resolution: Use the nslookup command on a VM within the same virtual network to check if the FQDN resolves to the correct private IP address assigned to the private endpoint. This will help you confirm whether DNS resolution is functioning as expected.
Check Azure Monitor: Utilize Azure Monitor to check if data is flowing through the private endpoint. This can help you identify if the issue is related to connectivity or DNS resolution.
Review Terraform Configuration: Ensure that your Terraform configuration is correctly set up to create the private endpoint and DNS records. Double-check the parameters related to private DNS zone integration in your Terraform scripts.

If you follow these steps and still face issues, consider reaching out to Azure support for more detailed assistance specific to your configuration.

Answer 2

Hi Nedeljko Scepanovic,
Your MongoDB vCore private endpoint creates the connection but misses DNS records because the private_dns_zone_group needs a zone_name = "mongocluster" parameter, and subresource_names must be lowercase ["mongocluster"] (not "MongoCluster").

Fixed Terraform Code:

text
resource "azurerm_private_endpoint" "mongo" {
  name                = "pe-mongo-vcore-${var.client}-${var.env}"
  location            = azurerm_resourcegroup.rg.location
  resource_group_name = azurerm_resourcegroup.rg.name
  subnet_id           = azurerm_subnet.private_endpoints.id

  private_service_connection {
    name                           = "mongo-connection-${var.client}-${var.env}"
    private_connection_resource_id = azurerm_mongo_cluster.mongo_vcore.id
    subresource_names              = ["mongocluster"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "mongo-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.mongo.id]
    zone_name            = "mongocluster"  # This creates the SRV/A records
  }
}

DNS Zone:
Your privatelink.mongo.cosmos.azure.com zone is correct. After terraform apply, expect these auto-created records:

fc-ad4xxxxxcac0-000.mongocluster → 10.x.x.5

fc-ad4xxxxxcac0-000.global → 10.x.x.5

fc-ad4xxxxxcac0-000.ro.global → 10.x.x.5

Test Connection

From VNet VM:

bash
nslookup fc-ad4xxxxxcac0-000.mongocluster.privatelink.mongo.cosmos.azure.com
# Should return 10.x.x.5

mongo "mongodb+srv://adminTerraform:******@mongo-vcore-xxx.privatelink.mongo.cosmos.azure.com/?tls=true"

Hope this helps! Let me know if there’s more info you can share so I can assist you further.

Answer 3

@Pilladi Padma Sai Manisha

Thank you for your kind reply,

I see there is some mistake in your reply.

I managed to get proper terraform configuration with TF ARM provider, but still without SRV record, not sure is it possible to get it anyway.

In my provider's ver. which is 4.56.0 is not supporting option zone_name in PE configuration.

Also in my TF configuration I realized it was not correct private zone.
How I managed to fix issue ?

Just reverse engineering.

I have created Mongo vCore instance with terrafrom and added private endpoint via Azure Portal.

I guess, from AKS/Azure VNET we need to use mongodb://, and from outside we can use also srv record. As AKS will behind private endpoint, and it is not planned Mongo access to be public, I guess we will not use srv record anyway.

@Pilladi Padma Sai Manisha please verify my answer. I guess here is problem with not updated documentations. For example in Azure private dns list I wasn't able to find dns zone
privatelink.mongocluster.cosmos.azure.com.

resource "azurerm_mongo_cluster" "mongo_vcore" {
  name                   = "mongo-vcore-${var.client}-${var.env}"
  resource_group_name    = azurerm_resource_group.rg.name
  location               = azurerm_resource_group.rg.location
  administrator_username = "adxxxxxxorm"
  administrator_password = "QAzzzzzdfg"
  shard_count            = "1"
  compute_tier           = "M20"
  high_availability_mode = "Disabled"
  storage_size_in_gb     = "32"
  version =  "7.0"
}

resource "azurerm_private_dns_zone" "mongo" {
  name                = "privatelink.mongocluster.cosmos.azure.com"
  resource_group_name = azurerm_resource_group.rg.name
}


resource "azurerm_private_dns_zone_virtual_network_link" "mongo" {
  name                  = "mongo-vnet-link-${var.client}-${var.env}"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.mongo.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
}


resource "azurerm_private_endpoint" "mongo" {
  name                = "pe-mongo-vcore-${var.client}-${var.env}"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.private_endpoints.id

  private_service_connection {
    name                           = "mongo-connection-${var.client}-${var.env}"
    private_connection_resource_id = azurerm_mongo_cluster.mongo_vcore.id
    subresource_names              = ["MongoCluster"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "mongo-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.mongo.id]
  }
}

Pilladi Padma Sai Manisha 2,465 Reputation points Microsoft External Staff Moderator

2025-12-18T20:00:02.45+00:00

Hi Nedeljko Scepanovic,
Thanks for the detailed update the behavior you’re seeing is expected. Azure Cosmos DB for MongoDB vCore uses a different Private DNS zone than the older RU‑based Mongo API. The correct zone for vCore is:

privatelink.mongocluster.cosmos.azure.com

So the reason Terraform didn’t create the DNS records automatically is due to outdated documentation plus the fact that provider version 4.56.0 does not support the old zone_name parameter. For vCore, Terraform only wires DNS when you explicitly attach the zone using a private_dns_zone_group on the Private Endpoint.

Your manual test creating the Private Endpoint in the Portal and then reverse‑engineering the DNS zone is actually correct. Once the Private DNS zone is linked to your VNet, the A records appear as expected.

Also, because your AKS / VNet traffic stays private and public access is disabled, relying on SRV records is not recommended. In vCore private‑only setups, use the non‑SRV connection string pointing to the FQDN in the private zone.

Your Terraform config was fine the missing DNS was due to the wrong zone name and provider limitations.

The correct zone is privatelink.mongocluster.cosmos.azure.com for vCore.

Using non‑SRV connection strings is the right choice when everything sits behind a Private Endpoint.

Answer 4

zeenmc 0

Hello @Pilladi Padma Sai Manisha , I would to ask you for more assistance. Code what I wrote in my peronal laptop, and used in my personal Azure is working fine with public accessible AKS. But when I tried to implement same code in work azure account, I got same behavior as with Azure verified module for Mongo vCore. Just Mongo is not working, I am able to resolve privatelink dns record, but not able to connect on Mongo db.

Difference between my own env is:

work related AKS is private, behind private endpoint and also using overlay network for pods
My AKS in my private Azure, is public accessible, it is NOT behind private endpoint, and is using Azure CNI for VNET.

Please assist, I have tried to many things, and I am lost. Strange, just I am scared this is because outdated documentation, and I had this issues in past, just I am blind :(.
Ned.

Pilladi Padma Sai Manisha 2,465 Reputation points Microsoft External Staff Moderator

2025-12-19T00:57:36.01+00:00

Hi Nedeljko Scepanovic,
Thanks again for all the details you shared it really helps narrow things down. Since you’re seeing different behavior between your personal AKS setup and the work AKS environment, here’s a clear plan we can follow together to get this resolved:

Confirm DNS resolution from inside the AKS pod Let’s verify that your pod can resolve the private FQDN of the Mongo vCore cluster (from your earlier tests, DNS seems OK, but let’s confirm inside the pod).

Run a quick: nslookup <your-mongocluster.private.fqdn> If this returns the private 10.x.x.x IP, DNS is fine.

Check network path from the AKS nodes to the Private Endpoint In overlay networking, the actual traffic originates from the node, not the pod.

If the node subnet has NSG/UDR rules, those might be blocking port 27017 to the Private Endpoint.

We just need to confirm outbound from node subnet > PE subnet is allowed.

Verify the Private DNS zone is linked to the AKS node VNet Sometimes the private zone ends up linked only to a hub or another VNet.

The zone privatelink.mongocluster.cosmos.azure.com must be linked to the exact VNet your AKS nodes live in.

Check if any firewall / NVA is intercepting egress If the work environment uses forced tunneling or an NVA firewall, traffic may bypass the Private Endpoint path.

If routing is sending the request outside the VNet, the Private Endpoint will reject it.

Use the non‑SRV connection string Since you're on Private Endpoint only, sticking to the non‑SRV connection string avoids DNS SRV lookup issues.

We will keep using the FQDN entries from the private zone.

Share the exact error message from the AKS pod A timeout vs TLS handshake vs auth error tells us exactly which layer is failing.

Once you share that, we can pinpoint the next step quickly.
Pilladi Padma Sai Manisha 2,465 Reputation points Microsoft External Staff Moderator

2025-12-20T00:32:24.67+00:00

Hi Nedeljko Scepanovic,
I hope you had a chance to review the information shared earlier, and I hope this information has been helpful! If you still have questions, please let us know what is needed in the comments so the question can be answered.
zeenmc 0 Reputation points

2025-12-20T00:53:40.7033333+00:00

Hello Pilladi Padma Sai Manisha,
I tried a few things but without success. In my private Azure I applied same configuration, and I got same behavior as in work related AKS.

Private AKS (Private API)
overlay network with Cilium

No NSG groups created by me, only for AKS nodes which was created automatically
No routing tables created by me
I tried as outbound traffic with Loadbalancer and NAT gateway, same behaivor
I have tried private AKS with Azure CNI, same behavior.

When is AKS API private, I am not able to connect to Mongo vCore also over VM which is in same VNET but not Kubernets node.

In the morning I will try steps what you requested.
Thank you for your support.

zeenmc 0

Hello Pilladi Padma Sai Manisha,

No progress from my side. When I tried to bring up whole infra which worked in past in my private azure, didn't work, as I am tired because of this, probably I missed something when I tried to test working setup before I change AKS to be private.

What is interesting, I have tested Redis, same setup, private end point, and Redis is working fine. I have checked Mongo vCore with Network Watcher, which is saying:

Screenshot_2025-12-21_22-03-47

In screenshot, I used 27017, but same result is for 10255, but anyway, I think 27017 is used by Mongo vCore.

Regarding Redis validation, below results are positive, means, Redis is working, I have tried from VM. With Mongo vCore 0 success :(.

admintestadmin@vm-jump-aks:~$ nc -vz redis-xxxxxxxdev.privatelink.redis.cache.windows.net 6380
Connection to redis-xxxxxxxx-dev.privatelink.redis.cache.windows.net (10.0.4.4) 6380 port [tcp/*] succeeded!

admintestadmin@vm-jump-aks:~$ openssl s_client -connect redis-xxxxxxx-dev.redis.cache.windows.net:6380
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = Microsoft Corporation, CN = Microsoft Azure RSA TLS Issuing CA 08
verify return:1
depth=0 C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = *.redis.cache.windows.net
verify return:1
---
Certificate chain
 0 s:C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = *.redis.cache.windows.net
   i:C = US, O = Microsoft Corporation, CN = Microsoft Azure RSA TLS Issuing CA 08

admintestadmin@vm-jump-aks:~$ nslookup redis-xxxxxx-dev.redis.cache.windows.net
Server:         127.0.0.53
Address:        127.0.0.53#53
Non-authoritative answer:
redis-xxxxx-dev.redis.cache.windows.net    canonical name = redis-ai-factory-dev.privatelink.redis.cache.windows.net.
Name:   redis-xxxxxxxx-dev.privatelink.redis.cache.windows.net
Address: 10.0.4.4

Here you can find a few terraform files which are important for this issue.
https://gitlab.com/brokenbyte-iac/tf-infra

Please assist me with this, as I am loosing my mind...
Ned.

EDIT:
I realized Redis PE is using different subnet compared to Mongo, just to be sure, I have changed subnet just to be sure is there some issue, but result is same. Redis is working, Mongo NOT.

Now, both services use same subnet for PE interfaces: 10.0.3.0/24

I am thinking to see can I open ticket with Azure/Github etc...not so sure does company azure has access to support, and I don't have access to clients azure which has.

admintestadmin@vm-jump-aks:~$ nslookup redis-xxxxxxx-dev.privatelink.redis.cache.windows.net
Server:         127.0.0.53
Address:        127.0.0.53#53
Non-authoritative answer:
Name:   redis-xxxxxxxxx-dev.privatelink.redis.cache.windows.net
Address: 10.0.3.4
admintestadmin@vm-jump-aks:~$ nslookup fc-cb831659c834-000.global.privatelink.mongocluster.cosmos.azure.com
Server:         127.0.0.53
Address:        127.0.0.53#53
Non-authoritative answer:
Name:   fc-cb831659c834-000.global.privatelink.mongocluster.cosmos.azure.com
Address: 10.0.3.5
admintestadmin@vm-jump-aks:~$ 
admintestadmin@vm-jump-aks:~$ 
admintestadmin@vm-jump-aks:~$ nc -vz redis-xxxxxxx-dev.privatelink.redis.cache.windows.net 6380
Connection to redis-xxxxxx-dev.privatelink.redis.cache.windows.net (10.0.3.4) 6380 port [tcp/*] succeeded!
admintestadmin@vm-jump-aks:~$ 
admintestadmin@vm-jump-aks:~$ 
admintestadmin@vm-jump-aks:~$ openssl s_client \
  -connect redis-xxxx-dev.privatelink.redis.cache.windows.net:6380
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = Microsoft Corporation, CN = Microsoft Azure RSA TLS Issuing CA 08
verify return:1
depth=0 C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = *.redis.cache.windows.net
verify return:1
---

Answer 5

I had chat with my Lead, and I guess everything was working fine, but I used wrong connection string.

As per documentation Private link doesn't support SRV record, and I ddin't try to use it. I guess azure documentation is not up to date, I don't have other idea how I managed to miss this. Anyway on the end this is solution if someone has problems in future. I used terraform vcore resources and also with Azure provided module.
This is working connection string:

mongodb+srv://asomeuser:******@mongo-vcore.global.mongocluster.cosmos.azure.com/?tls=true&authMechanism=SCRAM-SHA-256&retrywrites=false&maxIdleTimeMS=120000

Share via

Azure Mongo vcore private endpoint not created, or not working as expected

5 answers

Your answer