Request is blocked. Please check your authorization token and Cosmos DB account firewall settings
Describe the bug
I have a Cosmos DB account with configured IP firewall. I added my current IP to the allowed list. Got error “Request is blocked.” on adding data to a container.
To Reproduce
- Configure IP firewall
- Add current IP
- Use Cosmos SDK to CreateItem
Expected behavior The response should be successful.
Actual behavior This code can create a database, can create a new container but cannot add items to the container due to 403
Provide a description of the actual behavior observed. System.Exception: ‘Response status code does not indicate success: Forbidden (403); Substatus: 0; ActivityId: 5f7338ca-ed44-45c9-8e34-5871a3546ace; Reason: (Message: {“Errors”:[“Request is blocked. Please check your authorization token and Cosmos DB account firewall settings.”]} ActivityId: 5f7338ca-ed44-45c9-8e34-5871a3546ace, Request URI: /apps/0156f92e-e3ce-40cc-b1ee-be8393bd1b32/services/29e75939-155e-4b51-ba5c-e2efa9dd8d7d/partitions/e9bdb85e-d6a5-44fc-8626-e505b9255756/replicas/132598680007213774p/, RequestStats: Please see CosmosDiagnostics, SDK: Windows/10.0.19042 cosmos-netstandard-sdk/3.15.2);’
Environment summary SDK Version: 3.15.2 OS Version: Windows
Issue Analytics
- State:
- Created 3 years ago
- Comments:11 (6 by maintainers)
Top GitHub Comments
Thank you very much for this great explanation. It was exactly what I need. Thanks again.
The blocking of the request is not generated by the SDK; the SDK is just materializing the service response. It’s the service that is blocking the request, so we cannot know the reason from the SDK perspective.
There could be a service side issue that is only affecting point operations (CreateItem call) and not metadata operations (CreateDatabase), but we cannot answer that here. This is not a Cosmos DB general support forum; we can only act on SDK bugs or issues.
Technically speaking, the CreateDatabase call is an HTTP call that goes to the Gateway, while the CreateItem is a TCP call that goes to the backend replica address (V3 SDK has Direct mode as default). If the Gateway calls are working and the TCP calls are failing, it could indicate an issue on the service and a support ticket is the best way.
If you disable Firewall and everything works, and you enable Firewall and it fails, then logically, the issue is with Firewall.
In your screenshot, I see you also have VPN enabled. Another potential aspect could be the VPN, but again, not an SDK issue.
Portal does not work the same way as the SDK (that is why it has a dedicated checkbox, to whitelist the IPs used by Portal). I am not familiar with Azure Storage Explorer, but it might be just using HTTP requests, not TCP requests, which would map again to the behavior of why the CreateDatabase calls work but the TCP ones fail. Since you have a VPN configured, maybe the VPN is correctly working for HTTP requests but not for TCP requests.
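The Gateway (HTTP) versus Direct-mode (TCP) split described in the comments above can be read off the error text itself. The following triage helper is an added example, not code from the thread or from the Cosmos SDK. It assumes that a Request URI of the form /apps/.../services/.../partitions/.../replicas/... identifies a backend replica reached in Direct mode; the gateway-style path used in the test is constructed.

```python
import re

# Error text from the issue above, with curly quotes normalised to ASCII.
SAMPLE = (
    'Response status code does not indicate success: Forbidden (403); Substatus: 0; '
    'ActivityId: 5f7338ca-ed44-45c9-8e34-5871a3546ace; Reason: (Message: {"Errors":'
    '["Request is blocked. Please check your authorization token and Cosmos DB '
    'account firewall settings."]} ActivityId: 5f7338ca-ed44-45c9-8e34-5871a3546ace, '
    'Request URI: /apps/0156f92e-e3ce-40cc-b1ee-be8393bd1b32/services/'
    '29e75939-155e-4b51-ba5c-e2efa9dd8d7d/partitions/'
    'e9bdb85e-d6a5-44fc-8626-e505b9255756/replicas/132598680007213774p/, '
    'RequestStats: Please see CosmosDiagnostics, '
    'SDK: Windows/10.0.19042 cosmos-netstandard-sdk/3.15.2);'
)

FIELDS = {
    "status": re.compile(r"\((\d{3})\)"),
    "substatus": re.compile(r"Substatus:\s*(\d+)"),
    "activity_id": re.compile(r"ActivityId:\s*([0-9a-fA-F-]{36})"),
    "request_uri": re.compile(r"Request URI:\s*([^,\s]+)"),
    "sdk": re.compile(r"SDK:\s*([^)]+)\)"),
}
# Assumption: this path shape means the request went to a backend replica (Direct mode).
REPLICA_URI = re.compile(
    r"^/apps/[^/]+/services/[^/]+/partitions/[^/]+/replicas/[^/]+/?$")

def transport(request_uri):
    """Classify which path the failing request took, based on its Request URI."""
    if not request_uri:
        return "unknown"
    return "direct-tcp" if REPLICA_URI.match(request_uri) else "gateway-http"

def triage(text):
    """Extract the fields needed for a support ticket and a next-step hint."""
    info = {k: (m.group(1).strip() if (m := rx.search(text)) else None)
            for k, rx in FIELDS.items()}
    info["transport"] = transport(info["request_uri"])
    info["firewall_block"] = info["status"] == "403" and "Request is blocked" in text
    if info["firewall_block"] and info["transport"] == "direct-tcp":
        info["hint"] = ("Blocked on the Direct-mode TCP path; compare with Gateway "
                        "calls and check the source IP seen for TCP (e.g. via VPN).")
    elif info["firewall_block"]:
        info["hint"] = "Blocked at the Gateway; check the allow list and the token."
    else:
        info["hint"] = "Not a firewall/authorization block message."
    return info

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
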