Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Request is blocked. Please check your authorization token and Cosmos DB account firewall settings
See original GitHub issueDescribe the bug I have a Cosmos DB account with configured IP firewall. I added my current IP to the allowed list. Got error “Request is blocked.” on adding data to a container.
To Reproduce
- Configure IP firewall
- Add current IP
- Use Cosmos SDK to
CreateItem
Expected behavior The response should be successful.
Actual behavior
This code can create a database, can create a new container but cannot add items to the container due to 403
Provide a description of the actual behavior observed. System.Exception: ‘Response status code does not indicate success: Forbidden (403); Substatus: 0; ActivityId: 5f7338ca-ed44-45c9-8e34-5871a3546ace; Reason: (Message: {“Errors”:[“Request is blocked. Please check your authorization token and Cosmos DB account firewall settings.”]} ActivityId: 5f7338ca-ed44-45c9-8e34-5871a3546ace, Request URI: /apps/0156f92e-e3ce-40cc-b1ee-be8393bd1b32/services/29e75939-155e-4b51-ba5c-e2efa9dd8d7d/partitions/e9bdb85e-d6a5-44fc-8626-e505b9255756/replicas/132598680007213774p/, RequestStats: Please see CosmosDiagnostics, SDK: Windows/10.0.19042 cosmos-netstandard-sdk/3.15.2);’
Environment summary SDK Version: 3.15.2 OS Version: Windows
Additional context Add any other context about the problem here (for example, complete stack traces or logs).
Issue Analytics
- State:
- Created 3 years ago
- Comments:11 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Thank you very much for this great explanation. It was exactly what I need. Thanks again.
The blocking of the request is not generated by the SDK, the SDK is just materializing the service response, it’s the service the one blocking the request, so we cannot know the reason from the SDK perspective.
There could be a service side issue that is only affecting point operations (CreateItem call) and not metadata operations (CreateDatabase), but we cannot answer that here, this is not a Cosmos DB general support forum, we can only act on SDK bugs or issues.
Technically speaking, the CreateDatabase call is an HTTP call that goes to the Gateway, while the CreateItem is a TCP call that goes to the backend replica address (V3 SDK has Direct mode as default). If the Gateway calls are working and the TCP calls are failing, it could indicate an issue on the service and a support ticket is the best way.
If you disable Firewall and everything works, and you enable Firewall and it fails, then logically, the issue is with Firewall.
In your screenshot, I see you also have VPN enabled, another potential aspect could be the VPN, but again, not an SDK issue.
Portal does not work the same way as the SDK (that is why it has a dedicated checkbox, to whitelist the IPs used by Portal). I am not familiar with Azure Storage Explorer, but it might be just using HTTP requests, not TCP requests, which would map again to the behavior of why the CreateDatabase calls work but the TCP ones fail. Since you have a VPN configured, maybe the VPN is correctly working for HTTP requests but not for TCP requests.