Permission Denied Error (403) When Connecting to Azure OpenAI and Cosmos DB from Azure Synapse Analytics

Question

Permission Denied Error (403) When Connecting to Azure OpenAI and Cosmos DB from Azure Synapse Analytics

Sooriya E 10

Hi Team,
When attempting to connect to Azure OpenAI and Azure Cosmos DB from an Azure Synapse Analytics notebook, a Permission Denied error (code 403) is encountered due to firewall rules or virtual network settings. Both Azure OpenAI and Cosmos DB accounts are configured to allow all networks, not restricted to selected networks, and there are no virtual network or firewall rules applied. Assistance is requested to resolve this issue.

Error received:

PermissionDeniedError: Error code: 403 - {'error': {'code': '403', 'message': 'Access denied due to Virtual Network/Firewall rules.'}}

Harish Peddapally 0 Reputation points Microsoft External Staff Moderator

2025-08-06T06:58:23.89+00:00

Hi Sooriya E ,

Thanks for posting your query on QnA! Let me try to help you with my observations here.

I got know that You're encountering a known issue that even when Azure OpenAI and Cosmos DB are set to "Allow all networks," Azure Synapse Analytics notebooks still receive a “PermissionDeniedError (403): Access denied due to Virtual Network/Firewall rules”. This typically happens because Synapse Spark pools don’t operate over the public endpoint—instead, they require private connections.

To overcome this, you may need to follow these steps, or you need to work on the below configuration:

1. Check User Permissions:

Ensure you have the necessary permissions on your Azure Synapse workspace. You should have at least Owner or Contributor permissions. You can verify this by going to the Azure portal, navigating to your Synapse workspace > Access control (IAM) > View my access.

2. Synapse Requires a Managed VNet: As Synapse Requires a Managed VNet, Synapse’s Apache Spark pools must be deployed within a Managed Virtual Network to use private endpoints. Without it, outbound requests from Synapse still try the public path and get blocked—even if Cosmos DB or Azure OpenAI allow all networks Unfortunately, Managed VNet can only be enabled when creating a Synapse workspace, not added later.

Reference link: https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-managed-vnet

3. Configure Private Endpoints and Approvals: For Cosmos DB: create managed private endpoints in Synapse for the SQL and/or Analytical stores.

Then go to the Cosmos DB → Networking → Private Access and approve the endpoint. Only after approval will Synapse be able to connect successfully.

Configure Azure Private Link for Azure Cosmos DB Link: : https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints

Securing Azure OpenAI inside a virtual network with private endpoints Link:

https://learn.microsoft.com/en-us/azure/ai-foundry/openai/how-to/network

4. DNS / Endpoint Path Considerations:

Azure OpenAI and Cosmos DB may appear as “allow all” but Synapse still routes differently.

Make sure DNS resolution points to the private endpoint (private DNS zone) if using private endpoint connectivity.

For private endpoints, DNS resolution must resolve to private IPs, not the public endpoint. Use Private DNS Zones linked to the Synapse-managed VNet to ensure correct name resolution

5. Verify Identity & RBAC Permissions: Ensure the Synapse workspace's managed identity or service principal has proper access (Contributor or specific role) on both Cosmos DB and Azure OpenAI accounts.

Ensure proper Synapse RBAC roles (e.g. Synapse Contributor or Compute Operator) to run notebooks and access linked services. Would you be open to sharing an update or letting me know if further clarification or assistance would be helpful?

Thank you again for your time. I’m happy to continue supporting you—your experience and insights can also benefit others in the community.

Please do not forget to "Upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Thanks,

Harish.

2 answers

Your answer

Answer 1

Sooriya E 10

Hi Harish,

Good Afternoon. I have owner level permission in the resource group level. Yesterday I tried with selecting all networks in Azure OpenAI and got the same issue. So I changed it to selected networks and added my public IP and tried still got the same issue. So I followed this below link:
https://learn.microsoft.com/en-us/azure/synapse-analytics/security/gateway-ip-addresses

and ran again the notebook then it got success and got the expected output I will attach that screenshot for your reference. So my concern is in between it worked but again when I tried it is not working. Would need your assistance on this also one more question in selected is there any limit for adding the IP address maybe that could cause any issue?
User's image

Thanks,
Sooriya E

Harish Peddapally 0 Reputation points Microsoft External Staff Moderator

2025-08-11T03:39:31.74+00:00

Hi Sooriya E ,

Following up to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.

Thanks,

Harish.

Answer 2

Hi Sooriya E ,

Thank you for the update and for providing those valuable details. It's very helpful to know what you've tried and what you've observed.

Let me address your findings and your new questions:

1. Why did adding the Synapse gateway IP addresses work temporarily?

The Azure Synapse gateway IP addresses are used for certain control plane and management communications. When you added these to your firewall rules, you may have temporarily opened a path that allowed a specific part of the request to succeed. However, this is not a reliable long-term solution for notebook execution.

The main reason for the inconsistency is that the "Azure Synapse Spark pool's egress traffic does not originate from these fixed gateway IPs". The traffic from the Spark pool, which is running your notebook code, originates from a pool of dynamic IP addresses within the Azure data center, and these are not guaranteed to be consistent. This is why the connection worked once and then failed—the next time the notebook ran, its outbound traffic likely came from a different, unwhitelisted IP address.

2. Is there a limit to adding IP addresses?

Yes, there can be a practical limit on the number of IP addresses you can add to a firewall rule for a service like Azure Cosmos DB or Azure OpenAI. The limit varies by service.

3. The Recommended Solution:

The temporary success you saw with the gateway IPs reinforces the original recommendation. The most robust, secure, and permanent solution for connecting an Azure Synapse notebook to other Azure services is to use a "Managed Virtual Network and Managed Private Endpoints."

This architecture is specifically designed to handle this exact scenario. It ensures that all communication between your Synapse Spark pool and resources like Azure OpenAI and Cosmos DB happens over a secure, private network link, bypassing the public internet and any IP-based firewall rules.

Next Steps what you can is:

as far as i understand your Synapse workspace was not created with a Managed VNet, the only way to implement this solution is to create a new Synapse workspace and ensure the Managed Virtual Network option is enabled during the creation process. Once the new workspace is created, you can then set up the Managed Private Endpoints to your Azure OpenAI and Cosmos DB accounts.

This will provide a stable and secure connection that will not be affected by dynamic public IPs, resolving the inconsistency you are experiencing.

Thank you again for your time. I’m happy to continue supporting you—your experience and insights can also benefit others in the community.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Thanks,

Harish.

Share via

Permission Denied Error (403) When Connecting to Azure OpenAI and Cosmos DB from Azure Synapse Analytics

2 answers

Your answer