# Cosmos DB Connectivity Diagnostic - JSON Schema v1.0 ## Overview The diagnostic script outputs a structured JSON report containing network connectivity, private network configuration, and RBAC assessment data. This schema is stable and versioned to support parsing and triage automation. ## Root Object ```json { "version": "1.0.0", // Schema version (semantic versioning) "timestamp": "2026-05-13T14:30:45.123Z", // ISO 8601 UTC timestamp "target": {...}, // Account and subscription context "execution": {...}, // Script execution environment "diagnostics": {...}, // All diagnostic results "classification": {...} // Automated classification and recommendations } ``` --- ## Target Object Account and subscription identifiers. ```json { "target": { "endpointUrl": "https://my-cosmos-account.documents.azure.com", "hostname": "my-cosmos-account.documents.azure.com", "subscriptionId": "12345678-1234-1234-1234-123456789012", // May be "REDACTED" if --Redact flag used "resourceGroup": "my-rg", // May be "REDACTED" "accountName": "my-cosmos-account" // May be "REDACTED" } } ``` --- ## Execution Object Environment where script ran. ```json { "execution": { "hostname": "DESKTOP-ABC123", // Machine name "platform": "Windows 10", // OS name and version "powershellVersion": "7.3.0" // PowerShell version } } ``` --- ## Diagnostics Object All diagnostic results grouped by category. ```json { "diagnostics": { "dns": { ... }, // DNS resolution results "tcp": { ... }, // TCP 443 connectivity results "https": { ... }, // HTTPS probe results "privateNetwork": { ... }, // Private endpoint indicators "azureNetworkConfig": { ... }, // ARM-sourced network configuration "rbac": { ... }, // RBAC assessment "azureCli": { ... } // Azure CLI context } } ``` ### DNS Results ```json { "dns": { "hostname": "my-cosmos-account.documents.azure.com", "succeeded": true, // true = hostname resolved "addresses": [ "52.180.123.45", // Resolved IPv4 addresses "2607:f8b0:4005:806::200e" // IPv6 if available ], "error": null, // Error message if resolution failed "dnsServers": [ "8.8.8.8", // Detected DNS servers "8.8.4.4" ], "latencyMs": 145 // DNS query latency in milliseconds } } ``` **Classification logic:** - `succeeded: false` → DNS failure, likely network or DNS configuration issue - `succeeded: true` with `addresses` containing private IP (10.x, 172.16-31.x, 192.168.x) → Private endpoint - `succeeded: true` with `addresses` containing public IP → Public endpoint ### TCP Connectivity Results ```json { "tcp": { "hostname": "my-cosmos-account.documents.azure.com", "port": 443, "succeeded": true, // true = TCP 443 connection established "error": null, // Error message if connection failed (e.g., "Connection timeout after 5000ms") "latencyMs": 87, // Connection latency "sourceIp": "192.168.1.100" // Local IP used for connection attempt } } ``` **Classification logic:** - `succeeded: false` with DNS resolved → Network path blocked - `error` contains "timeout" → VPN/firewall/NVA may be dropping packets - `error` contains "refused" → Target may be rejecting connections ### HTTPS Probe Results ```json { "https": { "url": "https://my-cosmos-account.documents.azure.com", "succeeded": true, // true = HTTP 200-299 response "statusCode": 401, // HTTP status code (401 expected without auth) "error": null, // TLS/connection errors "latencyMs": 234 // Full request round-trip latency } } ``` **Classification logic:** - `succeeded: true` (any 2xx/4xx status) → Can reach endpoint - `statusCode: 401` → Expected (no credentials), network is healthy - `error` contains "certificate" or "TLS" → Certificate validation issue - `error` and `succeeded: false` → Network or firewall blocking TLS ### Private Network Indicators ```json { "privateNetwork": { "isPrivateRange": true, // true if any resolved IP is RFC 1918 "indicators": [ "Resolved to RFC 1918 private IP range (10.123.171.30)", "Matches expected private endpoint IP (10.123.171.30)" ], "matchesExpectedPrivateEndpoint": true, // true if resolved IP matches PrivateEndpointIP parameter "vpnRouteWarning": null // Warning if VPN subnet routing appears blocked } } ``` ### Azure Network Configuration ```json { "azureNetworkConfig": { "checked": true, // true if successfully queried via Azure CLI "publicNetworkAccessRestricted": true, // true if public network access is disabled "privateEndpoints": [ { "id": "/subscriptions/.../privateEndpointConnections/my-pe-connection", "state": "Approved" // Status: Approved, Pending, Rejected } ], "vnetRules": [ ], // Virtual network rules (firewall) "error": null // Error if Azure CLI query failed } } ``` ### RBAC Assessment ```json { "rbac": { "checked": true, // true if RBAC checked successfully "canReadAccount": true, // true if caller can read account properties "canManageAccount": false, // true if caller has Contributor/Owner "canExecuteDataPlaneOps": true, // true if caller likely has data-plane roles "roleAssignments": [ { "roleDefinitionName": "Cosmos DB Operator", "principalName": "user@example.com" } ], "classification": "partial", // Enum: "sufficient", "partial", "insufficient", "unknown" "error": null // Error message if check failed } } ``` ### Azure CLI Context ```json { "azureCli": { "installed": true, // true if Azure CLI is installed "authenticated": true, // true if 'az login' was successful "currentUser": "user@example.com", // May be "REDACTED-USER-NAME" "currentTenant": "12345678-1234-1234-1234-123456789012", // May be "REDACTED-TENANT-ID" "currentSubscription": "abcdef01-2345-6789-abcd-ef0123456789", "error": null // Error if CLI not installed or not authenticated } } ``` --- ## Classification Object Automated classification with recommendations. ```json { "classification": { "status": "failure", // Enum: "success", "failure", "warning", "unknown" "code": "tcp_connectivity_blocked", // Machine-readable classification code "summary": "DNS resolution succeeded but TCP 443 connection failed. Network path is blocked.", "rootCause": "Private endpoint configured but network path blocked (VPN routing, firewall/NVA, NSG, UDR, or peering issue)", "recommendedActions": [ "1. Verify VPN connectivity and that your client subnet can route to the private endpoint subnet", "2. Ask your network team to verify routing between DESKTOP-ABC123 and private endpoint 10.123.171.30", "3. Check Azure network security groups (NSGs) rules for port 443 inbound", "4. Verify Azure Virtual Network peering and User Defined Routes (UDRs)", "5. Check if corporate firewall/NVA is blocking the connection", "6. Manually run: Test-NetConnection -ComputerName my-cosmos-account.documents.azure.com -Port 443" ] } } ``` ### Classification Codes Reference | Code | Status | Meaning | Likely Cause | |------|--------|---------|--------------| | `dns_resolution_failed` | failure | Hostname cannot resolve | DNS misconfiguration, proxy redirect, network unreachable | | `tcp_connectivity_blocked` | failure | DNS works, TCP 443 fails | Firewall, VPN routing, NVA, NSG, private path blocked | | `private_endpoint_network_path_blocked` | failure | Private endpoint detected, TCP fails | VPN → private endpoint routing broken | | `network_connectivity_healthy` | success | DNS and TCP both work | Network is healthy; check auth/RBAC if operations fail | | `rbac_insufficient` | warning | Network OK, but RBAC limited | User lacks data-plane roles | | `private_endpoint_mismatch` | warning | Resolved to different IP than expected | Private endpoint routing may be asymmetric or misconfigured | | `azure_config_check_skipped` | warning | Azure CLI not authenticated | Can't validate ARM-level network configuration | --- ## Redacted Output When script is invoked with `-Redact` flag: ```json { "target": { "endpointUrl": "REDACTED", "hostname": "my-cosmos-account.documents.azure.com", // Hostname kept (needed for triage) "subscriptionId": "REDACTED-SUBSCRIPTION-ID", "resourceGroup": "REDACTED", "accountName": "REDACTED" }, "diagnostics": { "azureCli": { "currentUser": "REDACTED-USER-NAME", "currentTenant": "REDACTED-TENANT-ID" }, "rbac": { "roleAssignments": [ { "roleDefinitionName": "Cosmos DB Operator", "principalName": "REDACTED-PRINCIPAL-NAME" } ] } } } ``` --- ## Sample Outputs ### Scenario 1: Network Healthy (Public Endpoint) ```json { "version": "1.0.0", "timestamp": "2026-05-13T14:30:45Z", "target": { "endpointUrl": "https://my-cosmos.documents.azure.com", "hostname": "my-cosmos.documents.azure.com", "subscriptionId": "12345678-1234-1234-1234-123456789012", "resourceGroup": "my-rg", "accountName": "my-cosmos" }, "diagnostics": { "dns": { "hostname": "my-cosmos.documents.azure.com", "succeeded": true, "addresses": ["52.180.123.45"], "error": null, "latencyMs": 12 }, "tcp": { "hostname": "my-cosmos.documents.azure.com", "port": 443, "succeeded": true, "error": null, "latencyMs": 45, "sourceIp": "192.168.1.100" }, "https": { "url": "https://my-cosmos.documents.azure.com", "succeeded": true, "statusCode": 401, "error": null, "latencyMs": 78 }, "privateNetwork": { "isPrivateRange": false, "indicators": [], "matchesExpectedPrivateEndpoint": false, "vpnRouteWarning": null } }, "classification": { "status": "success", "code": "network_connectivity_healthy", "summary": "Network connectivity is healthy. DNS resolves and TCP 443 is reachable.", "rootCause": null, "recommendedActions": [ "✓ Local network connectivity is working", "If Cosmos DB operations still fail, check:", " - RBAC/authentication permissions", " - Account firewall IP rules (if enabled)", " - Data plane token expiry", " - Application-level issues (connection strings, SDK versions)" ] } } ``` ### Scenario 2: Private Endpoint Path Blocked ```json { "version": "1.0.0", "timestamp": "2026-05-13T14:35:22Z", "target": { "endpointUrl": "https://my-cosmos-pe.documents.azure.com", "hostname": "my-cosmos-pe.documents.azure.com", "subscriptionId": "12345678-1234-1234-1234-123456789012", "resourceGroup": "my-rg", "accountName": "my-cosmos-pe" }, "diagnostics": { "dns": { "hostname": "my-cosmos-pe.documents.azure.com", "succeeded": true, "addresses": ["10.123.171.30"], "error": null, "latencyMs": 8 }, "tcp": { "hostname": "my-cosmos-pe.documents.azure.com", "port": 443, "succeeded": false, "error": "Connection timeout after 5000ms", "latencyMs": 0, "sourceIp": null }, "privateNetwork": { "isPrivateRange": true, "indicators": [ "Resolved to RFC 1918 private IP range (10.123.171.30)", "Matches expected private endpoint IP (10.123.171.30)" ], "matchesExpectedPrivateEndpoint": true, "vpnRouteWarning": "Private endpoint IP detected but TCP 443 failed. Likely VPN → PE route blocked." } }, "classification": { "status": "failure", "code": "private_endpoint_network_path_blocked", "summary": "DNS resolution succeeded but TCP 443 connection failed to private endpoint. Network path is blocked.", "rootCause": "Private endpoint network path blocked (VPN routing, firewall/NVA, NSG, UDR, or peering issue)", "recommendedActions": [ "1. Verify VPN connectivity and that your client subnet can route to the private endpoint subnet", "2. Ask your network team to verify routing from 10.249.14.218 to private endpoint 10.123.171.30", "3. Check Azure network security groups (NSGs) rules for port 443 inbound on private endpoint subnet", "4. Verify Azure Virtual Network peering and User Defined Routes (UDRs)", "5. Check if corporate firewall/NVA is blocking the connection", "6. Manually run: Test-NetConnection -ComputerName my-cosmos-pe.documents.azure.com -Port 443" ] } } ``` ### Scenario 3: DNS Resolution Failed ```json { "version": "1.0.0", "timestamp": "2026-05-13T14:40:10Z", "target": { "endpointUrl": "https://my-cosmos-invalid.documents.azure.com", "hostname": "my-cosmos-invalid.documents.azure.com" }, "diagnostics": { "dns": { "hostname": "my-cosmos-invalid.documents.azure.com", "succeeded": false, "addresses": [], "error": "No such host is known", "dnsServers": ["8.8.8.8"], "latencyMs": 2342 }, "tcp": { "hostname": "my-cosmos-invalid.documents.azure.com", "port": 443, "succeeded": false, "error": "No such host is known", "latencyMs": 0, "sourceIp": null } }, "classification": { "status": "failure", "code": "dns_resolution_failed", "summary": "DNS resolution failed. The Cosmos DB endpoint hostname cannot be resolved.", "rootCause": "DNS configuration, VPN/proxy DNS redirect, or network connectivity issue", "recommendedActions": [ "1. Check if you are connected to corporate VPN or proxy that intercepts DNS", "2. Manually run: nslookup my-cosmos-invalid.documents.azure.com", "3. If nslookup fails, check with your network team or ISP", "4. Try pinging the endpoint or using nslookup with alternate DNS: nslookup my-cosmos-invalid.documents.azure.com 8.8.8.8" ] } } ``` --- ## Parsing Guidelines Implementers parsing this JSON should: 1. **Always check version**: Fields may differ in future versions. Parse defensively. 2. **Use classification.code not status**: Status is user-facing; code is machine-readable for routing and automation. 3. **Check diagnostics.azureCli.authenticated**: If false, Azure configuration checks are unreliable. 4. **Prioritize classification.recommendedActions**: Contains context-specific guidance. 5. **Redacted fields**: May be null or "REDACTED" strings. Do not assume structure. 6. **Latency fields**: Milliseconds, may be 0 if unavailable. 7. **Handle missing fields**: Especially in older versions or on non-Windows platforms. --- ## Version History ### v1.0.0 (2026-05-13) - Initial schema - Includes DNS, TCP, HTTPS, private network, Azure config, and RBAC checks - Classification codes stable - Redaction support