CosmosDB Account resource with public access disabled

Hello,

I have a question regarding azurerm_cosmosdb_account resource, in particular public_network_access_enabled parameter.

What I am doing is I am adding some virtual_network_rule and ip_range_filter. Virtual network is my AKS network, while I am adding IP filter to include Azure Portal IPs.

What happens is that Azure Portal connectivity only works if public_network_access_enabled parameter is set to true. What is the reason behind it. Does it mean that if this parameter is set to false, no public access is allowed, even if IPs are specified in IP filter?

Example of my configuration:

data "azurerm_resource_group" "main" {
  name = var.resource_group_name
}

locals {
  azure_portal_ip_range = [
    "104.42.195.92",
    "40.76.54.131",
    "52.176.6.30",
    "52.169.50.45",
    "52.187.184.26"
  ]
}

resource "azurerm_cosmosdb_account" "cosmosdb" {
  name                 = "${var.deployment_name}-${var.suffix}"
  location             = data.azurerm_resource_group.main.location
  resource_group_name  = data.azurerm_resource_group.main.name
  offer_type           = "Standard"
  kind                 = "MongoDB"
  mongo_server_version = "4.0"

  ip_range_filter                   = join(",", local.azure_portal_ip_range)
  is_virtual_network_filter_enabled = true

  backup {
    type                = "Periodic"
    interval_in_minutes = 1440
    retention_in_hours  = 48
  }

  capabilities {
    name = "EnableMongo"
  }

  consistency_policy {
    consistency_level = "Session"
  }

  geo_location {
    location          = data.azurerm_resource_group.main.location
    failover_priority = 0
  }

  identity {
    type = "SystemAssigned"
  }

  virtual_network_rule {
    id = var.aks_subnet_id
  }

  tags = var.tags
}

Thank you and best regards,
Bostjan