azure-cli: `az network bastion tunnel` crashes with "Unexpected internal error"

Describe the bug

I am attempting to tunnel to Azure Cosmos MongoDB with bastion. I believe I have the subnet and NSG set up correctly and have added cosmos to the bastion subnet correctly, but when I connect to the tunnel the process crashes with an “Unexpected internal error” and the tunnel fails.

Command Name: `az network bastion tunnel`

Errors:

Exception in thread Thread-1 (_start_tunnel):
Traceback (most recent call last):
  File "/usr/local/Cellar/python@3.10/3.10.6_1/Frameworks/Python.framework/Versions/3.10/lib/python3.10/threading.py", line 1016, in _bootstrap_inner
    self.run()
  File "/usr/local/Cellar/python@3.10/3.10.6_1/Frameworks/Python.framework/Versions/3.10/lib/python3.10/threading.py", line 953, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/local/Cellar/azure-cli/2.39.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/network/custom.py", line 8601, in _start_tunnel
    tunnel_server.start_server()
  File "/usr/local/Cellar/azure-cli/2.39.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/network/tunnel.py", line 184, in start_server
    self._listen()
  File "/usr/local/Cellar/azure-cli/2.39.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/network/tunnel.py", line 117, in _listen
    auth_token = self._get_auth_token()
  File "/usr/local/Cellar/azure-cli/2.39.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/network/tunnel.py", line 104, in _get_auth_token
    raise exp
msrestazure.azure_exceptions.CloudError: Unexpected internal error

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Create Azure CosmosDB instance
  • Create Bastion, Subnet, NSG, etc.
  • Add Cosmos to the bastion subnet
  • Open a tunnel to the cosmos db resource
  • Get the connection string from the cosmosdb resource, change the hostname to localhost, connect using Mongo Compass (or any other desktop client).
  • az network bastion tunnel --name {} --resource-group {} --target-resource-id {} --resource-port {} --port {}
COSMOS_ID=$(az cosmosdb list --resource-group "$RES_NAME" | jq -r '.[] | .id')
az network bastion tunnel \
  --name "$RES_NAME" \
  --resource-group "$RES_NAME" \
  --target-resource-id "$COSMOS_ID" \
  --resource-port 10255 \
  --port 10255

Expected Behavior

I expect the tunnel to succeed, or a clear error message to be printed out explaining why it didn’t succeed. Optionally, if CosmosDB is not a supported target then I would expect the tunnel command to check the --target-resource-id resource type and give a useful error message and not open the tunnel port at all.

Environment Summary

macOS-10.15.7-x86_64-i386-64bit, Darwin 19.6.0
Python 3.10.6
Installer: HOMEBREW

azure-cli 2.39.0

Extensions:
account 0.2.3
blueprint 0.3.1

Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1

Additional Context

My company blocks all outbound network traffic that isn’t port 443, so I need to tunnel to connect my local machine to the database for debugging and testing. I’m trying to utilize bastion for this purpose but it’s crashing and not giving appropriate feedback about what’s going wrong.
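
The check requested under Expected Behavior, as an added example (not azure-cli's own code and not part of the original issue): parse the `--target-resource-id` value and reject an unsupported resource type before any local port is opened. The allow-list of supported types, the function names and the sample IDs are assumptions made for illustration.

```python
# Added illustration; not azure-cli code. The allow-list below is an assumption.
import re

# Assumed set of target types the tunnel accepts (lower-cased "namespace/type").
SUPPORTED_TARGET_TYPES = {"microsoft.compute/virtualmachines"}

_RESOURCE_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


class UnsupportedTargetError(ValueError):
    """Raised before any local port is opened."""


def parse_target(resource_id):
    """Split a top-level ARM resource ID into its parts, or raise."""
    m = _RESOURCE_ID.match(resource_id.strip())
    if m is None:
        raise UnsupportedTargetError(f"not a top-level ARM resource ID: {resource_id!r}")
    return m.groupdict()


def check_tunnel_target(resource_id, supported=SUPPORTED_TARGET_TYPES):
    """Return the normalised resource type, or raise a readable error."""
    parts = parse_target(resource_id)
    rtype = f"{parts['ns']}/{parts['type']}".lower()
    if rtype not in supported:
        raise UnsupportedTargetError(
            f"target type '{rtype}' is not supported for tunnelling; "
            f"supported: {', '.join(sorted(supported))}"
        )
    return rtype


if __name__ == "__main__":
    # Constructed sample IDs (placeholder subscription, group and names).
    sub = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
    for rid in (
        sub + "/providers/Microsoft.Compute/virtualMachines/vm-demo",
        sub + "/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-demo",
    ):
        try:
            print("ok:", check_tunnel_target(rid))
        except UnsupportedTargetError as err:
            print("rejected:", err)
```

Running the check before the listener binds means a rejected target never leaves a local port open.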

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 20 (7 by maintainers)

Most upvoted comments

I am also facing the same issue. I am able to make the tunnel connection, but as soon as I try to connect it crashes.

Opening tunnel on port: 3389
Tunnel is ready, connect on port 3389
Ctrl + C to close
Exception in thread Thread-1 (_start_tunnel):
Traceback (most recent call last):
  File "/usr/local/Cellar/python@3.10/3.10.12_1/Frameworks/Python.framework/Versions/3.10/lib/python3.10/threading.py", line 1016, in _bootstrap_inner
    self.run()
  File "/usr/local/Cellar/python@3.10/3.10.12_1/Frameworks/Python.framework/Versions/3.10/lib/python3.10/threading.py", line 953, in run
    self._target(*self._args, **self._kwargs)
  File "/Users/kulsharm2/.azure/cliextensions/bastion/azext_bastion/custom.py", line 335, in _start_tunnel
    tunnel_server.start_server()
  File "/Users/kulsharm2/.azure/cliextensions/bastion/azext_bastion/tunnel.py", line 194, in start_server
    self._listen()
  File "/Users/kulsharm2/.azure/cliextensions/bastion/azext_bastion/tunnel.py", line 123, in _listen
    auth_token = self._get_auth_token()
  File "/Users/kulsharm2/.azure/cliextensions/bastion/azext_bastion/tunnel.py", line 112, in _get_auth_token
    self.last_token = response_json["authToken"]
KeyError: 'authToken

@justinmchase Please update your bastion extension by running the command below and check if that helps.

> az extension update -n bastion

Hope this helps.