B1ms Server Stuck: FATAL pg_hba.conf rejects connection despite active Firewall Rules

Question

Issue: Since yesterday Azure PostgreSQL Flexible Server (B1ms tier) is rejecting all connections with FATAL: pg_hba.conf rejects connection, despite Firewall rules being correctly configured in the Portal and CLI.

Symptoms:

Server: mara (Switzerland North)

Status: "Ready" in Portal, but "Public access: Not configured" in Overview pane (Desync).

Troubleshooting done:

Added Client IP and "0.0.0.0-255.255.255.255" via Portal.

  Verified rules exist via `az postgres flexible-server firewall-rule list`.
  
     Restarted server multiple times.
     
        Scaled compute up and down to force redeploy.
        

Proof of Platform Error: Running psql from Azure Cloud Shell also fails: psql: error: connection to server ... failed: FATAL: pg_hba.conf rejects connection for host "10.x.x.x"

The Control Plane has failed to sync pg_hba.conf to the Data Plane. Please assist as I cannot open a support ticket.

Answer 1

Hello Ludovic Manjot,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that your B1ms Server Stuck with FATAL pg_hba.conf rejects connection despite active Firewall Rules.

Run in this exact order; stop once connectivity is restored.

1. Portal > Server > Networking Set Public network access = Disabled > Save > Ready; Set Enabled → Add current client IP (only) > Save > Ready. For private access deployments, temporarily enable public access with a narrow rule just to validate platform state, then revert.- https://learn.microsoft.com/en-us/azure/postgresql/security/security-firewall-rules and https://learn.microsoft.com/en-us/azure/postgresql/network/how-to-networking-servers-deployed-public-access-add-firewall-rules
2. Ensure client uses SSL/TLS (sslmode=require, etc.). Retest from Azure Cloud Shell and your workstation. If your tooling shows “SSL off”, enable SSL.
3. Restart the Flexible Server (standard restart). Retest. - https://stackoverflow.com/questions/62301317/azure-database-for-postgresql-server-no-pg-hba-conf-entry-for-host
4. If HA is enabled > Forced failover

   Portal > High availability > Forced failover, or
   
   CLI: `az postgres flexible-server restart --resource-group <rg> --name <server> --failover Forced`  - [https://learn.microsoft.com/en-us/azure/postgresql/high-availability/how-to-configure-high-availability]()
   

5. You can open support (Critical) with desync evidence (include Cloud Shell failure). - https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request
6. If downtime is unacceptable, PITR to new server, configure Networking, validate, then cut over your app. - https://stormatics.tech/blogs/restoring-postgresql-database-using-azure-flexible-server

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

---

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Answer 2

Hi Ludovic Manjot,

Could you please try testing the SSL parameter "required secure transport". Please confirm once you have tested.