Azure Database for PostgreSQL flexible server: Unable to connect Pgbouncer port using private endpoint - 6432

Question

Azure Database for PostgreSQL flexible server: Unable to connect Pgbouncer port using private endpoint - 6432

AlexandrChokhar-8387 0

Hi
wierd case
fresh Azure Database for PostgreSQL flexible server instance with Public access and Private endpoint
VNET with no NSG,FIREWALL or any other limitations

i CAN connect 5432 with no issues using both: Public and Private Point**

**but for 6432 i can only connect Public and not Private endpoint

Done:
-restart instance
-turn off\on built-in pgbouncer

Any ideas??
Thank you!

Manoj Kumar Boyini 16,055 Reputation points Microsoft External Staff Moderator

2026-04-28T16:51:48.67+00:00

Hi @Alexandr Chokhar

I kindly request you to please share the details requested in the private message for further investigation.
AlexandrChokhar-8387 0 Reputation points

2026-04-29T09:36:46.9833333+00:00

Did not help.

i tried to create a new instance - same situation
AlexandrChokhar-8387 0 Reputation points

2026-04-30T10:20:02.11+00:00

@Manoj Kumar Boyini done
Manoj Kumar Boyini 16,055 Reputation points Microsoft External Staff Moderator

2026-04-30T19:36:09.03+00:00
Hi @AlexandrChokhar-8387

We recommend enabling the metrics.pgbouncer_diagnostics server parameter. This will provide visibility into PgBouncer connection pool health (active/waiting clients, server connections) and will allow both you and our team to diagnose PgBouncer-specific issues more effectively if they recur.

Enable PG/Pgbouncer logs with AzureDiagnostics, that will add an in depth details about the connections.

Could you also share the exact error message your application/client received when attempting to connect on port 6432? This may help us narrow the diagnosis further.
Manoj Kumar Boyini 16,055 Reputation points Microsoft External Staff Moderator

2026-05-01T21:02:11.2633333+00:00

Hi @AlexandrChokhar-8387

We haven't received response. Could you please share the error message in private message when attempting to connect.
Santhosh Kumar Machukuri 0 Reputation points Microsoft External Staff Moderator

2026-05-06T23:10:44.1866667+00:00

Hi @Alexandr Chokhar,

I hope you are doing well. We request you to share the error message in private message when attempting to connect.
AlexandrChokhar-8387 0 Reputation points

2026-05-07T06:02:30.8766667+00:00

@Santhosh Kumar Machukuri

5432 is available in general

WARNING: TCP connect to (10.131.150.4 : 6432) failed
WARNING: Ping to 10.131.150.4 failed with status: TimedOut
Santhosh Kumar Machukuri 0 Reputation points Microsoft External Staff Moderator

2026-05-07T17:19:32.1566667+00:00
Hi @Alexandr Chokhar,

Thanks for sharing error messages. After the analysis of the issue, we would like to inform you that

You can only use port 5432 over the Private endpoint for Azure Database for PostgreSQL flexible server.

Port 6432 is not accessible via the Private endpoint because Azure’s Private Link only exposes the default PostgreSQL port, regardless of the absence of NSGs or firewalls.

This behavior is by design to ensure secure and controlled access to managed database services.

For any requirement to use alternative ports over Private endpoints, you would need to consult Azure service documentation or consider custom solutions, but by default, only the standard port is supported. Feel free to let me know if you have any further queries.
AlexandrChokhar-8387 0 Reputation points

2026-05-15T09:04:21.4866667+00:00

@Santhosh Kumar Machukuri hi,
thank you for the answer.
i tried to find any article about this limitation, but did not success.
Can you please provide exact article?
Thank you!
Santhosh Kumar Machukuri 0 Reputation points Microsoft External Staff Moderator

2026-05-15T17:46:41.36+00:00

Hi AlexandrChokhar-8387,

Azure Database for PostgreSQL Flexible Server private endpoints provide connectivity to the managed database service endpoint over Azure Private Link. This endpoint is designed to support the native PostgreSQL connection on the default port (5432).

Custom or additional ports, such as 6432 used by PgBouncer, are not exposed through the private endpoint, as Private Link maps directly to the service instance rather than supporting arbitrary port access. This is expected behavior by design.

Reference documents:
https://learn.microsoft.com/en-us/azure/postgresql/configure-maintain/quickstart-create-server
https://learn.microsoft.com/en-us/azure/postgresql/network/concepts-networking-private-link
https://dev.azure.com/Supportability/d2e487c0-58ac-49f2-aeab-a006d6f2500d/_wiki/wikis/2bf16b3e-48c9-4e36-8c21-caeeb360d738/1885648
https://dev.azure.com/Supportability/d2e487c0-58ac-49f2-aeab-a006d6f2500d/_wiki/wikis/2bf16b3e-48c9-4e36-8c21-caeeb360d738/1885640

2 answers

Your answer

Manoj Kumar Boyini 16,055 Reputation points Microsoft External Staff Moderator

2026-04-28T16:51:48.67+00:00

Hi @Alexandr Chokhar

I kindly request you to please share the details requested in the private message for further investigation.
AlexandrChokhar-8387 0 Reputation points

2026-04-29T09:36:46.9833333+00:00

Did not help.

i tried to create a new instance - same situation
AlexandrChokhar-8387 0 Reputation points

2026-04-30T10:20:02.11+00:00

@Manoj Kumar Boyini done
Manoj Kumar Boyini 16,055 Reputation points Microsoft External Staff Moderator

2026-04-30T19:36:09.03+00:00

Hi @AlexandrChokhar-8387

We recommend enabling the metrics.pgbouncer_diagnostics server parameter. This will provide visibility into PgBouncer connection pool health (active/waiting clients, server connections) and will allow both you and our team to diagnose PgBouncer-specific issues more effectively if they recur.

Enable PG/Pgbouncer logs with AzureDiagnostics, that will add an in depth details about the connections.

Could you also share the exact error message your application/client received when attempting to connect on port 6432? This may help us narrow the diagnosis further.
Manoj Kumar Boyini 16,055 Reputation points Microsoft External Staff Moderator

2026-05-01T21:02:11.2633333+00:00

Hi @AlexandrChokhar-8387

We haven't received response. Could you please share the error message in private message when attempting to connect.
Santhosh Kumar Machukuri 0 Reputation points Microsoft External Staff Moderator

2026-05-06T23:10:44.1866667+00:00

Hi @Alexandr Chokhar,

I hope you are doing well. We request you to share the error message in private message when attempting to connect.
AlexandrChokhar-8387 0 Reputation points

2026-05-07T06:02:30.8766667+00:00

@Santhosh Kumar Machukuri

5432 is available in general

WARNING: TCP connect to (10.131.150.4 : 6432) failed
WARNING: Ping to 10.131.150.4 failed with status: TimedOut
Santhosh Kumar Machukuri 0 Reputation points Microsoft External Staff Moderator

2026-05-07T17:19:32.1566667+00:00

Hi @Alexandr Chokhar,

Thanks for sharing error messages. After the analysis of the issue, we would like to inform you that

You can only use port 5432 over the Private endpoint for Azure Database for PostgreSQL flexible server.

Port 6432 is not accessible via the Private endpoint because Azure’s Private Link only exposes the default PostgreSQL port, regardless of the absence of NSGs or firewalls.

This behavior is by design to ensure secure and controlled access to managed database services.

For any requirement to use alternative ports over Private endpoints, you would need to consult Azure service documentation or consider custom solutions, but by default, only the standard port is supported. Feel free to let me know if you have any further queries.
AlexandrChokhar-8387 0 Reputation points

2026-05-15T09:04:21.4866667+00:00

@Santhosh Kumar Machukuri hi,
thank you for the answer.
i tried to find any article about this limitation, but did not success.
Can you please provide exact article?
Thank you!
Santhosh Kumar Machukuri 0 Reputation points Microsoft External Staff Moderator

2026-05-15T17:46:41.36+00:00

Hi AlexandrChokhar-8387,

Azure Database for PostgreSQL Flexible Server private endpoints provide connectivity to the managed database service endpoint over Azure Private Link. This endpoint is designed to support the native PostgreSQL connection on the default port (5432).

Custom or additional ports, such as 6432 used by PgBouncer, are not exposed through the private endpoint, as Private Link maps directly to the service instance rather than supporting arbitrary port access. This is expected behavior by design.

Reference documents:
https://learn.microsoft.com/en-us/azure/postgresql/configure-maintain/quickstart-create-server
https://learn.microsoft.com/en-us/azure/postgresql/network/concepts-networking-private-link
https://dev.azure.com/Supportability/d2e487c0-58ac-49f2-aeab-a006d6f2500d/_wiki/wikis/2bf16b3e-48c9-4e36-8c21-caeeb360d738/1885648
https://dev.azure.com/Supportability/d2e487c0-58ac-49f2-aeab-a006d6f2500d/_wiki/wikis/2bf16b3e-48c9-4e36-8c21-caeeb360d738/1885640

Answer 1

Guillermo Paez 0

Hi!

After "Notification for Scheduled Maintenance to Azure Database for PostgreSQL" on 5/29/2026, 4:42:00 AM (UTC) PGBouncer doesn't connect

https://learn.microsoft.com/en-us/azure/postgresql/release-notes-maintenance/2026-april

I have a PostgreSQL flexible server that stopped working with pgbouncer after the May 29th update. I don't have NSG authentication and I'm on the same virtual network. It worked before the May 29th, but stopped after. Native psql authentication is being used.

Any ideas?

0 comments

Answer 2

PgBouncer on Azure Database for PostgreSQL flexible server listens on port 6432 on the same VM as the database and supports both public and private access. There is no separate firewall or NSG configuration for 6432 versus 5432 at the server level; both ports are exposed through the same networking model (public endpoint and/or private endpoint) when PgBouncer is enabled.

Given that:

5432 works over both public and private endpoint
6432 works over public endpoint but not private endpoint
VNET has no NSG or custom firewall

the most likely causes are:

PgBouncer not fully enabled or misconfigured
- In the Azure portal, open the flexible server → Server parameters.
- Confirm pgbouncer.enabled is set to true and saved.
- After enabling, verify PgBouncer parameters (for example pgbouncer.default_pool_size, pgbouncer.max_client_conn, pgbouncer.pool_mode) are visible; if they are not, PgBouncer is not actually enabled.
- From a VM in the same VNET/subnet as the private endpoint, test:
```
     psql "host=<server-name>.postgres.database.azure.com port=6432 dbname=postgres user=<user> password=<pwd> sslmode=require"
```
  This confirms whether 6432 is reachable over the private endpoint at all.
Client-side or path firewall allowing 5432 but not 6432
- Even if the VNET has no NSG, there can still be:
  - Local OS firewall on the client
  - Corporate firewall / VPN / proxy rules
- Ensure outbound TCP 6432 is allowed from the client to the VNET/private endpoint. The platform guidance explicitly calls out needing outbound 5432 open; the same requirement applies to 6432 when using PgBouncer.
Incorrect hostname or endpoint when switching to 6432
- PgBouncer uses the same host name as the PostgreSQL server; only the port changes to 6432.
- When using a private endpoint, the private DNS name for <server-name>.postgres.database.azure.com must resolve to the private IP. Confirm that the client resolving to the private IP is using that same FQDN when testing port 6432.
PgBouncer-side limits or errors
- If 6432 is reachable but connections are dropped, check PgBouncer logs:
  - Enable Diagnostic Settings for the server and send logs to Log Analytics.
  - Query PGSQLPgBouncer (resource-specific schema) or AzureDiagnostics with Category == "PostgreSQLFlexPGBouncer" to see authentication failures, pool exhaustion, or other errors.
- Optionally, configure pgbouncer.stats_users and connect to the internal pgbouncer database on port 6432 from a VM in the VNET to run SHOW POOLS, SHOW DATABASES, and SHOW STATS to verify PgBouncer is accepting connections and not rejecting them due to limits.
General connectivity validation
- Use a simple TCP test (for example psql as above) from a VM in the same VNET/subnet as the private endpoint to distinguish between:
  - Network-level failure to reach 6432 over the private endpoint
  - Successful TCP connection but PostgreSQL/PgBouncer authentication or configuration issues

If 5432 works via the private endpoint from the same client and 6432 fails even with a direct psql test using the same FQDN and credentials, and PgBouncer is confirmed enabled, the next step is to inspect PgBouncer logs via Azure Monitor as above to identify whether PgBouncer is rejecting or not seeing the connection attempts.

References:

Share via

Azure Database for PostgreSQL flexible server: Unable to connect Pgbouncer port using private endpoint - 6432

2 answers

Your answer