Azure Database for PostgreSQL flexible server Private access, how to connect from my local computer?

Giancarlo 45 Reputation points
2023-06-01T15:18:49.21+00:00

I have an Azure Database for PostgreSQL flexible server up and running with the connectivity method 'Private access'. This server is located in the Virtual Network 'my_net'.

I also have a Virtual Network Gateway configured with Point-to-Site configuration. I am able to connect to it from my computer using the Azure VPN Client. This Virtual Network Gateway is also in the Virtual Network 'my_net'.

The problem is that I cannot connect to my PostgreSQL Server instance from my computer using the VPN, even though the PostgreSQL server and the Virtual Network Gateway are in the same virtual network. Is there a missing configuration required to make it possible?


Accepted answer
  1. KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator
    2023-06-02T04:10:24.3166667+00:00

    @Giancarlo

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to connect to Azure Database for PostgreSQL using P2S clients.

    You are following the Connect Azure Database for PostgreSQL Flexible Server with the private access connectivity method.

    As suspected, this is a DNS issue.

    From a VM in Azure (DNS is successful)

    nslookup <resource-name>.postgres.database.azure.com
    Server:         127.0.0.53
    Address:        127.0.0.53#53
    Non-authoritative answer:
    <resource-name>.postgres.database.azure.com    canonical name = <resource-name>.private.postgres.database.azure.com.
    Name:   <resource-name>.private.postgres.database.azure.com
    Address: 10.225.0.4
    

    From a P2S Remote machine,

    nslookup <resource-name>.postgres.database.azure.com
    Server:         192.168.0.1
    Address:        192.168.0.1#53
    ** server can't find <resource-name>.postgres.database.azure.com: NXDOMAIN
    

    Now, you have two ways to work around this,

    Method 1

    This is a simple method, not recommended for scale.

    Use this for testing, and if this succeeds, you can consider migrating your design to method 2.

    • Update the remote P2S client server's host file configuration.
    • So that it resolves "<resource-name>.postgres.database.azure.com" to 10.225.0.4
    • This is useful in case you have very few remote machines

    Method 2

    This will require you to have a custom DNS server deployed in Azure.

    Refer: Virtual network and on-premises workloads using a DNS forwarder


    Now, to forward the requests to "*.postgres.database.azure.com" to the custom DNS server hosted in Azure,

    • In the P2S VPN Client configuration file, add the DNS suffixes
        <dnssuffixes>
            <dnssuffix>.postgres.database.azure.com</dnssuffix>
        </dnssuffixes>

    • And custom DNS server
        <dnsservers>
            <dnsserver><IP Address of your custom DNS server></dnsserver>
        </dnsservers>
    
    • How to edit the above two is documented here: Edit VPN Configuration optional settings
    • With this,
      • Whenever you make a request to *.postgres.database.azure.com, the DNS queries will go through the VPN Tunnel
      • To the DNS server which you specify
      • This DNS server will further forward the requests to the Azure WireServer IP 168.63.129.16, which will successfully resolve your DNS query.
      • You may wonder if we can directly send the DNS queries to 168.63.129.16, but this is not supported. 168.63.129.16 only accepts traffic that originates from an Azure VM (for security reasons) and this is why we require a custom DNS server hosted in Azure.
    • NOTE : The Azure VPN Client is only supported for OpenVPN® protocol connections.

    The third method which you suggested,

    • Where you use a JumpHost in Azure and make the connection from there is also a neat workaround.
    • If your architecture/requirement supports that configuration, you can go for it

    Kindly let us know if this helps or you need further assistance on this issue.

    I shall be glad to assist you as always :)

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

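The client-side half of Method 2 above, written as an added example for this thread (not code from Microsoft or from the answer): a small script that inserts the `<dnssuffix>` and `<dnsserver>` entries into an exported Azure VPN Client profile and refuses the two mistakes the answer warns about, pointing the client straight at 168.63.129.16 (which only answers Azure VMs) or at a forwarder that is not a private address inside the VNet. The `<AzVpnProfile>`/`<clientconfig>` wrapper and the default namespace in `NS` are assumptions about the exported profile layout; compare them with your own azurevpnconfig.xml before using this on a real file. The sample profile and the forwarder address 10.225.0.10 are constructed for the example.

```python
"""Add a DNS suffix and a private DNS forwarder to an Azure VPN Client profile.

Example code written for this Q&A thread; it is not part of Microsoft's tooling.
ASSUMPTION: the exported profile nests <dnsservers>/<dnssuffixes> inside
<AzVpnProfile><clientconfig> under the default namespace NS. Verify against
your own exported azurevpnconfig.xml and adjust NS if it differs.
"""
import ipaddress
import xml.etree.ElementTree as ET

NS = "http://schemas.datacontract.org/2004/07/"   # assumed profile namespace
ET.register_namespace("", NS)                     # keep the default namespace on output

# The Azure WireServer only accepts DNS traffic from Azure VMs, so a P2S client
# must never be pointed at it directly (see the answer's note on Method 2).
WIRESERVER = ipaddress.ip_address("168.63.129.16")

# Constructed minimal profile standing in for a real exported file.
SAMPLE_PROFILE = f"""<AzVpnProfile xmlns="{NS}">
  <clientconfig>
    <dnsservers />
  </clientconfig>
</AzVpnProfile>"""


def is_valid_forwarder(dns_server: str) -> bool:
    """True only for a private (in-VNet) address that is not the WireServer."""
    try:
        ip = ipaddress.ip_address(dns_server)
    except ValueError:
        return False
    return ip != WIRESERVER and ip.is_private


def _child(parent: ET.Element, tag: str) -> ET.Element:
    """Return the namespaced child <tag>, creating it if it does not exist."""
    el = parent.find(f"{{{NS}}}{tag}")
    if el is None:                      # 'is None': an empty element is falsy
        el = ET.SubElement(parent, f"{{{NS}}}{tag}")
    return el


def add_private_dns(profile_xml: str, suffix: str, dns_server: str) -> str:
    """Return the profile with the suffix and forwarder added (idempotently)."""
    if not is_valid_forwarder(dns_server):
        raise ValueError(
            f"{dns_server}: use a custom DNS forwarder with a private address "
            "inside the VNet, never 168.63.129.16 or a public address")
    if not suffix.startswith("."):      # the profile expects a leading dot
        suffix = "." + suffix

    root = ET.fromstring(profile_xml)
    cfg = root.find(f"{{{NS}}}clientconfig")
    if cfg is None:
        raise ValueError("profile has no <clientconfig> element; check NS/layout")

    servers = _child(cfg, "dnsservers")
    if not any(s.text == dns_server for s in servers):
        ET.SubElement(servers, f"{{{NS}}}dnsserver").text = dns_server

    suffixes = _child(cfg, "dnssuffixes")
    if not any(s.text == suffix for s in suffixes):
        ET.SubElement(suffixes, f"{{{NS}}}dnssuffix").text = suffix

    return ET.tostring(root, encoding="unicode")


def configured_dns(profile_xml: str) -> tuple[list[str], list[str]]:
    """Read back (dns servers, dns suffixes) from a profile for verification."""
    root = ET.fromstring(profile_xml)
    servers = [e.text for e in root.iter(f"{{{NS}}}dnsserver")]
    suffixes = [e.text for e in root.iter(f"{{{NS}}}dnssuffix")]
    return servers, suffixes


if __name__ == "__main__":
    updated = add_private_dns(SAMPLE_PROFILE, "postgres.database.azure.com", "10.225.0.10")
    print(updated)
    print(configured_dns(updated))
```

After importing the edited profile, the check that matters is the one the answer shows with nslookup: from the P2S client, `<resource-name>.postgres.database.azure.com` should now resolve to the private 10.x address of the flexible server rather than NXDOMAIN, which confirms the query went through the tunnel to the forwarder and on to 168.63.129.16.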
