Azure Database for PostgreSQL flexible servers with Point to site VPN

Question

Azure Database for PostgreSQL flexible servers with Point to site VPN

Brijesh Muliya 46

I am having an issue while connecting to "Azure Database for PostgreSQL flexible servers" with point-to-site VPN.

My requirement:

I have multiple Azure services which are not in the virtual network, and if I deploy "Azure Database for PostgreSQL flexible servers" with Vnet integration then there is no option to "Allow other Azure services" or add IP address.

I simply want to restrict access to my database so that only my Azure services and clients with Azure VPN should be able to access the database.

Solution I have tried & Azure support suggested:

with "Public access (allowed IP addresses)" white listed public IP of VPN gateway and address pool range of that VPN - start IP and end IP.

KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-06-08T04:28:27.68+00:00
@Brijesh Muliya

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

When you say you are having an issue while connecting to "Azure Database for PostgreSQL flexible servers" with point-to-site VPN,

What exactly is the issue?

Did you verify if the issue is actually with connectivity or with DNS resolution failure?

How do you access the Azure Database for PostgreSQL flexible servers? (My main expertise is Azure Networking and have little expertise with flexible servers, so please let me know how this done!)

Using IP Address of individual servers?

Or using a FQDN Name?

From this document : Connect to the PostgreSQL database using psql

I see a FQDN is used to connect to the servers.

In that case, can you edit the host file of the remote P2S VPN client so that "mydemoserver-pg.postgres.database.azure.com" resolved to the IP of the server and see if that works

Cheers,

Kapil
Brijesh Muliya 46 Reputation points

2023-06-08T10:16:22.65+00:00

@KapilAnanth-MSFT

I am connecting from pgAdmin tool with FQDN only as IP can be changed at any time.

I have multiple Azure services which are not in the virtual network, and if I deploy "Azure Database for PostgreSQL flexible servers" with Vnet integration then there is no option to "Allow other Azure services" or add IP address. so I have deployed my "Azure Database for PostgreSQL flexible servers" in "Public access (allowed IP addresses)". where i have option of "Allow other Azure services" now I want to restrict database to connect only by azure services and from local while connected to VPN.

To allow VPN to database i have allowed public IP of VPN gateway and address pool range to the database. still I am not able to connect to database.
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-06-08T10:21:22.1466667+00:00
@Brijesh Muliya

I understand.

"To allow VPN to database i have allowed public IP of VPN gateway and address pool range to the database. still I am not able to connect to database."

This will not work.

VPN Gateway IP is still a Public IP and requests will not come from it.

From your P2S remote machine, can you

Connect to the VPN.

Open a CMD as Admin.

Run nslookup <YOUR SERVER NAME>.postgres.database.azure.com

And share the result

Now, from a working VM in Azure,

Open a CMD as Admin.

Run nslookup <YOUR SERVER NAME>.postgres.database.azure.com

And share the result

Cheers,

Kapil
Brijesh Muliya 46 Reputation points

2023-06-08T11:36:09.2666667+00:00

@KapilAnanth-MSFT can you please open private chat comment.
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-06-08T11:41:28.27+00:00

@Brijesh Muliya

I am afraid we do not have private chat feature in Q&A Forum.

I would very much appreciate if you can share the screenshots requested here.

You can redact the name of the Database and IP, I just want to check if the resolution works or not.

Thanks,

Kapil
Brijesh Muliya 46 Reputation points

2023-06-08T12:14:12.52+00:00

@KapilAnanth-MSFT Hi,

Kindly find details in below image. I dnt have VM so not able to share you the details from VM.
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-06-08T12:54:25.9633333+00:00
@Brijesh Muliya

Is this configuration working with a VM in Azure to begin with?

First you have to validate this.

Only if the above works, we can extend this to P2S Clients.

Also, from your image,

Did you get an address for the DNS query? And you have redacted it?

If so, was it a Public IP or Private IP?

Or was the "Address" field empty?

Thanks,

Kapil
Brijesh Muliya 46 Reputation points

2023-06-09T12:58:46.0466667+00:00

Hi @KapilAnanth-MSFT ,

To answer the above question, yes I am getting the correct public IP of the DB with FQDN while connected to VPN or without VPN.

Now, as you suggested, I have created a VM and installed a VPN, and from there also, I am getting the same result.

now then when I enable option "Allow public access from any Azure service within Azure to this server" in that database then with or without VPN i can connect to the database from the VPN but not from the local.

just to inform: I have DNS private resolver enabled for cosmos DB and the IP I got from the inbound rule of the DNS private resolver. I have added to DNS server of the virtual network where my VPN is configured to access internal resources. and i in cosmos DB i got the option to add virtual network and allow azure services option in private network integration where i have created private endpoint and private DNS zone for cosmos DB.
Brijesh Muliya 46 Reputation points

2023-06-09T13:07:47.2366667+00:00

.....
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-06-09T13:52:17.1+00:00
@Brijesh Muliya

In that case, P2S connections should work.

What is the error message you are seeing when you try to connect from a P2S Client?

Open a Powershell window from the client and run tnc <YOUR SERVER NAME>.postgres.database.azure.com -p 5432 and share the results please
Brijesh Muliya 46 Reputation points

2023-06-09T14:10:05.74+00:00

@KapilAnanth-MSFT

I get the connection timeout expired error from pgAdmin.

and with tnc command i got below result.
pharmaday pharmaday.com 0 Reputation points

2023-06-09T14:12:19.24+00:00

thanks for helpfully information
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-06-12T04:51:16.1266667+00:00
@Brijesh Muliya

To troubleshoot the exact issue, I think we will need a specialized 1:1 session, where a support engineer can have a screen share session to pinpoint the issue. If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

In case you need a one-time free technical support could you please send an email to AzCommunity[At]Microsoft.Com with the below details.

Subject : Attn Kaananth | Azure Database for PostgreSQL flexible servers with Point to site VPN

Thread URL: Link to this thread.

Subscription ID : Subscription ID of the VPN gateway
Brijesh Muliya 46 Reputation points

2023-06-14T10:21:03.05+00:00

@KapilAnanth-MSFT

sorry for the delay, are you available today, so i can just send mail for technical support.?
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-06-14T10:22:40.1033333+00:00

@Brijesh Muliya

Sure, please go ahead.

Thanks,

Kapil
Brijesh Muliya 46 Reputation points

2023-06-14T10:38:54.99+00:00

@KapilAnanth-MSFT can you please share the email to send to?
Brijesh Muliya 46 Reputation points

2023-06-14T10:40:06.8166667+00:00

@KapilAnanth-MSFT,

just sent to "azcommunity@microsoft.com"
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-06-23T14:24:48.59+00:00

Hello @Brijesh Muliya ,

I checked the support request that was created for this issue and found the below summary:

Issue: Restrict access to Azure Database for PostgreSQL flexible server

Cause: You wanted to restrict access to the SQL server only from your P2S VPN and specific Vnets.

Resolution: Proposed private endpoint and Vnet integration but you mentioned that some of your resources won't be able to connect to the SQL server in such a case.

As a workaround, support proposed a VM to which the P2S VPN clients could connect and from the VM the SQL server could be reached. Access to the VM could be restricted by an NSG.

Could you please let us know if this workaround helped you achieve your requirement?

Regards,

Gita
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-06-30T13:25:18.67+00:00

@Brijesh Muliya , could you please provide an update on this post? Please let us know if the workaround recommended by support team helped you achieve your requirement.

1 answer

Your answer

KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-06-08T04:28:27.68+00:00

@Brijesh Muliya

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

When you say you are having an issue while connecting to "Azure Database for PostgreSQL flexible servers" with point-to-site VPN,

What exactly is the issue?

Did you verify if the issue is actually with connectivity or with DNS resolution failure?

How do you access the Azure Database for PostgreSQL flexible servers? (My main expertise is Azure Networking and have little expertise with flexible servers, so please let me know how this done!)

Using IP Address of individual servers?

Or using a FQDN Name?

From this document : Connect to the PostgreSQL database using psql

I see a FQDN is used to connect to the servers.

In that case, can you edit the host file of the remote P2S VPN client so that "mydemoserver-pg.postgres.database.azure.com" resolved to the IP of the server and see if that works

Cheers,

Kapil
Brijesh Muliya 46 Reputation points

2023-06-08T10:16:22.65+00:00

@KapilAnanth-MSFT

I am connecting from pgAdmin tool with FQDN only as IP can be changed at any time.

I have multiple Azure services which are not in the virtual network, and if I deploy "Azure Database for PostgreSQL flexible servers" with Vnet integration then there is no option to "Allow other Azure services" or add IP address. so I have deployed my "Azure Database for PostgreSQL flexible servers" in "Public access (allowed IP addresses)". where i have option of "Allow other Azure services" now I want to restrict database to connect only by azure services and from local while connected to VPN.

To allow VPN to database i have allowed public IP of VPN gateway and address pool range to the database. still I am not able to connect to database.
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-06-08T10:21:22.1466667+00:00

@Brijesh Muliya

I understand.

"To allow VPN to database i have allowed public IP of VPN gateway and address pool range to the database. still I am not able to connect to database."

This will not work.

VPN Gateway IP is still a Public IP and requests will not come from it.

From your P2S remote machine, can you

Connect to the VPN.

Open a CMD as Admin.

Run nslookup <YOUR SERVER NAME>.postgres.database.azure.com

And share the result

Now, from a working VM in Azure,

Open a CMD as Admin.

Run nslookup <YOUR SERVER NAME>.postgres.database.azure.com

And share the result

Cheers,

Kapil
Brijesh Muliya 46 Reputation points

2023-06-08T11:36:09.2666667+00:00

@KapilAnanth-MSFT can you please open private chat comment.
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-06-08T11:41:28.27+00:00

@Brijesh Muliya

I am afraid we do not have private chat feature in Q&A Forum.

I would very much appreciate if you can share the screenshots requested here.

You can redact the name of the Database and IP, I just want to check if the resolution works or not.

Thanks,

Kapil
Brijesh Muliya 46 Reputation points

2023-06-08T12:14:12.52+00:00

@KapilAnanth-MSFT Hi,

Kindly find details in below image. I dnt have VM so not able to share you the details from VM.
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-06-08T12:54:25.9633333+00:00

@Brijesh Muliya

Is this configuration working with a VM in Azure to begin with?

First you have to validate this.

Only if the above works, we can extend this to P2S Clients.

Also, from your image,

Did you get an address for the DNS query? And you have redacted it?

If so, was it a Public IP or Private IP?

Or was the "Address" field empty?

Thanks,

Kapil
Brijesh Muliya 46 Reputation points

2023-06-09T12:58:46.0466667+00:00

Hi @KapilAnanth-MSFT ,

To answer the above question, yes I am getting the correct public IP of the DB with FQDN while connected to VPN or without VPN.

Now, as you suggested, I have created a VM and installed a VPN, and from there also, I am getting the same result.

now then when I enable option "Allow public access from any Azure service within Azure to this server" in that database then with or without VPN i can connect to the database from the VPN but not from the local.

just to inform: I have DNS private resolver enabled for cosmos DB and the IP I got from the inbound rule of the DNS private resolver. I have added to DNS server of the virtual network where my VPN is configured to access internal resources. and i in cosmos DB i got the option to add virtual network and allow azure services option in private network integration where i have created private endpoint and private DNS zone for cosmos DB.
Brijesh Muliya 46 Reputation points

2023-06-09T13:07:47.2366667+00:00

.....
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-06-09T13:52:17.1+00:00

@Brijesh Muliya

In that case, P2S connections should work.

What is the error message you are seeing when you try to connect from a P2S Client?

Open a Powershell window from the client and run tnc <YOUR SERVER NAME>.postgres.database.azure.com -p 5432 and share the results please
Brijesh Muliya 46 Reputation points

2023-06-09T14:10:05.74+00:00

@KapilAnanth-MSFT

I get the connection timeout expired error from pgAdmin.

and with tnc command i got below result.
pharmaday pharmaday.com 0 Reputation points

2023-06-09T14:12:19.24+00:00

thanks for helpfully information
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-06-12T04:51:16.1266667+00:00

@Brijesh Muliya

To troubleshoot the exact issue, I think we will need a specialized 1:1 session, where a support engineer can have a screen share session to pinpoint the issue. If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

In case you need a one-time free technical support could you please send an email to AzCommunity[At]Microsoft.Com with the below details.

Subject : Attn Kaananth | Azure Database for PostgreSQL flexible servers with Point to site VPN

Thread URL: Link to this thread.

Subscription ID : Subscription ID of the VPN gateway
Brijesh Muliya 46 Reputation points

2023-06-14T10:21:03.05+00:00

@KapilAnanth-MSFT

sorry for the delay, are you available today, so i can just send mail for technical support.?
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2023-06-14T10:22:40.1033333+00:00

@Brijesh Muliya

Sure, please go ahead.

Thanks,

Kapil
Brijesh Muliya 46 Reputation points

2023-06-14T10:38:54.99+00:00

@KapilAnanth-MSFT can you please share the email to send to?
Brijesh Muliya 46 Reputation points

2023-06-14T10:40:06.8166667+00:00

@KapilAnanth-MSFT,

just sent to "azcommunity@microsoft.com"
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-06-23T14:24:48.59+00:00

Hello @Brijesh Muliya ,

I checked the support request that was created for this issue and found the below summary:

Issue: Restrict access to Azure Database for PostgreSQL flexible server

Cause: You wanted to restrict access to the SQL server only from your P2S VPN and specific Vnets.

Resolution: Proposed private endpoint and Vnet integration but you mentioned that some of your resources won't be able to connect to the SQL server in such a case.

As a workaround, support proposed a VM to which the P2S VPN clients could connect and from the VM the SQL server could be reached. Access to the VM could be restricted by an NSG.

Could you please let us know if this workaround helped you achieve your requirement?

Regards,

Gita
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-06-30T13:25:18.67+00:00

@Brijesh Muliya , could you please provide an update on this post? Please let us know if the workaround recommended by support team helped you achieve your requirement.

Answer 1

@Brijesh Muliya

Welcome to the Microsoft Q&A Platform. Thank you for taking the time to work with us.

Our internal support team provided the below summary:

Issue:

Restrict access to Azure Database for PostgreSQL flexible server

Cause:

You wanted to restrict access to the SQL server only from your P2S VPN and specific Vnets.

Resolution:

Proposed private endpoint and Vnet integration but you mentioned that some of your resources won't be able to connect to the SQL server in such a case.
As a workaround, support proposed a VM to which the P2S VPN clients could connect and from the VM the SQL server could be reached. Access to the VM could be restricted by an NSG.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

Azure Database for PostgreSQL flexible servers with Point to site VPN

1 answer

Your answer