How do I make PostgreSQL DBaaS available publicly and to Azure private VNets?

IT Admin 0 Reputation points
2024-01-22T06:45:11.55+00:00

Hi,

We are provisioning a PostgreSQL DBaaS instance in Azure and we need it to be available from a public IP and from within an Azure private VNet where an app server will be connecting to it. My question is:

  • Do we provision it as publicly available and then (somehow) allow specific VMs on private networks access to it?
  • Do we provision it on its own VNet and then (somehow) allow specific public IPs access to it?

I would rather not have any Azure service accessing it (whether it belongs to us or not) which is an option, but I can’t remember which of the 2 modes it is associated with.

Thanks,
GAM

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
Azure Database for PostgreSQL

1 answer

  1. Oury Ba-MSFT 20,341 Reputation points Microsoft Employee
    2024-01-24T15:34:58.85+00:00

    @IT Admin
    Thank you for reaching out. Based on my understanding, you are looking for private and public access at the same time. I think this will be a good option to have: https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-private-link. Regarding the two options you mentioned, with Private Link you can follow either of them, because you can provision with private and enable public, and vice versa. Like the example below:

     User's image

    More information: The following characteristic applies whether you choose to use the private access or the public access option:

    • The server has a fully qualified domain name (FQDN). For the hostname property in connection strings, we recommend using the FQDN instead of an IP address.

    For public access (allowed IP and private endpoint)

    Choose this networking option if you want the following capabilities:

    • Connect from Azure resources that don't support virtual networks.
    • Connect from resources outside Azure that are not connected by VPN or ExpressRoute.
    • Ensure that the Azure Database for PostgreSQL flexible server instance has a public endpoint that's accessible through the internet.

    For private access with VNet

    Choose this networking option if you want the following capabilities:

    • Connect from Azure resources in the same virtual network to your Azure Database for PostgreSQL flexible server instance by using private IP addresses.
    • Use VPN or Azure ExpressRoute to connect from non-Azure resources to your Azure Database for PostgreSQL flexible server instance.
    • Ensure that the Azure Database for PostgreSQL flexible server instance has no public endpoint that's accessible through the internet.

    All the above is documented here

    With public access, the Azure Database for PostgreSQL flexible server instance is accessed through a public endpoint. By default, the firewall blocks all access to the server. To specify which IP hosts can access the server, you create server-level firewall rules. Firewall rules specify allowed public IP address ranges. The firewall grants access to the server based on the originating IP address of each request. With private access no public endpoint is available and only hosts located on the same network can access Azure Database for PostgreSQL flexible server.

    I would suggest going through the docs below for a better understanding of Private Link in Azure PaaS PostgreSQL flex.

    Firewall rules in Azure Database for PostgreSQL - Flexible Server

    Azure Database for PostgreSQL - Flexible Server networking with Private Link - Preview

    Regards,

    Oury

