How to create a private endpoint for a PostgreSQL flexible server?

Kenny Wong (HK) 105 Reputation points
2024-05-03T02:54:55.9833333+00:00

I am unable to create a private endpoint for my PostgreSQL flexible server.

My Bicep file is like this:

// Parameters
param location string
//param env string
param nameAffix string
param administratorLogin string
// existing resource name params
param vnetName string
param privateEndpointsSubnetName string
param pgSQLSubnetName string

@description('Virtual Network RuleName')
param virtualNetworkRuleName string = 'AllowSubnet'

@secure()
param administratorLoginPassword string

// Variables
var serverName = 'psql-${nameAffix}-${uniqueString(resourceGroup().id)}'

var pgsqlPrivateEndpointName = 'pep-${serverName}'
var pgsqlDnsZoneName = 'privatelink.postgres.database.azure.com'
var pgsqlDnsGroupName = '${pgsqlPrivateEndpointName}/default'

// ---- Existing resources ----
resource vnet 'Microsoft.Network/virtualNetworks@2022-11-01' existing = {
  name: vnetName

  resource privateEndpointsSubnet 'subnets' existing = {
    name: privateEndpointsSubnetName
  }

  resource pgSQLSubnet 'subnets' existing = {
    name: pgSQLSubnetName
  }

}


// Postgres
resource server 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
  name: serverName
  location: location
  sku: {
    name: 'Standard_D4ds_v4'
    tier: 'GeneralPurpose'
  }
  properties: {
    version: '16'
    administratorLogin: administratorLogin
    administratorLoginPassword: administratorLoginPassword
    network: {
      delegatedSubnetResourceId: vnet::pgSQLSubnet.id
      privateDnsZoneArmResourceId: pgsqlDnsZone.id
    }
    highAvailability: {
      mode: 'Disabled'
    }
    storage: {
      storageSizeGB: 128
    }
    backup: {
      backupRetentionDays: 7
      geoRedundantBackup: 'Disabled'
    }
  }
  resource virtualNetworkRule 'virtualNetworkRules' = {
    name: virtualNetworkRuleName
    properties: {
      virtualNetworkSubnetId: vnet::pgSQLSubnet.id
      ignoreMissingVnetServiceEndpoint: true
    }
  }

}

// private endpoint
resource pgsqlPrivateEndpoint 'Microsoft.Network/privateEndpoints@2022-11-01' = {
  name: pgsqlPrivateEndpointName
  location: location
  properties: {
    subnet: {
      id: vnet::privateEndpointsSubnet.id
    }
    privateLinkServiceConnections: [
      {
        name: pgsqlPrivateEndpointName
        properties: {
          privateLinkServiceId: server.id
          groupIds: [
            'postgresqlServer'
          ]
        }
      }
    ]
  }
}

resource pgsqlDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: pgsqlDnsZoneName
  location: 'global'
  properties: {}
}

resource psqlDnsZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: pgsqlDnsZone
  name: '${pgsqlDnsZoneName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: vnet.id
    }
  }
}

resource pgsqlDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2022-11-01' = {
  name: pgsqlDnsGroupName
  properties: {
    privateDnsZoneConfigs: [
      {
        name: pgsqlDnsZoneName
        properties: {
          privateDnsZoneId: pgsqlDnsZone.id
        }
      }
    ]
  }
  dependsOn: [
    pgsqlPrivateEndpoint
  ]
}


The error I got from deploying the Bicep above is:

The given server xxxxxxxxxxxxxx does not support private endpoint feature. Please create a new server that is private endpoint capable. Refer to https://aka.ms/pgflex-pepreview for more details.

My desired architecture is something similar to this:

[Image: azure bicep query]

With the jumphost in one subnet, the App Service app in one subnet, the private endpoint in one subnet and the PostgreSQL flexible server in one subnet; the jumphost and App Service can access the PostgreSQL flexible server via the private endpoint.

Is it feasible on Azure, and how do I set it up with Bicep?


1 answer

  1. ShaktiSingh-MSFT 15,341 Reputation points
    2024-05-09T09:21:17.8466667+00:00

    Hi Kenny Wong (HK),

    Thanks for your patience.

    I have got the below reply from the internal team:

    It is possible to do so with Bicep, indeed. However, for PostgreSQL Flexible Server, you cannot create a private endpoint for an instance that has been deployed with Private access (VNet integration).

    Regarding the error you received, it is suggested to file a support ticket for deeper investigation, and if you don't have a support plan, do let us know here so that we can check on other options to unblock you.

    Thanks

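As an added example (not part of the question or the answer above), this is the shape the answer points to: the flexible server is created in public-access mode with public network access disabled, so it is never placed in a delegated subnet and the private endpoint becomes the only path in. The API version `2023-12-01-preview`, the parameter names and the resource symbolic names are assumptions; the subnet, private DNS zone name and `postgresqlServer` group id are taken from the question, and the zone's VNet link from the question is still required for name resolution.

```bicep
// Added example, not from the question or answer; API version and names are assumptions.
param location string
param serverName string
param administratorLogin string
@secure()
param administratorLoginPassword string
param vnetName string
param privateEndpointsSubnetName string

var dnsZoneName = 'privatelink.postgres.database.azure.com'
resource vnet 'Microsoft.Network/virtualNetworks@2022-11-01' existing = {
  name: vnetName
  resource privateEndpointsSubnet 'subnets' existing = {
    name: privateEndpointsSubnetName
  }
}
// The zone is assumed to exist already and to be linked to the VNet (as in the question).
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
  name: dnsZoneName
}

// No delegatedSubnetResourceId / privateDnsZoneArmResourceId here: setting them puts
// the server into VNet integration mode, which cannot take a private endpoint.
resource server 'Microsoft.DBforPostgreSQL/flexibleServers@2023-12-01-preview' = {
  name: serverName
  location: location
  sku: { name: 'Standard_D4ds_v4', tier: 'GeneralPurpose' }
  properties: {
    version: '16'
    administratorLogin: administratorLogin
    administratorLoginPassword: administratorLoginPassword
    network: { publicNetworkAccess: 'Disabled' } // the private endpoint is the only way in
    storage: { storageSizeGB: 128 }
  }
}
resource pep 'Microsoft.Network/privateEndpoints@2022-11-01' = {
  name: 'pep-${serverName}'
  location: location
  properties: {
    subnet: { id: vnet::privateEndpointsSubnet.id }
    privateLinkServiceConnections: [
      { name: 'pep-${serverName}', properties: { privateLinkServiceId: server.id, groupIds: [ 'postgresqlServer' ] } }
    ]
  }
  // Child of the endpoint, so it is created after it and registers the server's A record in the zone.
  resource dnsGroup 'privateDnsZoneGroups' = {
    name: 'default'
    properties: { privateDnsZoneConfigs: [ { name: dnsZoneName, properties: { privateDnsZoneId: dnsZone.id } } ] }
  }
}
```

Clients in the jumphost and App Service subnets then resolve the server's FQDN through the private zone to the endpoint's private IP, while the public endpoint rejects all traffic.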
