Cannot connect to Azure DB for PostgresSQL flexible from different vnet

Question

Cannot connect to Azure DB for PostgresSQL flexible from different vnet

Wilde, Andrew 0

Hi, we cannot connect from an AKS pod running in one VNET to an Azure DB for PostgreSQL flexible server running in a different VNET. We can connect from an AKS pod running in the same VNET. The error is demonstrated by running curl from the pod:

curl -v redactedname.postgres.database.azure.com:5432*
** Trying 10.77.0.212:5432...*
** connect to 10.77.0.212 port 5432 failed: Connection timed out*

We have configured private access to the Azure Database for PostgreSQL flexible server according to the documentation https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-private#virtual-network-concepts. Our setup is similar to that shown in diagram (attached) from the article, where the green arrow shows a successful connection from an AKS cluster in the same VNET, whereas the red arrow shows unsuccessful (timed out) connection from AKS cluster in another VNET. The VNETs are peered using a hub and spoke model and we know this is working for other use-cases between the same VNETs, so we do not think this is the problem. The private access to the Flexible Server has been configured according to the documentation link above:

Delegated subnet
Subnet configured with CIDR range of /28 to give 16 IP addresses.
There are no Route Tables associated to the subnet.
HA is not configured
The Network Security Group associated to subnet has been configured to allow inbound traffic on from AKS cluster to the server on port 5432

The problem seem to be when the request reaches the subnet of the PostgreSQL server (or the server itself) since the flow logs of the NSG associated to subnet show initial connections being established, but without packets being sent:

"rule": "UserRule_postgres_allow",

"flows": [

{

"mac": "6045BDF210A3",

"flowTuples": [

"1718283991,10.76.0.180,10.77.0.212,57622,5432,T,I,A,B,,,,",

"1718284008,10.76.0.180,10.77.0.212,32802,5432,T,I,A,B,,,,",

"1718284041,10.76.0.180,10.77.0.212,36740,5432,T,I,A,B,,,,"

]

}

]

}

Any help with this would be greatly appreciated.

Thanks,

Andy.

Oury Ba-MSFT 21,016 Reputation points Microsoft Employee Moderator

2024-07-09T20:01:13.7833333+00:00

@Wilde, Andrew Thank you for reaching out and sorry about the issue you are facing.

Seems like you’re facing connectivity issues when trying to connect from an AKS pod in one VNET to an Azure Database for PostgreSQL flexible server in a different VNET.

If they are using a custom DNS server, you will need to set up a conditional DNS forwarder as mentioned below.

Ensure that the DNS configuration is correct. If you are using a custom DNS, you will need to set up a conditional DNS forwarder to forward the PostgreSQL domain to Azure DNS for each DNS server. This is necessary because the flexible server VNET integration only supports Azure DNS server.

https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/dns-configuration-patterns-for-azure-database-for-postgresql/ba-p/2560287
Wilde, Andrew 0 Reputation points

2024-07-10T13:19:27.91+00:00

Thanks for the response. We are not using a custom DNS and if I do nslookup to the server FQDN then an IP address is found, so I don't think this is a DNS issue. Also the NSG flow logs seem to indicate traffic reaching at least the subnet containing the Azure Database for PostgreSQL flexible server. This is why I think the problem is with subnet or maybe the server itself.
Oury Ba-MSFT 21,016 Reputation points Microsoft Employee Moderator

2024-07-10T18:50:34.8566667+00:00

Wilde, Andrew

Thank you for getting back. It will be difficult to pinpoint the exact cause of the issue without looking into your environment. I would suggest opening a support ticket so we can further investigate.

Regards,

Oury
Matt Hunt 0 Reputation points

2024-11-25T17:17:28.4266667+00:00

I'm getting exactly the same issue. Did you resolve it? @Andrew Wilde

2 answers

Your answer

Oury Ba-MSFT 21,016 Reputation points Microsoft Employee Moderator

2024-07-09T20:01:13.7833333+00:00

@Wilde, Andrew Thank you for reaching out and sorry about the issue you are facing.

Seems like you’re facing connectivity issues when trying to connect from an AKS pod in one VNET to an Azure Database for PostgreSQL flexible server in a different VNET.

If they are using a custom DNS server, you will need to set up a conditional DNS forwarder as mentioned below.

Ensure that the DNS configuration is correct. If you are using a custom DNS, you will need to set up a conditional DNS forwarder to forward the PostgreSQL domain to Azure DNS for each DNS server. This is necessary because the flexible server VNET integration only supports Azure DNS server.

https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/dns-configuration-patterns-for-azure-database-for-postgresql/ba-p/2560287
Wilde, Andrew 0 Reputation points

2024-07-10T13:19:27.91+00:00

Thanks for the response. We are not using a custom DNS and if I do nslookup to the server FQDN then an IP address is found, so I don't think this is a DNS issue. Also the NSG flow logs seem to indicate traffic reaching at least the subnet containing the Azure Database for PostgreSQL flexible server. This is why I think the problem is with subnet or maybe the server itself.
Oury Ba-MSFT 21,016 Reputation points Microsoft Employee Moderator

2024-07-10T18:50:34.8566667+00:00

Wilde, Andrew

Thank you for getting back. It will be difficult to pinpoint the exact cause of the issue without looking into your environment. I would suggest opening a support ticket so we can further investigate.

Regards,

Oury
Matt Hunt 0 Reputation points

2024-11-25T17:17:28.4266667+00:00

I'm getting exactly the same issue. Did you resolve it? @Andrew Wilde

Answer 1

Yes by raising a support request. Here's a summary of the findings:

Issue: Transitive between spokes is not possible, reviewing the configuration it appears that we have it partially configured based on our documentation:

https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke?tabs=cli#spoke-connections-through-azure-firewall-or-nva

Summary: Route Tables with specific UDRs for both Spoke VNETs are needed to facilitate a path to the HUB VNET

Solution: Customer’s Network team was successful in updating the Spoke VNET’s Route tables to send traffic for the neighboring spoke to a common virtual appliance, in our case it was the Azure Firewall in the Hub VNET.

Answer 2

Hi @Wilde, Andrew I am glad issue was fixed. Thank you for sharing the solution with the community.

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

Issue: Transitive between spokes is not possible, reviewing the configuration it appears that we have it partially configured based on our documentation:

https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke?tabs=cli#spoke-connections-through-azure-firewall-or-nva

Summary: Route Tables with specific UDRs for both Spoke VNETs are needed to facilitate a path to the HUB VNET

Solution: Customer’s Network team was successful in updating the Spoke VNET’s Route tables to send traffic for the neighboring spoke to a common virtual appliance, in our case it was the Azure Firewall in the Hub VNET.

Share via

Cannot connect to Azure DB for PostgresSQL flexible from different vnet

2 answers

Your answer