Hi @Ravinandan
Thanks for contacting Microsoft Q&A. We have reviewed your question, and to address your query about setting up stable and secure network connectivity for replicating data between two Azure subscriptions using Azure Database for PostgreSQL Flexible Server—without relying on the default replica feature—here’s a comprehensive breakdown of the latest best practices and insights.
Recommended Network Setup for Cross-Subscription Replication
To replicate data from Subscription A to Subscription B securely and reliably, bypassing the default replica feature, the following architecture is recommended:
Use VNet Peering Across Subscriptions and Tenants
- Establish VNet peering between the virtual networks hosting the source and target PostgreSQL servers. This allows private IP communication between servers across subscriptions—even across different tenants. [Create Vir...Azure ...]
- Ensure that both VNets are in supported Azure regions and that their IP ranges do not overlap.
- Assign appropriate IAM roles (e.g., Network Contributor) to users managing the peering setup. [Create Vir...Azure ...]
Private Access with VNet Integration
- Deploy both PostgreSQL Flexible Servers with private access (VNet integration) to ensure traffic remains within Azure’s backbone and avoids public exposure. [Network wi...Azure ...]
- Use Private DNS Zones (e.g., privatelink.postgres.database.azure.com) to resolve server names internally. [Setting up...Azure ...]
Firewall and NSG Configuration
- Configure Network Security Groups (NSGs) to allow traffic between the peered VNets. Ensure that the PostgreSQL subnet allows inbound traffic from the application subnet. [Allowing c...o some ...]
Replication Setup
- Use logical replication with PostgreSQL’s native features:
  - Create a publication on the source server.
  - Create a subscription on the target server.
  - Assign the REPLICATION role to the replication user.
  - Ensure that the pg_hba.conf file on the source server allows connections from the target server’s IP. [Migrate On...soft Learn]
DNS and Connectivity Troubleshooting
- Validate DNS resolution from within PostgreSQL itself—not just from VMs in the same VNet. [Setting up...Azure ...]
- If DNS fails internally, consider using Fully Qualified Domain Names (FQDNs) or enabling public access temporarily for setup. [Setting up...rosoft Q&A]
Additional Considerations
- Replication Parameters: Tune parameters like max_sync_workers_per_subscription to optimize performance. [Replicatio...soft Learn]
- Security: Use SSL/TLS encryption, role-based access control (RBAC), and managed identities for secure data transfer. [Step-by-St...Event Hubs]
- Cross-Tenant Peering: If subscriptions belong to different tenants, follow the Microsoft guide for cross-tenant VNet peering. [Create Vir...Azure ...]
Useful Resources
- Microsoft Q&A: Setup Network Connectivity for Azure PostgreSQL Replication
- VNet Peering Across Tenants
- Private Access Networking for PostgreSQL Flexible Server
Thanks,
Vrishabh
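The replication steps in the answer above (publication on the source, subscription on the target, a REPLICATION role, and the tuning and verification points), carried through as an added SQL example that is not part of the original answer. The host name source-a.postgres.database.azure.com, database appdb, role repl_user, tables customers and orders, and the publication/subscription names are assumed; the password is a placeholder to be replaced out of band.

```sql
-- Added example, not part of the original answer: native logical replication
-- between two Azure Database for PostgreSQL Flexible Servers in different
-- subscriptions, over the peered VNets described above.
-- Assumed names: source host source-a.postgres.database.azure.com, database appdb,
-- role repl_user, tables customers and orders, publication app_pub, subscription app_sub.

-- ===================== Source server (Subscription A) =====================
-- The Azure server parameter wal_level must be LOGICAL (set in the portal or
-- CLI, requires a restart); this check should return 'logical' before continuing.
SHOW wal_level;

-- Dedicated replication role: LOGIN and REPLICATION only, no superuser or
-- table ownership. Placeholder password; supply the real secret out of band.
CREATE ROLE repl_user WITH LOGIN REPLICATION PASSWORD '<replace-with-strong-password>';

-- The initial table copy runs as repl_user, so it needs read access to the
-- published tables and nothing else.
GRANT USAGE ON SCHEMA public TO repl_user;
GRANT SELECT ON TABLE customers, orders TO repl_user;

-- Publish only the tables that must be replicated instead of FOR ALL TABLES;
-- this keeps unrelated data from leaving the source subscription.
CREATE PUBLICATION app_pub FOR TABLE customers, orders;

-- ===================== Target server (Subscription B) =====================
-- Logical replication does not copy DDL: the target tables must already exist
-- with the same column names and types. Assumed definitions shown for completeness.
CREATE TABLE customers (
    id    bigint PRIMARY KEY,
    email text   NOT NULL
);
CREATE TABLE orders (
    id           bigint PRIMARY KEY,
    customer_id  bigint NOT NULL REFERENCES customers(id),
    amount_cents bigint NOT NULL
);

-- Tuning parameter mentioned above; on Flexible Server it is changed through the
-- Azure server parameters blade/CLI, not ALTER SYSTEM, so only inspect it here.
SHOW max_sync_workers_per_subscription;

-- sslmode=require forces TLS to the source even though traffic stays on the
-- private peering path; host is the source FQDN resolved via the private DNS zone.
CREATE SUBSCRIPTION app_sub
    CONNECTION 'host=source-a.postgres.database.azure.com port=5432 dbname=appdb user=repl_user password=<replace-with-strong-password> sslmode=require'
    PUBLICATION app_pub;

-- ===================== Verification =====================
-- On the target: one row per subscription; received_lsn / latest_end_lsn advance
-- as changes flow. A NULL pid means the apply worker is not running (check DNS,
-- NSG rules or credentials first).
SELECT subname, pid, received_lsn, latest_end_lsn, last_msg_receipt_time
FROM pg_stat_subscription;

-- On the target: initial copy state per table ('r' = ready, streaming changes).
SELECT srrelid::regclass AS table_name, srsubstate
FROM pg_subscription_rel;

-- On the source: the walsender session for the subscription should show
-- state 'streaming' and a client_addr inside the target VNet's address range.
SELECT application_name, client_addr, state, sent_lsn, replay_lsn
FROM pg_stat_replication;
```

Run the source-side statements connected as the server admin on Subscription A and the target-side statements on Subscription B. If CREATE SUBSCRIPTION hangs or fails, the three verification queries separate a name-resolution or NSG problem (no walsender row on the source, NULL pid on the target) from a permissions problem (walsender present but tables stuck in a non-'r' state).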