Azure Backup for PostgreSQL Flexible Server - Protection Error: PostgreSQLFlexOperationFailedUserError

Question

Azure Backup for PostgreSQL Flexible Server - Protection Error: PostgreSQLFlexOperationFailedUserError

Kiarash Azarnia 5

Problem Description

I have configured Azure Backup for a PostgreSQL Flexible Server using Terraform. The PostgreSQL Flexible Server instance is healthy and running without issues, but the backup instance shows a "Protection Error" status with the following error:

Error Code: PostgreSQLFlexOperationFailedUserError Message: "Current operation has failed due to a user error." Protection Status: Protection Error

Infrastructure Configuration

Backup Vault:

System-assigned Managed Identity enabled
Soft delete: On (14 days retention)
Datastore type: VaultStore

RBAC Role Assignments:

Reader role assigned to Backup Vault's Managed Identity on the Resource Group scope
Backup Operator role assigned to Backup Vault's Managed Identity on the PostgreSQL Flexible Server scope

Backup Policy:

Daily backups at 02:00 UTC
Retention rules:
- Daily: 14 days (FirstOfDay)
  - Weekly: 30 days (FirstOfWeek)
    - Monthly: 365 days (FirstOfMonth)
      - Default: 365 days

Backup Instance:

Linked to the backup vault and policy
Server ID correctly references the PostgreSQL Flexible Server
Infrastructure Configuration
Backup Vault:
- System-assigned Managed Identity enabled
- Soft delete: On (14 days retention)
- Datastore type: VaultStore
RBAC Role Assignments:
1. Reader role assigned to Backup Vault's Managed Identity on the Resource Group scope
2. Backup Operator role assigned to Backup Vault's Managed Identity on the PostgreSQL Flexible Server scope
Backup Policy:
- Daily backups at 02:00 UTC
- Retention rules:
  - Daily: 14 days (FirstOfDay)
  - Weekly: 30 days (FirstOfWeek)
  - Monthly: 365 days (FirstOfMonth)
  - Default: 365 days
Backup Instance:
- Linked to the backup vault and policy
- Server ID correctly references the PostgreSQL Flexible Server

What I've Verified

✅ PostgreSQL Flexible Server is healthy and operational
✅ Backup Vault Managed Identity is created successfully
✅ Role assignments (Reader, Backup Operator) are in place
✅ Terraform apply completes without errors
✅ Dependencies are correctly set (role assignments created before backup policy/instance)

Questions

The error message PostgreSQLFlexOperationFailedUserError is vague. What specific permissions or configurations could be missing?
Is the Backup Operator role sufficient, or does the Managed Identity require additional roles such as PostgreSQL Flexible Server Long Term Retention Backup Role?
Are there any known issues with VaultStore backups for PostgreSQL Flexible Servers in the any region like eu-central?

Terraform Code Snippet


# Role Assignments

resource "azurerm_role_assignment" "cloudops_db_backup_vault_reader" {

  scope                = data.azurerm_resource_group.postgres_resource_group.id

  role_definition_name = "Reader"

  principal_id         = azurerm_data_protection_backup_vault.cloudops_db_backup_vault.identity.0.principal_id

}

resource "azurerm_role_assignment" "cloudops_db_backup_vault_backup_role" {

  scope                = azurerm_postgresql_flexible_server.postgresql.id

  role_definition_name = "Backup Operator"

  principal_id         = azurerm_data_protection_backup_vault.cloudops_db_backup_vault.identity.0.principal_id

}

# Backup Instance

resource "azurerm_data_protection_backup_instance_postgresql_flexible_server" "cloudops_general_db_backup_plan" {

  name             = "cloudops-general-db-backup-plan"

  location         = azurerm_postgresql_flexible_server.postgresql.location

  vault_id         = azurerm_data_protection_backup_vault.cloudops_db_backup_vault.id

  server_id        = azurerm_postgresql_flexible_server.postgresql.id

  backup_policy_id = azurerm_data_protection_backup_policy_postgresql_flexible_server.cloudops_db_backup_policy.id

}

Kiarash Azarnia 5 Reputation points

2026-01-22T17:01:33.96+00:00
I encountered a critical issue when configuring azurerm_postgresql_flexible_server with VNET Delegation enabled. There are two major behaviors to be aware of:

Silent Failure on Public Network Access If the cluster is set up with VNET Delegation, setting public_network_access_enabled = true is not supported by Azure. However, Terraform (Provider hashicorp/azurerm v4.57) incorrectly reports the apply as successful.

Observed Behavior: Terraform state updates, reporting "Apply complete," but the setting remains Disabled in the Azure Portal/Database.

Expected Behavior: Terraform should fail or throw an error indicating that public access cannot be enabled on a delegated subnet.

High Risk of Data Loss (Destructive Change) Attempting to fix the networking issue by removing the delegated_subnet_id (migrating away from VNET delegation for example creating a azurerm_private_endpoint instead) forces a resource replacement.

Versions:

Provider: hashicorp/azurerm ~> 4.57

Terraform Version: ~> 1.14

Snippet:

resource "azurerm_postgresql_flexible_server" "postgresql" { ... # If this is set, public_network_access_enabled MUST be false delegated_subnet_id = azurerm_subnet.postgresql.id private_dns_zone_id = azurerm_private_dns_zone.postgresql.id # This configuration is ignored by Azure if delegation is active, but Terraform does not error. # public_network_access_enabled = true ... }
VRISHABHANATH PATIL 5,250 Reputation points Microsoft External Staff Moderator

2026-01-22T20:28:58.6833333+00:00
Hi @Kiarash Azarnia

This behavior is expected and aligns with Azure’s networking design for PostgreSQL Flexible Server, rather than being a service issue or data loss risk.

Why Terraform “applies” but Azure shows Public access as Disabled

When delegated_subnet_id is configured, Azure enforces private‑only access for PostgreSQL Flexible Server. In this mode:

Public Network Access is not supported at all

Even if Terraform sets public_network_access_enabled = true, Azure silently overrides it to Disabled

Terraform completes successfully because the API call itself is accepted, but the platform enforces the final state

So what you’re seeing in the Azure portal is Azure enforcing a hard platform rule, not a failed deployment or inconsistent state.

Why Terraform throws an error when public access is enabled on a delegated subnet

Once a delegated subnet is in use:

Azure does not allow public access

Any attempt (via Terraform) to enable public access conflicts with this rule

The provider surfaces this as an error during subsequent applies

This is expected and intentional behavior.

Why removing the delegated subnet forces resource replacement

The networking mode (delegated subnet vs non‑delegated) is an immutable property for PostgreSQL Flexible Server.

Removing delegated_subnet_id means changing how the server is exposed on the network

Azure requires a new server to be provisioned to avoid routing, DNS, and data integrity issues

Terraform correctly marks this as a destructive change to protect against accidental data loss

This isn’t Terraform being aggressive—it’s a safeguard.

Recommended approach going forward

If you choose delegated subnet → Use private access only (no public endpoint)

If you need public access → Deploy the server without delegation from the start

To switch models safely:

Deploy a new PostgreSQL Flexible Server

Migrate data using logical backup/restore or replication

Cut over traffic once validated

2 answers

Your answer

Kiarash Azarnia 5 Reputation points

2026-01-22T17:01:33.96+00:00

I encountered a critical issue when configuring azurerm_postgresql_flexible_server with VNET Delegation enabled. There are two major behaviors to be aware of:

Silent Failure on Public Network Access If the cluster is set up with VNET Delegation, setting public_network_access_enabled = true is not supported by Azure. However, Terraform (Provider hashicorp/azurerm v4.57) incorrectly reports the apply as successful.

Observed Behavior: Terraform state updates, reporting "Apply complete," but the setting remains Disabled in the Azure Portal/Database.

Expected Behavior: Terraform should fail or throw an error indicating that public access cannot be enabled on a delegated subnet.

High Risk of Data Loss (Destructive Change) Attempting to fix the networking issue by removing the delegated_subnet_id (migrating away from VNET delegation for example creating a azurerm_private_endpoint instead) forces a resource replacement.

Versions:

Provider: hashicorp/azurerm ~> 4.57

Terraform Version: ~> 1.14

Snippet:

resource "azurerm_postgresql_flexible_server" "postgresql" { ... # If this is set, public_network_access_enabled MUST be false delegated_subnet_id = azurerm_subnet.postgresql.id private_dns_zone_id = azurerm_private_dns_zone.postgresql.id # This configuration is ignored by Azure if delegation is active, but Terraform does not error. # public_network_access_enabled = true ... }

Answer 1

Pilladi Padma Sai Manisha 3,875 Microsoft External Staff Moderator

Hi Kiarash Azarnia,
Thank you for Reaching microsoft Q&A!.
We’ve reviewed your configuration and the PostgreSQL Flexible Server itself is healthy. The Protection Error you’re seeing is not caused by Terraform or the backup policy, but by a missing service prerequisite.

For Azure Backup (VaultStore) with PostgreSQL Flexible Server, RBAC permissions alone are not sufficient. During protection enablement and backup validation, the Azure Backup service must be able to reach the PostgreSQL server over the network.

In your current setup, the issue is caused by one or both of the following:

Public network access is disabled on the PostgreSQL Flexible Server, or “Allow Azure services to access this server” is not enabled in the firewall settings.

When the backup service cannot connect to the server, the platform returns the generic error PostgreSQLFlexOperationFailedUserError, even though the server itself is healthy.

To resolve the issue, please ensure the following:

Enable Public network access on the PostgreSQL Flexible Server. Under Firewall rules, enable Allow public access from Azure services.

Additionally, please note that the Backup Operator role is not the correct role for PostgreSQL Flexible Server backups. The Backup Vault’s managed identity must be assigned the PostgreSQL Flexible Server Backup Operator role at the server scope. No Long-Term Retention role is required for Flexible Server backups.

There are no known regional issues with VaultStore backups for PostgreSQL Flexible Server in eu-central or other regions.

After updating the firewall settings and correcting the role assignment, allow a few minutes for propagation and then retry the protection operation. The backup instance should automatically transition from Protection Error to Protected.

If you want, I can also help validate the exact role definition name in Terraform to avoid RBAC mismatches.

Kiarash Azarnia 5 Reputation points

2026-01-20T14:35:49.2666667+00:00
Thanks for the response. @Pilladi Padma Sai Manisha

I’ll update the firewall and let you know if that resolves the issue.

Could you also help me identify the correct IAM role to use in Terraform?

Additionally, I’d appreciate guidance on how to configure this without enabling public access on the database, as that poses a security risk, or please clarify if it is the only way so I can decide on the risk management side.
Pilladi Padma Sai Manisha 3,875 Reputation points Microsoft External Staff Moderator

2026-01-21T01:48:55.0066667+00:00

Hi Kiarash Azarnia
Thanks for checking.

Correct IAM role: For Azure Backup (VaultStore) with PostgreSQL Flexible Server, assign the PostgreSQL Flexible Server Backup Operator role to the Backup Vault’s managed identity at the server scope. The generic Backup Operator and Long Term Retention Backup roles are not used for this scenario.

Regarding public access: Currently, enabling public network access with “Allow Azure services” is required for Azure Backup to function with PostgreSQL Flexible Server. Private Endpoin-only access is not supported for VaultStore backups at this time.

To minimize risk, you can enable public access without adding IP rules this allows access only from trusted Azure services such as Azure Backup.

Please apply these changes and retry the protection operation. Let us know how it goes.

Kiarash Azarnia 5

thanks again @Pilladi Padma Sai Manisha

We can not use VNET Delegation with Public Access in the same time, I should use PrivateEndpoint to save my private connection, am I correct?

Also could you guide me which terraform resource should I use to make sure the firewall is configured correctly, is this snippet correct?



# Security Warning: This rule (0.0.0.0) allows network access from ANY Azure resource, 
# including other tenants. It is currently required for Azure Backup (Vaulted) connectivity
# More details: https://learn.microsoft.com/en-us/answers/questions/5727614/azure-backup-for-postgresql-flexible-server-protec
resource "azurerm_postgresql_flexible_server_firewall_rule" "allow_azure_services" {
  name             = "AllowAzureServices"
  server_id        = azurerm_postgresql_flexible_server.postgresql.id
  start_ip_address = "0.0.0.0"
  end_ip_address   = "0.0.0.0"
}

Kiarash Azarnia 5 Reputation points

2026-01-21T15:37:34.9066667+00:00

by the way, the role mentioned, "PostgreSQL Flexible Server Backup Operator", seems not existing, could you provide a link to the exact document describing the role?

@Pilladi Padma Sai Manisha
Pilladi Padma Sai Manisha 3,875 Reputation points Microsoft External Staff Moderator

2026-01-27T11:02:56.6233333+00:00
Hi Kiarash Azarnia
Sorry for delay in Response.
Thanks for the clarification.

VNET delegation vs Public access Yes, your understanding is correct. A PostgreSQL Flexible Server cannot be Private Endpoint–only and still work with Azure Backup (VaultStore). At this time, Azure Backup requires public network access with “Allow Azure services” enabled, even if the server is deployed using VNET delegation. Private Endpoint–only connectivity is not supported for VaultStore backups today.

Firewall configuration (Terraform) Your Terraform snippet is correct and is the supported way to enable Azure Backup connectivity:

resource "azurerm_postgresql_flexible_server_firewall_rule" "allow_azure_services" { name = "AllowAzureServices" server_id = azurerm_postgresql_flexible_server.postgresql.id start_ip_address = "0.0.0.0" end_ip_address = "0.0.0.0" }

This does not expose the server to arbitrary internet traffic; it allows access only from Azure platform services, including Azure Backup.

IAM role clarification Apologies for the confusion earlier. The exact built-in role name required is:

PostgreSQL Flexible Server Backup Operator

This role must be assigned to the Backup Vault’s managed identity at the PostgreSQL server scope. There is no separate role named “Azure Backup to function with PostgreSQL Flexible Server.”

Once the firewall rule and correct role are in place, allow a few minutes for propagation and retry enabling protection. The backup instance should move to Protected automatically.

https://learn.microsoft.com/en-us/azure/backup/tutorial-create-first-backup-azure-database-postgresql-flex
https://learn.microsoft.com/en-us/azure/backup/backup-azure-database-postgresql-overview
Pilladi Padma Sai Manisha 3,875 Reputation points Microsoft External Staff Moderator

2026-01-29T00:45:00.5333333+00:00

Hi Kiarash Azarnia,
I hope you had a chance to review the information shared earlier, and I hope this information has been helpful! If you still have questions, please let us know what is needed in the comments so the question can be answered.
Kiarash Azarnia 5 Reputation points

2026-01-29T14:34:45.0533333+00:00

Thank you @Pilladi Padma Sai Manisha and @Vrishabhanath Patil

I'll plan to migrate the db to enable vaulted backup. As feedback, I think it would be better to return an error when the database is using VNet delegation and cannot use a public endpoint. This is preferable to providing a success result via the API and then fixing it asynchronously, which creates an inconsistent Terraform state with the actual infrastructure configuration.
Pilladi Padma Sai Manisha 3,875 Reputation points Microsoft External Staff Moderator

2026-01-30T01:22:09.83+00:00

Hi Kiarash Azarnia,
Thank you for sharing your feedback, and your observation is valid.

At present, Azure Backup for PostgreSQL Flexible Server performs validation asynchronously. As a result, the API and Terraform may report a successful configuration even when network prerequisites (such as VNet delegation without public access) prevent the backup operation from succeeding. This can lead to a temporary inconsistency between the Terraform state and the actual protection status.

Given the current service behavior, migrating the database to a configuration that supports Azure Backup connectivity is the correct approach.

If you need assistance validating the new setup or have questions during the migration, please let us know and we’ll be happy to help.
VRISHABHANATH PATIL 5,250 Reputation points Microsoft External Staff Moderator

2026-02-02T04:58:12.8466667+00:00

Hi Kiarash Azarnia,

Did you get any chance to review the above response. Do let me know if you have any further queries.

Answer 2

The error code PostgreSQLFlexOperationFailedUserError signifies a user error during the backup operation for your PostgreSQL Flexible Server. Here are some specific areas to investigate and potential solutions:

Permissions: While you have assigned the Backup Operator role, it may be beneficial to also assign the PostgreSQL Flexible Server Long Term Retention Backup Role. This role provides additional permissions that might be necessary for successful backup operations.
Server State: Confirm that your PostgreSQL Flexible Server is in a valid state for backups. The server's state should be reflected as "state": "Ready" in its resource JSON. If it is not in this state, you will need to wait for it to become ready or address any underlying issues.
Resource Validity: Ensure that both the resource group and the PostgreSQL Flexible Server instance are correctly referenced and exist. Errors such as ResourceGroupNotFound or ResourceNotFound can indicate issues with these references.
Backup Frequency: Be cautious about the frequency of your backup operations. If you are attempting to run backups too frequently, you may encounter the maximum concurrent operation limit. The recommended backup frequency is weekly, so ensure you are not exceeding this limit.
Regional Issues: Lastly, check for any known issues with VaultStore backups for PostgreSQL Flexible Servers in the eu-central region. It may be helpful to consult Azure's documentation or support for any specific issues that could be affecting your backup operations.

By addressing these areas, you should be able to troubleshoot and resolve the protection error you are experiencing.

Share via

Azure Backup for PostgreSQL Flexible Server - Protection Error: PostgreSQLFlexOperationFailedUserError

Problem Description

Infrastructure Configuration

Infrastructure Configuration

What I've Verified

Questions

Terraform Code Snippet

2 answers

Your answer