Enable private access in Azure Cosmos DB for PostgreSQL


Private access allows resources in an Azure virtual network to connect securely and privately to nodes in a cluster. This how-to assumes you've already created a virtual network and subnet. For an example of setting up prerequisites, see the private access tutorial.

Create a cluster with a private endpoint

  1. Select Create a resource in the upper left-hand corner of the Azure portal.
  2. On the Create a resource page, select Databases, and then select Azure Cosmos DB.
  3. On the Select API option page, on the PostgreSQL tile, select Create.
  4. On the Create an Azure Cosmos DB for PostgreSQL cluster page, select or create a Resource group, enter a Cluster name and Location, and enter and confirm the administrator Password.
  5. Select Next: Networking.
  6. On the Networking tab, for Connectivity method, select Private access.
  7. On the Create private endpoint screen, enter or select appropriate values for:
    • Resource group
    • Location
    • Name
    • Target sub-resource
    • Virtual network
    • Subnet
    • Integrate with private DNS zone
  8. Select OK.
  9. After you create the private endpoint, select Review + create and then select Create to create your cluster.

Enable private access on an existing cluster

To create a private endpoint to a node in an existing cluster, open the Networking page for the cluster.

  1. Select Add private endpoint.

    Screenshot of selecting Add private endpoint on the Networking screen.

  2. On the Basics tab of the Create a private endpoint screen, confirm the Subscription, Resource group, and Region. Enter a Name for the endpoint, such as my-cluster-1, and a Network interface name, such as my-cluster-1-nic.


    Unless you have a good reason to choose otherwise, we recommend picking a subscription and region that match those of your cluster. The default values for the form fields might not be correct. Check them and update if necessary.

  3. Select Next: Resource. For Target sub-resource, choose the target node of the cluster. Usually coordinator is the desired node.

  4. Select Next: Virtual Network. Choose the desired Virtual network and Subnet. Under Private IP configuration, select Statically allocate IP address or keep the default, Dynamically allocate IP address.

  5. Select Next: DNS.

  6. Under Private DNS integration, for Integrate with private DNS zone, keep the default Yes or select No.

  7. Select Next: Tags, and add any desired tags.

  8. Select Review + create. Review the settings, and select Create when satisfied.

Next steps