Networking overview for Azure Database for PostgreSQL - Flexible Server
APPLIES TO: Azure Database for PostgreSQL - Flexible Server
This article describes connectivity and networking concepts for Azure Database for PostgreSQL - Flexible Server.
When you create an Azure Database for PostgreSQL - Flexible Server instance (a flexible server), you must choose one of the following networking options: Private access (VNet integration) or Public access (allowed IP addresses).
You can't change your networking option after the server is created.
The following characteristics apply whether you choose to use the private access or the public access option:
- Connections from allowed IP addresses need to authenticate to the PostgreSQL server with valid credentials.
- Connection encryption is enforced for your network traffic.
- The server has a fully qualified domain name (FQDN). For the
hostnameproperty in connection strings, we recommend using the FQDN instead of an IP address.
- Both options control access at the server level, not at the database or table level. You would use PostgreSQL's roles properties to control database, table, and other object access.
Because Azure Database for PostgreSQL is a managed database service, users are not provided host or OS access to view or modify configuration files such as
pg_hba.conf. The content of the files is automatically updated based on the network settings.
Private access (VNet integration)
You can deploy a flexible server into your Azure virtual network (VNet). Azure virtual networks provide private and secure network communication. Resources in a virtual network can communicate through private IP addresses that were assigned on this network.
Choose this networking option if you want the following capabilities:
- Connect from Azure resources in the same virtual network to your flexible server by using private IP addresses.
- Use VPN or Azure ExpressRoute to connect from non-Azure resources to your flexible server.
- Ensure that the flexible server has no public endpoint that's accessible through the internet.
In the preceding diagram:
- Flexible servers are injected into subnet 10.0.1.0/24 of the VNet-1 virtual network.
- Applications that are deployed on different subnets within the same virtual network can access flexible servers directly.
- Applications that are deployed on a different virtual network (VNet-2) don't have direct access to flexible servers. You have to perform virtual network peering for a private DNS zone before they can access the flexible server.
Virtual network concepts
An Azure virtual network contains a private IP address space that's configured for your use. Your virtual network must be in the same Azure region as your flexible server. To learn more about virtual networks, see the Azure Virtual Network overview.
Here are some concepts to be familiar with when you're using virtual networks with PostgreSQL flexible servers:
Delegated subnet. A virtual network contains subnets (sub-networks). Subnets enable you to segment your virtual network into smaller address spaces. Azure resources are deployed into specific subnets within a virtual network.
Your flexible server must be in a subnet that's delegated. That is, only Azure Database for PostgreSQL - Flexible Server instances can use that subnet. No other Azure resource types can be in the delegated subnet. You delegate a subnet by assigning its delegation property as
Microsoft.DBforPostgreSQL/flexibleServers. The smallest CIDR range you can specify for a subnet is /28, which provides fourteen IP addresses, however the first and last address in any network or subnet can't be assigned to any individual host. Azure reserves five IPs to be utilized internally by Azure networking, which include two IPs that cannot be assigned to host, mentioned above. This leaves you eleven available IP addresses for /28 CIDR range, whereas a single Flexible Server with High Availability features utilizes 4 addresses.
GatewaySubnetare reserved within Azure. Don't use any of these as your subnet name.
Network security group (NSG). Security rules in NSGs enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces. For more information, see the NSG overview.
Application security groups (ASGs) make it easy to control Layer-4 security by using NSGs for flat networks. You can quickly:
- Join virtual machines to an ASG, or remove virtual machines from an ASG.
- Dynamically apply rules to those virtual machines, or remove rules from those virtual machines.
For more information, see the ASG overview.
At this time, we don't support NSGs where an ASG is part of the rule with Azure Database for PostgreSQL - Flexible Server. We currently advise using IP-based source or destination filtering in an NSG.
High availability Features of Azure Database for PostgreSQL - Flexible Server require ability to send\receive traffic to destination ports 5432, 6432 within Azure virtual network subnet where Azure Database for PostgreSQL - Flexible Server is deployed , as well as to Azure storage for log archival. If you create Network Security Groups (NSG) to deny traffic flow to or from your Azure Database for PostgreSQL - Flexible Server within the subnet where its deployed, please make sure to allow traffic to destination ports 5432 and 6432 within the subnet, and also to Azure storage by using service tag Azure Storage as a destination.
Private DNS zone integration. Azure private DNS zone integration allows you to resolve the private DNS within the current virtual network or any in-region peered virtual network where the private DNS zone is linked.
Using a private DNS zone
If you use the Azure portal or the Azure CLI to create flexible servers with a virtual network, a new private DNS zone is automatically provisioned for each server in your subscription by using the server name that you provided.
If you use an Azure API, an Azure Resource Manager template (ARM template), or Terraform, create private DNS zones that end with
.postgres.database.azure.com. Use those zones while configuring flexible servers with private access. For example, use the form
[name].postgres.database.azure.com. If you choose to use the form
[name].postgres.database.azure.com, the name can't be the name you use for one of your flexible servers or an error message will be shown during provisioning. For more information, see the private DNS zones overview.
When using private network access with Azure virtual network, providing the private DNS zone information is mandatory across various interfaces, including API, ARM, and Terraform. Therefore, for new Azure Database for PostgreSQL Flexible Server creation using private network access with API, ARM, or Terraform, create private DNS zones and use them while configuring flexible servers with private access. See more information on REST API specifications for Microsoft Azure. If you use the Azure portal or Azure CLI for creating flexible servers, you can either provide a private DNS zone name that you had previously created in the same or a different subscription or a default private DNS zone is automatically created in your subscription.
Using Azure Portal, CLI or ARM, you can also change private DNS Zone from the one you provided when creating your Azure Database for PostgreSQL - Flexible Server to another private DNS zone that exists the same or different subscription.
Ability to change private DNS Zone from the one you provided when creating your Azure Database for PostgreSQL - Flexible Server to another private DNS zone is currently disabled for servers with High Availability feature enabled.
Integration with a custom DNS server
If you're using a custom DNS server, you must use a DNS forwarder to resolve the FQDN of Azure Database for PostgreSQL - Flexible Server. The forwarder IP address should be 126.96.36.199.
The custom DNS server should be inside the virtual network or reachable via the virtual network's DNS server setting. To learn more, see Name resolution that uses your own DNS server.
Private DNS zone and virtual network peering
Private DNS zone settings and virtual network peering are independent of each other. If you want to connect to the flexible server from a client that's provisioned in another virtual network from the same region or a different region, you have to link the private DNS zone with the virtual network. For more information, see Link the virtual network.
Only private DNS zone names that end with
postgres.database.azure.com can be linked. Your DNS zone name cannot be the same as your flexible server(s) otherwise name resolution will fail.
Unsupported virtual network scenarios
Here are some limitations for working with virtual networks:
- A flexible server deployed to a virtual network can't have a public endpoint (or public IP or DNS).
- After a flexible server is deployed to a virtual network and subnet, you can't move it to another virtual network or subnet. You can't move the virtual network into another resource group or subscription.
- Subnet size (address spaces) can't be increased after resources exist in the subnet.
- A flexible server doesn't support Azure Private Link. Instead, it uses virtual network injection to make the flexible server available within a virtual network.
Azure Resource Manager supports ability to lock resources, as a security control. Resource locks are applied to the resource, and are effective across all users and roles. There are two types of resource lock: CanNotDelete and ReadOnly. These lock types can be applied either to a Private DNS zone, or to an individual record set. Applying a lock of either type against Private DNS Zone or individual record set may interfere with ability of Azure Database for PostgreSQL - Flexible Server service to update DNS records and cause issues during important operations on DNS, such as High Availability failover from primary to secondary. For these reasons, please make sure you are not utilizing DNS private zone or record locks when utilizing High Availability features with Azure Database for PostgreSQL - Flexible Server.
Public access (allowed IP addresses)
When you choose the public access method, your flexible server is accessed through a public endpoint over the internet. The public endpoint is a publicly resolvable DNS address. The phrase allowed IP addresses refers to a range of IP addresses that you choose to give permission to access your server. These permissions are called firewall rules.
Choose this networking option if you want the following capabilities:
- Connect from Azure resources that don't support virtual networks.
- Connect from resources outside Azure that are not connected by VPN or ExpressRoute.
- Ensure that the flexible server has a public endpoint that's accessible through the internet.
Characteristics of the public access method include:
- Only the IP addresses that you allow have permission to access your PostgreSQL flexible server. By default, no IP addresses are allowed. You can add IP addresses during server creation or afterward.
- Your PostgreSQL server has a publicly resolvable DNS name.
- Your flexible server is not in one of your Azure virtual networks.
- Network traffic to and from your server does not go over a private network. The traffic uses the general internet pathways.
If a connection attempt comes from an IP address that you haven't allowed through a firewall rule, the originating client will get an error.
Allowing all Azure IP addresses
If a fixed outgoing IP address isn't available for your Azure service, you can consider enabling connections from all IP addresses for Azure datacenters.
The Allow public access from Azure services and resources within Azure option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. When you select this option, make sure that your sign-in and user permissions limit access to only authorized users.
Troubleshooting public access issues
Consider the following points when access to the Azure Database for PostgreSQL service doesn't behave as you expect:
Changes to the allowlist have not taken effect yet. There might be as much as a five-minute delay for changes to the firewall configuration of the Azure Database for PostgreSQL server to take effect.
Authentication failed. If a user doesn't have permissions on the Azure Database for PostgreSQL server or the password is incorrect, the connection to the Azure Database for PostgreSQL server is denied. Creating a firewall setting only provides clients with an opportunity to try connecting to your server. Each client must still provide the necessary security credentials.
Dynamic client IP address is preventing access. If you have an internet connection with dynamic IP addressing and you're having trouble getting through the firewall, try one of the following solutions:
- Ask your internet service provider (ISP) for the IP address range assigned to your client computers that access the Azure Database for PostgreSQL server. Then add the IP address range as a firewall rule.
- Get static IP addressing instead for your client computers, and then add the static IP address as a firewall rule.
Firewall rule is not available for IPv6 format. The firewall rules must be in IPv4 format. If you specify firewall rules in IPv6 format, you'll get a validation error.
Regardless of the networking option that you choose, we recommend that you always use an FQDN as host name when connecting to your flexible server. The server's IP address is not guaranteed to remain static. Using the FQDN will help you avoid making changes to your connection string.
An example that uses an FQDN as a host name is
hostname = servername.postgres.database.azure.com. Where possible, avoid using
hostname = 10.0.0.4 (a private address) or
hostname = 188.8.131.52 (a public address).
TLS and SSL
Azure Database for PostgreSQL - Flexible Server enforces connecting your client applications to the PostgreSQL service by using Transport Layer Security (TLS). TLS is an industry-standard protocol that ensures encrypted network connections between your database server and client applications. TLS is an updated protocol of Secure Sockets Layer (SSL).
Azure Database for PostgreSQL supports TLS 1.2 and later. In RFC 8996, the Internet Engineering Task Force (IETF) explicitly states that TLS 1.0 and TLS 1.1 must not be used. Both protocols were deprecated by the end of 2019.
All incoming connections that use earlier versions of the TLS protocol, such as TLS 1.0 and TLS 1.1, will be denied by default.
SSL and TLS certificates certify that your connection is secured with state-of-the-art encryption protocols. By encrypting your connection on the wire, you prevent unauthorized access to your data while in transit. This is why we strongly recommend using latest versions of TLS to encrypt your connections to Azure Database for PostgreSQL - Flexible Server. Although its not recommended, if needed, you have an option to disable TLS\SSL for connections to Azure Database for PostgreSQL - Flexible Server by updating the require_secure_transport server parameter to OFF. You can also set TLS version by setting ssl_min_protocol_version and ssl_max_protocol_version server parameters.
Submit and view feedback for