Encrypted connectivity using Transport Layer Security in Azure Database for PostgreSQL - Flexible Server
APPLIES TO: Azure Database for PostgreSQL - Flexible Server
Azure Database for PostgreSQL flexible server supports connecting your client applications to Azure Database for PostgreSQL flexible server using Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL). TLS is an industry standard protocol that ensures encrypted network connections between your database server and client applications, allowing you to adhere to compliance requirements.
Azure Database for PostgreSQL flexible server supports encrypted connections using Transport Layer Security (TLS 1.2+) and all incoming connections with TLS 1.0 and TLS 1.1 will be denied. For all Azure Database for PostgreSQL flexible server instances enforcement of TLS connections is enabled.
Note
By default, secured connectivity between the client and the server is enforced. If you want to disable TLS/SSL for connecting to Azure Database for PostgreSQL flexible server, you can change the server parameter require_secure_transport to OFF. You can also set TLS version by setting ssl_max_protocol_version server parameters.
Applications that require certificate verification for TLS/SSL connectivity
In some cases, applications require a local certificate file generated from a trusted Certificate Authority (CA) certificate file to connect securely. For more information on downloading root CA certificates you can visit this document. Detailed information on updating client applications certificate stores with new Root CA certificates has been documented in this how-to document.
Note
Azure Database for PostgreSQL - Flexible server doesn't support custom SSL\TLS certificates at this time.
Connect using psql
If you created your Azure Database for PostgreSQL flexible server instance with Private access (VNet Integration), you will need to connect to your server from a resource within the same VNet as your server. You can create a virtual machine and add it to the VNet created with your Azure Database for PostgreSQL flexible server instance.
If you created your Azure Database for PostgreSQL flexible server instance with Public access (allowed IP addresses), you can add your local IP address to the list of firewall rules on your server.
The following example shows how to connect to your server using the psql command-line interface. Use the sslmode=verify-full
connection string setting to enforce TLS/SSL certificate verification. Pass the local certificate file path to the sslrootcert
parameter.
psql "sslmode=verify-full sslrootcert=c:\\ssl\DigiCertGlobalRootCA.crt.pem host=mydemoserver.postgres.database.azure.com dbname=postgres user=myadmin"
Note
Confirm that the value passed to sslrootcert matches the file path for the certificate you saved.
Ensure your application or framework supports TLS connections
Some application frameworks that use PostgreSQL for their database services do not enable TLS by default during installation. Your Azure Database for PostgreSQL flexible server instance enforces TLS connections but if the application is not configured for TLS, the application may fail to connect to your database server. Consult your application's documentation to learn how to enable TLS connections.