Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,309 questions
Cannot connect to Azure DB for PostgresSQL flexible from different vnet
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 84%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWA%3C/text%3E%3C/svg%3E)
Wilde, Andrew
0
Reputation points
Hi, we cannot connect from an AKS pod running in one VNET to an Azure DB for PostgreSQL flexible server running in a different VNET. We can connect from an AKS pod running in the same VNET. The error is demonstrated by running curl from the pod:
curl -v redactedname.postgres.database.azure.com:5432*
** Trying 10.77.0.212:5432...*
** connect to 10.77.0.212 port 5432 failed: Connection timed out*
We have configured private access to the Azure Database for PostgreSQL flexible server according to the documentation https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-private#virtual-network-concepts. Our setup is similar to that shown in diagram (attached) from the article, where the green arrow shows a successful connection from an AKS cluster in the same VNET, whereas the red arrow shows unsuccessful (timed out) connection from AKS cluster in another VNET. The VNETs are peered using a hub and spoke model and we know this is working for other use-cases between the same VNETs, so we do not think this is the problem. The private access to the Flexible Server has been configured according to the documentation link above:
- Delegated subnet
- Subnet configured with CIDR range of /28 to give 16 IP addresses.
- There are no Route Tables associated to the subnet.
- HA is not configured
- The Network Security Group associated to subnet has been configured to allow inbound traffic on from AKS cluster to the server on port 5432
The problem seem to be when the request reaches the subnet of the PostgreSQL server (or the server itself) since the flow logs of the NSG associated to subnet show initial connections being established, but without packets being sent:
"rule": "UserRule_postgres_allow",
"flows": [
{
"mac": "6045BDF210A3",
"flowTuples": [
"1718283991,10.76.0.180,10.77.0.212,57622,5432,T,I,A,B,,,,",
"1718284008,10.76.0.180,10.77.0.212,32802,5432,T,I,A,B,,,,",
"1718284041,10.76.0.180,10.77.0.212,36740,5432,T,I,A,B,,,,"
]
}
]
}
Any help with this would be greatly appreciated.
Thanks,
Andy.
{count} votes
-
Oury Ba-MSFT 18,026 Reputation points Microsoft Employee2024-07-09T20:01:13.7833333+00:00 @Wilde, Andrew Thank you for reaching out and sorry about the issue you are facing.
Seems like you’re facing connectivity issues when trying to connect from an AKS pod in one VNET to an Azure Database for PostgreSQL flexible server in a different VNET.
If they are using a custom DNS server, you will need to set up a conditional DNS forwarder as mentioned below.
Ensure that the DNS configuration is correct. If you are using a custom DNS, you will need to set up a conditional DNS forwarder to forward the PostgreSQL domain to Azure DNS for each DNS server. This is necessary because the flexible server VNET integration only supports Azure DNS server.
-
Wilde, Andrew 0 Reputation points
2024-07-10T13:19:27.91+00:00 Thanks for the response. We are not using a custom DNS and if I do nslookup to the server FQDN then an IP address is found, so I don't think this is a DNS issue. Also the NSG flow logs seem to indicate traffic reaching at least the subnet containing the Azure Database for PostgreSQL flexible server. This is why I think the problem is with subnet or maybe the server itself.
-
Oury Ba-MSFT 18,026 Reputation points Microsoft Employee
2024-07-10T18:50:34.8566667+00:00 Thank you for getting back. It will be difficult to pinpoint the exact cause of the issue without looking into your environment. I would suggest opening a support ticket so we can further investigate.
Regards,
Oury
Sign in to comment