Connecting from Azure
Three different methods enable you to connect to your cluster from your application's virtual network in Azure. Each method offers different levels of accessibility and security. We recommend the Azure Private Endpoint method and it is the most commonly used.
Azure Private Endpoint (recommended)
While other methods for connecting your cluster from your application's virtual network in Azure are available, we strongly recommend using the Azure Private Endpoint method.
Azure Private Endpoint is a network interface that securely connects a private IP address from your Azure Virtual Network (VNet) to an external service. You grant access only to a single cluster instead of the entire BigAnimal resource virtual network, thus ensuring maximum network isolation. Other advantages include:
- You need to configure the Private Link only once. Then you can use multiple Private Endpoints to connect applications from many different VNets.
- There's no risk of IP address conflicts.
Private Endpoints are the same mechanism used by first-party Azure services such as CosmosDB for private VNet connectivity. For more information, see What is an Azure Private Endpoint?. Private Links, which Private Endpoints require, are not free, however. See Azure Private Link pricing for information on the costs associated with Private Links.
Note
If you set up a private endpoint and want to change to a public network, you must remove the private endpoint resources before making the change.
Private Endpoint example
This example shows how to connect your cluster using Azure Private Endpoint.
Assume that your cluster is on a subscription called development and is being accessed from a Linux client VM on another subscription called test, with the following properties:
- Cluster:
  - Subscription: development
  - Cluster ID: p-mckwlbakq5
  - Account ID: brcxzr08qr7rbei1
  - Organization's domain name: biganimal.io
- Linux client VM called vm-client:
  - Subscription: test
  - Resource group: rg-client
  - Virtual network: vnet-client
  - Virtual network subnet: snet-client
Prerequisites
To walk through an example in your own environment, you need:
- Your cluster URL. You can find the URL in the Connect tab of your cluster instance in the BigAnimal portal.
- The IP address of your cluster. You can find the IP address of your cluster using the following command:
  dig +short p-mckwlbakq5.brcxzr08qr7rbei1.biganimal.io
  Output:
  10.240.1.218
- A PostgreSQL client, such as psql, installed on your client VM.
Step 1: Create an Azure Private Link service for your cluster
In this example, you create an Azure Private Link service in your cluster's resource group. You must perform this procedure for every cluster that you want to connect to in Azure.
1. Get the resource group details from the Azure CLI or the Azure portal and note the resource group name. For example, if the cluster's virtual network is vnet-japaneast, use the following command:
   az network vnet list --query "[?name=='vnet-japaneast'].resourceGroup" -o json
2. On the upper-left part of the page in the Azure portal, select Create a resource.
3. In the Search the Marketplace box, search for Private Link.
4. Select Create.
5. Enter the details for the Azure Private Link. Use a unique name for the Azure Private Link. For example, p-mckwlbakq5-service-private-link, where p-mckwlbakq5 is the cluster ID. Enter the resource group name from step 1.
6. In the Outbound settings page, select the kubernetes-internal load balancer and select the IP address of your cluster in the Load balancer frontend IP address field. You can get the IP address of your cluster with the following command:
   dig +short p-mckwlbakq5.brcxzr08qr7rbei1.biganimal.io
   Output:
   10.240.1.218
7. On the Access security page, configure the level of access for the private link service. See control service exposure for details.
   Note
   If the required access is not provided to the account or subscription accessing the cluster, you must manually approve the connection request from the Pending connections page in Private Link Center.
8. After the private link service is created, note its alias. The alias is the unique ID for your private service, which you can share with the service consumers. Obtain the alias either from the Azure portal or by using the following CLI command:
   az network private-link-service list --query "[?name=='p-mckwlbakq5-service-private-link'].alias" -o tsv
   Output:
   p-mckwlbakq5-service-private-link.48f26b42-45dc-4e80-8e3d-307d58d7d274.japaneast.azure.privatelinkservice
9. Select Review + Create.
10. Select Create.
Step 2: Create an Azure Private Endpoint in each client virtual network
In this example, you create an Azure Private Endpoint in your client VM's virtual network. After you create the private endpoint, you can use its private IP address to access the cluster. You must perform this procedure for every virtual network you want to connect from.
1. On the upper-left side of the screen in the Azure portal, select Create a resource > Networking > Private Link, or in the search box enter Private Link.
2. Select Create.
3. In Private Link Center, select Private endpoints in the menu on the left.
4. In Private endpoints, select Add.
5. Enter the details for the private endpoint as shown in the following image. Use a unique name for the private endpoint. For example, enter vnet-client-private-pg-service, where vnet-client is the client VNet ID.
   Note
   In a later step, you need the private endpoint's name to get its private IP address.
6. Connect the private endpoint to the private link service that you created by entering its alias.
7. In the Configuration page, enter the client VM's virtual network vnet-client.
8. Select Review + Create.
9. Select Create.
   Note
   If the private endpoint's status appears as Pending, your account or subscription might not be authorized to access the private link service.
   To resolve this issue, the connection must be manually approved from the Pending connections page in Private Link Center, from the BigAnimal Azure subscription.
10. You have successfully built a tunnel between your client VM's virtual network and the cluster. You can now access the cluster from the private endpoint in your client VM. The private endpoint's private IP address is associated with an independent virtual network NIC. Get the private endpoint's private IP address using the following commands:
   # Resource ID of the private endpoint's NIC; ${NICID##*/} keeps only the last path segment, the NIC name
   NICID=$(az network private-endpoint show -n vnet-client-private-pg-service -g rg-client --query "networkInterfaces[0].id" -o tsv)
   az network nic show -n "${NICID##*/}" -g rg-client --query "ipConfigurations[0].privateIpAddress" -o tsv
   Output:
   100.64.111.5
11. From the client VM vm-client, access the cluster by using the private IP address:
   psql -h 100.64.111.5 -U edb_admin
   Output:
   Password for user edb_admin:
   psql (13.4 (Ubuntu 13.4-1.pgdg20.04+1), server 13.4.8 (Debian 13.4.8-1+deb10))
   WARNING: psql major version 13, server major version 13. Some psql features might not work.
   SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
   Type "help" for help.
   edb_admin=>
Step 3: Create an Azure Private DNS Zone for the private endpoint
EDB strongly recommends using an Azure Private DNS Zone with the private endpoint to establish a connection with a cluster. You can't validate TLS certificates using verify-full when connecting to an IP address.
With a Private DNS Zone, you configure a DNS entry for your cluster's public hostname, and Azure DNS ensures that all requests to that domain name from your VNet resolve to the private endpoint's IP address instead of the cluster's IP address.
Note
You need to create a single Azure Private DNS Zone for each VNet, even if you are connecting to multiple clusters. If you've already created a DNS Zone for this VNet, you can skip to step 6.
1. In the Azure portal, search for Private DNS Zones.
2. Select Private DNS zone.
3. Select Create private DNS zone.
4. Create a private DNS zone using your organization's domain name as an apex domain. The organization's domain name must be unique to your BigAnimal organization. For example, use biganimal.io.
5. Select the Virtual network link on the Private DNS Zone page of brcxzr08qr7rbei1.biganimal.io and link the private DNS Zone to the client VM's virtual network vnet-client.
6. Add a record for the private endpoint. The address is the private IP address that was created with the private endpoint in the previous step.
You can now access your cluster with this private domain name.
dig +short p-mckwlbakq5.brcxzr08qr7rbei1.biganimal.io
psql -h p-mckwlbakq5.brcxzr08qr7rbei1.biganimal.io -U edb_admin
Output:
10.240.1.123
Password for user edb_admin:
psql (13.4 (Ubuntu 13.4-1.pgdg20.04+1), server 13.4.8 (Debian 13.4.8-1+deb10))
WARNING: psql major version 13, server major version 13. Some psql features might not work.
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
edb_admin=>
Tip
You might need to flush your local DNS cache to resolve your domain name to the new private IP address after adding the private endpoint. For example, on Ubuntu, run the following command:
sudo systemd-resolve --flush-caches
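The check worth running once the private DNS zone is linked is that, from inside the VNet, the cluster hostname resolves to the private endpoint's address rather than to the cluster's own IP, and that the client then connects by hostname with sslmode=verify-full so the server certificate's name is actually verified (the reason step 3 recommends a DNS zone over a bare IP). The following POSIX shell script is an added example and is not part of the BigAnimal documentation or tooling. It takes the resolved address as a parameter so the logic can be exercised offline against constructed values, compares it with the private endpoint IP from step 2, refuses to build a connection string for a bare IP address, and prints a psql invocation that requires full certificate verification. The cluster hostname and endpoint IP are the page's example values; the CA bundle path /etc/ssl/certs/ca-certificates.crt is an assumption about the client VM.

```shell
#!/bin/sh
# Added example (not from the BigAnimal docs): confirm that the cluster hostname
# resolves to the private endpoint inside the VNet, then build a psql command
# that verifies the server certificate against that hostname.

# Values taken from the page's example; adjust for your own cluster.
CLUSTER_HOST="p-mckwlbakq5.brcxzr08qr7rbei1.biganimal.io"
PRIVATE_ENDPOINT_IP="100.64.111.5"
# Assumed location of the CA bundle on the client VM.
CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"

# is_ipv4 STRING -> exit 0 if STRING is a dotted-quad address, 1 otherwise.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# check_private_resolution RESOLVED_IP EXPECTED_IP
# RESOLVED_IP is the first answer from `dig +short HOST`. Returns 0 only when
# it equals the private endpoint address EXPECTED_IP. Anything else (the
# cluster's own address, an empty answer) means the private DNS zone is not
# yet in effect for this VNet and traffic would not use the private endpoint.
check_private_resolution() {
  is_ipv4 "$1" || return 1
  [ "$1" = "$2" ]
}

# build_psql_cmd HOST USER CA_FILE
# Prints a psql invocation that requires full certificate verification.
# Refuses to build one for a bare IP address, because verify-full cannot
# match the certificate's name against an IP.
build_psql_cmd() {
  if is_ipv4 "$1"; then
    return 1
  fi
  printf 'psql "host=%s user=%s sslmode=verify-full sslrootcert=%s"\n' "$1" "$2" "$3"
}

# Live use on the client VM: run with "--live" to resolve the name with dig
# and apply both checks. Without the flag only the functions are defined.
if [ "${1:-}" = "--live" ]; then
  resolved=$(dig +short "$CLUSTER_HOST" | head -n 1)
  if check_private_resolution "$resolved" "$PRIVATE_ENDPOINT_IP"; then
    echo "OK: $CLUSTER_HOST -> $resolved (private endpoint)"
    build_psql_cmd "$CLUSTER_HOST" edb_admin "$CA_BUNDLE"
  else
    echo "FAIL: $CLUSTER_HOST resolved to '$resolved', expected $PRIVATE_ENDPOINT_IP" >&2
    exit 1
  fi
fi
```

Run it as `sh check-private-endpoint.sh --live` on vm-client after step 6. A failure with the cluster's 10.240.x address means the VNet link or the A record is missing (or the local cache still holds the old answer; see the tip above), while a success prints the connection command to use instead of `psql -h 100.64.111.5`.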