Connecting from Azure
Three different methods enable you to connect to your cluster from your application's virtual network in Azure. Each method offers different levels of accessibility and security. We recommend the Azure private endpoint method. It's the most commonly used.
Azure private endpoint (recommended)
While other methods for connecting your cluster from your application's virtual network in Azure are available, we strongly recommend using the Azure private endpoint method.
Azure private endpoint is a network interface that securely connects a private IP address from your Azure virtual network (VNet) to an external service. You grant access only to a single cluster instead of the entire BigAnimal resource virtual network, thus ensuring maximum network isolation. Other advantages include:
- You need to configure the Private Link only once. Then you can use multiple private endpoints to connect applications from many different VNets.
- There's no risk of IP address conflicts.
Private endpoints are the same mechanism used by first-party Azure services such as CosmosDB for private VNet connectivity. For more information, see What is a private endpoint?. Private Links (required by private endpoints) aren't free, however. See Azure Private Link pricing for information on the costs associated with Private Links (required by private endpoints).
If you set up a private endpoint and want to change to a public network, you must remove the private endpoint resources before making the change.
Private endpoint example
This example shows how to connect your cluster using Azure private endpoint.
Assume that your cluster is on a subscription called
development and is being accessed from a Linux client VM on another subscription called
test. It has the following properties:
- Cluster ID:
- Account ID:
- Project ID:
- Organization's domain name:
- Linux client VM called
- Resource group:
- Virtual network:
- Virtual network subnet:
To walk through an example in your own environment, you need:
Your cluster URL. You can find the URL in the Connect tab of your cluster instance in the BigAnimal portal.
The IP address of your cluster. You can find the IP address of your cluster using the following command:
A Postgres client, such as psql, installed on your client VM.
BigAnimal automatically provisions an Azure Private Link service for every private Postgres cluster. You can easily find this managed Private Link service by looking for the one that has the Cluster ID in its name, like
In this example, you create an Azure private endpoint in your client VM's virtual network. After you create the private endpoint, you can use its private IP address to access the Postgres cluster. You must perform this procedure for every virtual network you want to connect from.
Step 1: Create an Azure private endpoint
Create an Azure private endpoint in each client virtual network that needs to connect to your BigAnimal cluster. You can create the private endpoint using either the Azure portal or the Azure CLI.
Using the Azure portal
If you prefer to create the private endpoint using the Azure portal, on the upper-left side of the screen, select Create a resource > Networking > Private Link. Alternatively. in the search box enter
In Private Link Center, select Private endpoints in the menu on the left.
In Private endpoints, select Add.
Enter the details for the private endpoint in the Basics tab:
Subscription — Select the subscription where your vm-client resides. In this case, it's
Resource group — Select a resource group in the same region where your vm-client resides. This exanple uses
Name — Use a unique name for the private endpoint. For example, enter
vnet-clientis the client VNet ID.
Network Interface Name — This takes the name of the private endpoint and appends it with
Region — The private endpoint must be in the same region as your VNet. In this case, it's
(Asia Pacific) Japan East.
In a later step, you need the private endpoint's name to get its private IP address.
On the Resource tab, connect the private endpoint to the Private Link service that you created by entering the following details:
Connection Method — Select Connect to an Azure resource in my directory.
Subscription — Select the subscription in which the target BigAnimal Postgres cluster resides. In this example, it's
Resource type — Select Microsoft.Network/privateLinkServices. This is the type of resource you want to connect to using this private endpoint.
Resource — Select the Private Link service resource whose name starts with the cluster ID. In this case, it's p-mckwlbakq5-rw-internal-lb.
BigAnimal creates the Private Link service in a resource group managed by Azure Kubernetes Service in the corresponding project/region. Its name follows this pattern:
MC_dp-PROJECT_ID-REGION-counter_REGION. In this example, it's
On the Virtual Network tab, enter the client VM’s Virtual Network details:
Virtual Network — Enter the VM client’s virtual network. In this case, it's
Subnet — To deploy the private endpoint, you must select a virtual network subnet to receive the private IP address assignment. In this example, the snet client subnet was already defined and will be assigned the private IP address. However, if a subnet isn't yet defined, you can select the default subnet, and a private IP address will be assigned.
Private IP Configuration — This option defaults to Dynamically allocate IP address. This example uses the default.
Application security group — You can leave this blank, or you can create or assign an Application Security Group. In this example, it's blank.
You can either skip or configure both DNS and Tags as you need and then go to Review + Create.
Proceed to Accessing the cluster.
Using the Azure CLI
If you prefer to create the private endpoint using the Azure CLI, either use your local terminal with an Azure CLI profile already configured or open a new Azure Cloud Shell using the Azure portal.
Use the following Azure CLI command to create the private endpoint by setting these parameters:
connection-nameneeds to be the Private Link service name, like
nameis the private endpoint name, like
private-connection-resource-idis the Azure Resource Manager path of the Private Link Service.
resource-groupis the resource group in which to create the private endpoint.
subnetis the Azure VNet subnet in which to create the private endpoint.
vnet-nameis the Azure VNet name in which to create the private endpoint.
subscriptionis the Azure subscription in which to create the private endpoint.
Accessing the cluster
You have successfully built a tunnel between your client VM's virtual network and the cluster. You can now access the cluster from the private endpoint in your client VM. The private endpoint's private IP address is associated with an independent virtual network NIC. Get the private endpoint's private IP address using the following commands:
From the client VM
vm-client, access the cluster by using the private IP address:
Step 2: Create an Azure Private DNS Zone for the private endpoint
EDB strongly recommends using a private Azure DNS zone with the private endpoint to establish a connection with a cluster. You can't validate TLS certificates using
verify-full when connecting to an IP address.
With a private DNS zone, you configure a DNS entry for your cluster's public hostname. Azure DNS ensures that all requests to that domain name from your VNet resolve to the private endpoint's IP address instead of the cluster's IP address.
You need to create a single private Azure DNS zone for each VNet, even if you're connecting to multiple clusters. If you already created a DNS zone for this VNet, you can skip to step 6.
In the Azure portal, search for
Private DNS Zones.
Select Private DNS zone.
Select Create private DNS zone.
Create a private DNS zone using your organization's domain name as an apex domain. The organization's domain name must be unique to your BigAnimal organization. For example, use
Select the Virtual network link on the Private DNS Zone page of
brcxzr08qr7rbei1.biganimal.io, and link the private DNS Zone to the client VM's virtual network
Add a record for the private endpoint. The address is a private IP address, the one created with the private endpoint in the previous step.
You can now access your cluster with this private domain name.
You might need to flush your local DNS cache to resolve your domain name to the new private IP address after adding the private endpoint.