Connecting from Azure

Three different methods enable you to connect to your cluster from your application's virtual network in Azure. Each method offers different levels of accessibility and security. We recommend the Azure Private Endpoint method and it is the most commonly used.

While other methods for connecting your cluster from your application's virtual network in Azure are available, we strongly recommend using the Azure Private Endpoint method.

Azure Private Endpoint is a network interface that securely connects a private IP address from your Azure Virtual Network (VNet) to an external service. You grant access only to a single cluster instead of the entire BigAnimal resource virtual network, thus ensuring maximum network isolation. Other advantages include:

  • You need to configure the Private Link only once. Then you can use multiple Private Endpoints to connect applications from many different VNets.
  • There's no risk of IP address conflicts.

Private Endpoints are the same mechanism used by first-party Azure services such as CosmosDB for private VNet connectivity. For more information, see What is an Azure Private Endpoint?. Private Links (required by Private Endpoints) are not free, however. See Azure Private Link pricing for information on the costs associated with Private Links (required by Private Endpoints).

Note

If you setup a private endpoint and want to change to a public network, you must remove the private endpoint resources before making the change.

Private Endpoint example

This example shows how to connect your cluster using Azure Private Endpoint.

Assume that your cluster is on a subscription called development and is being accessed from a Linux client VM on another subscription called test with the following properties:

  • Cluster:
    • Subscription: development
    • Cluster ID: p-mckwlbakq5
    • Account ID: brcxzr08qr7rbei1
    • Organization's domain name: biganimal.io
  • Linux client VM called vm-client:
    • Subscription: test
    • Resource group: rg-client
    • Virtual network: vnet-client
    • Virtual network subnet: snet-client

Prerequisites

To walk through an example in your own environment, you need:

  • Your cluster URL. You can find the URL in the Connect tab of your cluster instance in the BigAnimal portal.

  • The IP address of your cluster. You can find the IP address of your cluster using the following command:

    dig +short p-mckwlbakq5.brcxzr08qr7rbei1.biganimal.io
    Output
    10.240.1.218
  • A Postgresql client, such as psql, installed on your client VM.

In this example, you create an Azure Private Link service in your cluster's resource group. You must perform this procedure for every cluster that you want to connect to in Azure.

  1. Get the resource group details from the Azure CLI or the Azure portal and note the resource group name. For example, if the cluster's virtual network is vnet-japaneast, use the following command:

    az network vnet list --query "[?name==\`vnet-japaneast\`].resourceGroup" -o json
    
  2. On the upper-left part of the page in the Azure portal, select Create a resource.

  3. In the Search the Marketplace box, search for Private Link.

  4. Select Create.

  5. Enter the details for the Azure Private Link. Use a unique name for the Azure Private Link.

    For example, p-mckwlbakq5-service-private-link, where p-mckwlbakq5 is the cluster ID.

  6. Enter the resource group name from step 1.

  7. In the Outbound settings page, select the kubernetes-internal load balancer and select the IP address of your cluster in the Load balancer frontend IP address field.

    You can get the IP address of your cluster with the following command:

    dig +short p-mckwlbakq5.brcxzr08qr7rbei1.biganimal.io
    Output
    10.240.1.218

    Outbound settings

  8. On the Access security page, configure the level of access for the private link service. See control service exposure for details.

    image21

    Note

    If the required access is not provided to the account or subscription accessing the cluster, you must manually approve the connection request from the Pending connections page in Private Link Center.

  1. After the private link service is created, note its alias. The alias is the unique ID for your private service, which you can share with the service consumers. Obtain the alias either from the Azure portal or by using the following CLI command:

    az network private-link-service list --query "[?name=='p-mckwlbakq5-service-private-link'].alias" -o tsv
    Output
    p-mckwlbakq5-service-private-link.48f26b42-45dc-4e80-8e3d-307d58d7d274.japaneast.azure.privatelinkservice
  2. Select Review + Create.

  3. Select Create.

Step 2: Create an Azure Private Endpoint in each client virtual network

In this example, you create an Azure Private Endpoint in your client VM's virtual network. After you create the private endpoint, you can use its private IP address to access the cluster. You must perform this procedure for every virtual network you want to connect from.

  1. On the upper-left side of the screen in the Azure portal, select Create a resource > Networking > Private Link, or in the search box enter Private Link.

  2. Select Create.

  3. In Private Link Center, select Private endpoints in the menu on the left.

  4. In Private endpoints, select Add.

  5. Enter the details for the private endpoint as shown in the following image. Use a unique name for the private endpoint.

    For example, enter vnet-client-private-pg-service, where vnet-client is the client VNet ID.

    Note

    In a later step, you need the private endpoint's name to get its private IP address.

    image12

  6. Connect the private endpoint to the private link service that you created by entering its alias.

  7. In the Configuration page, enter the client VM's Virtual Network vnet-client.

  8. Select Review + Create.

  9. Select Create.

    Note

    If the private endpoint's status appears as Pending, your account or subscription might not be authorized to access the private link service.

    To resolve this issue, the connection must be manually approved from the Pending connections page in Private Link Center, from the BigAnimal Azure subscription.

    image3

  1. You have successfully built a tunnel between your client VM's virtual network and the cluster. You can now access the cluster from the private endpoint in your client VM. The private endpoint's private IP address is associated with an independent virtual network NIC. Get the private endpoint's private IP address using the following commands:

    NICID=$(az network private-endpoint show -n vnet-client-private-pg-service -g rg-client --query "networkInterfaces[0].id" -o tsv)
    az network nic show -n ${NICID##*/} -g rg-client --query "ipConfigurations[0].privateIpAddress" -o tsv
    Output
    100.64.111.5
  2. From the client VM vm-client, access the cluster by using the private IP address:

    psql -h 100.64.111.5 -U edb_admin
    Output
    Password for user edb_admin : 
    
    psql (13.4 (Ubuntu 13.4-1.pgdg20.04+1), server 13.4.8 (Debian 13.4.8-1+deb10)) 
    WARNING : psql major version 13, server major version 13. Some psql features might not work. 
    SSL connection (protocol : TLSV1.3, cipher : TLS_AES_256_GCM_SHA384, bits : 256, compression : off) Type "help" for help. 
    
    edb_admin=>
    

Step 3: Create an Azure Private DNS Zone for the private endpoint

EDB strongly recommends using an Azure Private DNS Zone with the private endpoint to establish a connection with a cluster. You can't validate TLS certificates using verify-full when connecting to an IP address.

With a Private DNS Zone, you configure a DNS entry for your cluster's public hostname, and Azure DNS ensures that all requests to that domain name from your VNet resolve to the private endpoint's IP address instead of the cluster's IP address.

Note

You need to create a single Azure Private DNS Zone for each VNet, even if you are connecting to multiple clusters. If you've already created a DNS Zone for this VNet, you can skip to step 6.

  1. In the Azure portal search for Private DNS Zones.

  2. Select Private DNS zone.

  3. Select Create private DNS zone.

  4. Create a private DNS zone using your organization's domain name as an apex domain. The organization's domain name must be unique to your BigAnimal organization. For example, use biganimal.io.

    image6

  5. Select the Virtual network link on the Private DNS Zone page of brcxzr08qr7rbei1.biganimal.io and link the private DNS Zone to the client VM's virtual network vnet-client.

    image10

  6. Add a record for the private endpoint. The address is a private IP address—the one created with the private endpoint in the previous step.

  7. You can now access your cluster with this private domain name.

    dig +short p-mckwlbakq5.brcxzr08qr7rbei1.biganimal.io 
    psql -h p-mckwlbakq5.brcxzr08qr7rbei1.biganimal.io -U edb_admin
    Output
    10.240.1.123 
    Password for user edb_admin: 
    
    psql (13.4 (Ubuntu 13.4-1.pgdg28.84+1), server 13.4.8 (Debian 13.4.8-1+deb10)) 
    WARNING : psql major version 13, server major version 13. Some psql features might not work. 
    SSL connection (protocol : TLSV1.3cipherTLS_AES_256_GCM_SHA384, bits : 256, compression : off) Type "help" for help. 
    
    edb_admin=>
    
    Tip

    You might need to flush your local DNS cache to resolve your domain name to the new private IP address after adding the private endpoint. For example, on Ubuntu, run the following command:

    sudo systemd-resolve --flush-caches

Other methods