Connect to an Azure Private Link enabled PostgreSQL Cluster
Please note that by default, Instaclustr Azure Private Link Clusters are provisioned with RBAC visibility on the Azure Private Link Service. Instaclustr have identified an issue with Microsoft’s implementation of these RBAC controls whereby a user with no RBAC permissions on the Private Link Service can request a connection using the Private Link Service alias. The resulting connection is put into a Pending state and requires manual approval. Instaclustr have contacted Microsoft, and the issue is currently being addressed by their product team.
In the meantime, extra care should be taken to validate the origin of any connection requests requiring manual approval on the Private Link Service if you are using RBAC visibility. If you opt to use the approved subscriptions visibility setting, the correct validation is applied, and you will not be impacted by this issue.
If you have any questions or concerns, please reach out to [email protected]
This page describes the steps that need to be taken to connect PostgreSQL clients to an Azure Private Link enabled PostgreSQL cluster on the Instaclustr platform. Firstly, you need to ensure your users have visibility of the Private Link service. We support controlling visibility through Azure Role-based Access Control (RBAC) or via allow-listing specific subscriptions. Please refer to Azure Private Link for more details. Afterwards, you can create a Private Endpoint in your own Virtual Network to connect to the Private Link service. If Client-to-Cluster Encryption is enabled for the cluster, the DNS name of the Private Endpoint must also be included in the certificate as a Custom Subject Alternative Name. Once these steps are done, you can use the PostgreSQL client to connect to the PostgreSQL Azure Private Link cluster.
Prerequisite
You will need to have a running Azure Private Link enabled cluster on the Instaclustr Platform. Please refer to our support page on Creating a PostgreSQL cluster with Azure Private Link for guidance.
Manage the Azure Private Link service visibility
Before connecting to the Azure Private Link service, you need to ensure that your users have visibility of the Private Link service. By default, when a cluster is provisioned without any subscriptions specified, or if all subscriptions were removed, the Private Link Service is restricted by Role-based Access Control (RBAC) only. Alternatively, you can add subscriptions to the Private Link service allow list through the Instaclustr platform. All visibility and access control would then be restricted to those subscriptions, with automatic connection approval. Please refer to Azure Private Link for more details.
Set Up the Azure Private Endpoints
- In the Azure Portal, go to your Run In Your Own Account Resource Group → Create → Private Endpoint
- Enter Private Endpoint details
- Choose the Connection Method:
  - In the Resource section, choose Connect to an Azure resource by resource ID or alias
    - Go to Connection Info under your cluster’s name in the Instaclustr Console
    - Copy the Private Link Alias from this page
  - Alternatively, you can connect to an Azure resource in my directory
    - Choose the subscription that you added in the step above
    - Select Resource type “Microsoft.Network/privateLinkServices”
    - Search for the Resource by Data Centre Id, which you can get from the Instaclustr Console
      - Navigate to the Details page in the menu under your cluster’s name (as highlighted in the below screenshot)
      - Copy the Data Centre Id from this page.
  - Note: If you connect using an alias with Role-based Access Control, you must manually approve the Private Endpoint connection in the Azure Portal once it is created.
- In the Virtual Network section, choose the VNet and subnet where you want to deploy the Private Endpoint.
- You can keep the remaining settings as default or customize them based on your needs.
- Click Create to deploy the Private Endpoint.
- Check Connection Status:
  - After creation, verify that the connection status is marked as Approved on the Private Endpoint page.
  - If you connect using an alias with Role-based Access Control, the private endpoint connection status will be Pending and requires manual approval.
  - To approve it, in the Azure Portal top search box, paste the Data Centre Id you got from the Instaclustr Console. Click the Private link service in Resources.
  - On the Private Link service page, navigate to Settings -> Private endpoint connections from the menu on the left side.
  - From here, you can manually manage private endpoint connections.
Additional steps if Client to Cluster Encryption is enabled in the cluster
If Client to Cluster Encryption is enabled on the cluster, you must include the appropriate DNS name as a Custom Subject Alternative Name (SAN) in the service’s SSL/TLS certificate. This ensures that clients can securely connect to the Private Link service using the correct DNS resolution and avoid SSL handshake errors.
Configure DNS settings for Private Endpoint
To resolve the fully qualified domain name (FQDN) used in the connection string to the Private Endpoint IP address, please make sure that you have correctly configured DNS settings for the Private Endpoint. Below is an example of configuring your DNS settings for private endpoints via a Private DNS Zone:
- In the Azure Portal, go to the Resource Group (where you created the private endpoint) → Create → Private DNS Zone.
- Enter Private DNS Zone details and Create.
- Once it’s created:
  - Link it to the Virtual Network
    - Navigate to DNS Management -> Virtual Network Links from the menu on the left side, click Add on the page
    - On the Add page, select the subscription you added above, and the VNet where the Private Endpoint is
  - Add a Type A DNS record for the Private Endpoint private IP address
    - Navigate to DNS Management -> Recordsets, click Add on the page
    - Enter the DNS record name
    - Select “A – Address record” as Type
    - The IP address is the one assigned to the Private Endpoint
      - On the Private Endpoint overview page, navigate to Network Interface. From there, you can get the Private IP address for this Private Endpoint
Set Up the Custom Subject Alternative Names
Currently, a Custom Subject Alternative Name for PostgreSQL can only be added via the Terraform provider or the Instaclustr API. The Subject Alternative Name here is the DNS name that the Private Endpoint is associated with. For a Terraform provider request, subject alternative names must be provided as a list of strings in the data centre attributes. If using Instaclustr API provisioning, custom SANs need to be specified as an array of strings in the data centre settings.
Note: Updating a custom SAN requires a cluster reload. You can reload nodes via the Instaclustr Console or the Instaclustr API.
To reload nodes via Instaclustr Console, go to Operations page under your cluster’s name.
Click Reload on each of the nodes.
Wait until the status hits RUNNING. It might take 1-2 minutes for the updated certificate to get applied after the operation is finished.
Connect your client to access PostgreSQL cluster with Azure Private Link
Lastly, you can connect to the PostgreSQL cluster via the command line, C++, Java or Python. Please refer to Connect to a PostgreSQL Cluster for the general steps required. For a PostgreSQL cluster with Azure Private Link, there are several things that should be configured in addition to the general steps:
- You can connect to either the leader node or the replica nodes using different ports. Port 5432 is for read and write requests, which are routed to the leader node. Port 5433 is for read-only requests, which are routed to the replica nodes.
- You will need to provide the DNS name or the Azure Private Endpoint IP address as the host name to connect to. If client-to-cluster encryption is enabled, you must include the appropriate DNS name as a custom SAN in the service’s SSL/TLS certificate as described above, then use that DNS name as the host name to connect to the PostgreSQL cluster.
  - To get the Azure Private Endpoint IP address, go to the corresponding Azure Private Endpoint Overview page and click the Network Interface.
  - On the Network Interface page, copy the Private IPv4 address of the selected Network Interface to use for the connection.
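As an added illustration (not Instaclustr's code), the following Python builds the libpq connection string for the leader or replica port with certificate verification enabled, and checks, in the way sslmode=verify-full does during the handshake, that the Private Endpoint DNS name is present in the certificate's SAN list. The hostnames, database user and CA file path are placeholders.

```python
from ipaddress import ip_address
from typing import Mapping

LEADER_PORT = 5432   # read/write traffic, routed to the leader node
REPLICA_PORT = 5433  # read-only traffic, routed to replica nodes


def build_conninfo(host: str, dbname: str, user: str, rootcert: str,
                   read_only: bool = False) -> str:
    """Return a libpq key=value string for a Private Endpoint connection.

    sslmode=verify-full makes libpq require `host` in the server
    certificate's SAN, hence the custom SAN step above.
    """
    port = REPLICA_PORT if read_only else LEADER_PORT
    return (f"host={host} port={port} dbname={dbname} user={user} "
            f"sslmode=verify-full sslrootcert={rootcert}")


def hostname_in_san(cert: Mapping, hostname: str) -> bool:
    """Check an ssl.getpeercert()-style dict for `hostname` (DNS or IP SAN).

    Mirrors the name check verify-full performs; a name missing from the
    SAN list is what produces the handshake error mentioned above.
    A leading "*" is honoured only as a whole left-most label.
    """
    host = hostname.rstrip(".").lower()
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address" and ip is not None:
            if ip_address(value) == ip:
                return True
        elif kind == "DNS" and ip is None:
            pat = value.rstrip(".").lower()
            if pat == host:
                return True
            pl, hl = pat.split("."), host.split(".")
            if pl[0] == "*" and 1 < len(pl) == len(hl) and pl[1:] == hl[1:]:
                return True
    return False


# Constructed stand-in for ssl.getpeercert() output after the Private
# Endpoint name was added as a custom SAN and the nodes were reloaded.
# Hostnames are placeholders, not real Instaclustr or Azure names.
PE_HOST = "pg-private.privatelink.example.internal"
EXAMPLE_CERT = {
    "subjectAltName": (("DNS", "node-1.pg.example.internal"),
                       ("DNS", PE_HOST)),
}
```

The returned string can be passed directly to psql or psycopg2.connect(); a certificate that lacks the Private Endpoint name fails hostname_in_san just as the real connection would fail the handshake.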
Please contact Instaclustr Support for further assistance.