Bringing your own private DNS
Review this documentation if you are planning to use a private setup for Azure Postgres with your own private DNS.
Requirements and limitations
The following limitations apply when using your own private DNS:
- Only Azure’s private DNS zone is supported. Using an on-prem DNS is not supported.
- The private DNS zone provided to Cloudera must have the name privatelink.postgres.database.azure.com in case of Flexible Server with Private Link, and the name of the private DNS zone must end with postgres.database.azure.com in case of Flexible Server with Delegated Subnet.
- The private DNS zone must be in a subscription that is accessible to the service principal used by the Cloudera app-based credential; that is, the subscription where the private DNS zone is created must be in the same tenant where the service principal is located.
Prerequisites
When bringing your own private DNS, you should meet the following prerequisites:
Create a private DNS zone and link it to your VNet
If you choose to provide your own Azure private DNS zone then you should:
- Create a private DNS zone with the name privatelink.postgres.database.azure.com in case of Flexible Server with Private Link, or with a name ending with postgres.database.azure.com in case of Flexible Server with delegated subnet, in any subscription accessible to the service principal used by the Cloudera app-based credential; that is, the subscription where the private DNS zone is created must be in the same tenant where the service principal is located.
- In case of Flexible Server with Private Link, use the following Azure CLI command to create a private DNS zone:
  az network private-dns zone create \
    --name privatelink.postgres.database.azure.com \
    --resource-group <YOUR_DNS_RESOURCE_GROUP> \
    --subscription <YOUR_SUBSCRIPTION_FOR_DNS>
- In case of Flexible Server with delegated subnet, use the following Azure CLI command to create a private DNS zone, here with the name flexible.postgres.database.azure.com:
  az network private-dns zone create \
    --name flexible.postgres.database.azure.com \
    --resource-group <YOUR_DNS_RESOURCE_GROUP> \
    --subscription <YOUR_SUBSCRIPTION_FOR_DNS>
- Link it to the VNet that you are planning to use for the Cloudera environment. You can do this using the following Azure CLI command:
  az network private-dns link vnet create \
    --name <DESIRED_LINK_NAME> \
    --resource-group <YOUR_VNET_RESOURCE_GROUP> \
    --zone-name <PRIVATE_DNS_ZONE_NAME> \
    --virtual-network <YOUR_VNET_RESOURCE_ID> \
    --subscription <YOUR_VNET_SUBSCRIPTION>
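The zone-creation and linking steps above, as an added shell example that is not Cloudera's own tooling. It takes a MODE argument of either privatelink or delegated, checks the zone name against the naming rule for that mode before any Azure call, and only runs az when invoked with --apply, so the name check can be exercised offline. The link is created on the zone, so the example passes the zone's resource group and subscription to the link command (the DNS_RG and DNS_SUB arguments are placeholders you supply), disables auto-registration, and confirms the link reached the Completed state before the zone is handed to Cloudera.

```shell
#!/bin/sh
# Added example, not part of the Cloudera documentation: preflight and apply
# script for a bring-your-own private DNS zone. Assumptions: MODE is either
# "privatelink" (Flexible Server with Private Link) or "delegated" (Flexible
# Server with delegated subnet); the Azure CLI is only called when the script
# is invoked with "--apply", so the validation function can run offline.

# Return 0 when ZONE is an acceptable private DNS zone name for MODE:
# Private Link needs exactly privatelink.postgres.database.azure.com,
# delegated subnet needs any name ending with postgres.database.azure.com.
validate_zone_name() {
    mode="$1"
    zone="$2"
    case "$mode" in
        privatelink) [ "$zone" = "privatelink.postgres.database.azure.com" ] ;;
        delegated)
            case "$zone" in
                *postgres.database.azure.com) return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Create the zone in the DNS resource group and link it to the VNet. The link
# is a child of the zone, so it takes the zone's resource group and
# subscription; auto-registration is off because the zone only has to resolve
# the Postgres private endpoint, not register VNet machines.
create_and_link_zone() {
    mode="$1"; zone="$2"; dns_rg="$3"; dns_sub="$4"; vnet_id="$5"; link_name="$6"
    if ! validate_zone_name "$mode" "$zone"; then
        echo "zone name '$zone' is not valid for mode '$mode'" >&2
        return 1
    fi
    az network private-dns zone create \
        --name "$zone" \
        --resource-group "$dns_rg" \
        --subscription "$dns_sub"
    az network private-dns link vnet create \
        --name "$link_name" \
        --resource-group "$dns_rg" \
        --zone-name "$zone" \
        --virtual-network "$vnet_id" \
        --registration-enabled false \
        --subscription "$dns_sub"
    # Confirm the link finished before handing the zone to Cloudera.
    state=$(az network private-dns link vnet show \
        --name "$link_name" \
        --resource-group "$dns_rg" \
        --zone-name "$zone" \
        --subscription "$dns_sub" \
        --query virtualNetworkLinkState -o tsv)
    if [ "$state" != "Completed" ]; then
        echo "link state is '$state', expected Completed" >&2
        return 1
    fi
}

# Usage: ./byo-dns.sh --apply MODE ZONE DNS_RG DNS_SUB VNET_ID LINK_NAME
if [ "${1:-}" = "--apply" ]; then
    shift
    create_and_link_zone "$@"
fi
```

Run it without --apply to confirm the script parses; with --apply and the six placeholder arguments it creates and links the zone, and it refuses to call az at all when the name would fail the requirement for the chosen mode.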
Ensure that Cloudera has adequate permissions
Ensure that the role that you are using for the Azure credential has the permissions mentioned in Role definition 2: Allows Cloudera to use only a single existing resource group and create private endpoints.
Additionally, if your DNS zone is outside of the single resource group that you are planning to provide to Cloudera, the following additional permissions are required for the service principal to be able to discover, validate, and use the DNS zone (add and remove A records). These additional permissions need to be included in a separate role definition and assigned separately:
{
  "Name": "Cloudera Management Console Azure Operator for Using Private DNS Zones",
  "IsCustom": true,
  "Description": "Can list, validate and use private DNS zones",
  "Actions": [
    "Microsoft.Network/privateDnsZones/join/action",
    "Microsoft.Network/privateDnsZones/read",
    "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{SUBSCRIPTION-ID}/resourcegroups/{RESOURCE-GROUP-NAME}"
  ]
}
The placeholders must be replaced with actual values:
- {SUBSCRIPTION-ID} - The ID of the subscription where the DNS zone is located.
- {RESOURCE-GROUP-NAME} - The name of the resource group where the DNS zone is located.
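An added offline check for the role definition above, not part of the Cloudera documentation: it verifies that a role definition file lists the three privateDnsZones actions from the page and that its AssignableScopes entry is the resource group holding the DNS zone, so the role cannot be assigned more broadly than the zone requires. It needs only POSIX sh and grep; the subscription ID and resource group name it fills into the sample file are constructed values.

```shell
#!/bin/sh
# Added example, not part of the Cloudera documentation: offline check that a
# custom role definition file grants the privateDnsZones actions the page
# lists and is assignable only at the resource group that holds the DNS zone.
# Assumes only POSIX sh and grep; the subscription ID and resource group
# below are constructed sample values.

REQUIRED_ACTIONS="Microsoft.Network/privateDnsZones/join/action
Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsZones/virtualNetworkLinks/read"

# Print each required action absent from ROLE_FILE; return 1 if any is missing.
# The quotes in the pattern keep ".../read" from matching ".../virtualNetworkLinks/read".
missing_actions() {
    role_file="$1"
    rc=0
    for action in $REQUIRED_ACTIONS; do
        if ! grep -q -F "\"$action\"" "$role_file"; then
            echo "missing: $action"
            rc=1
        fi
    done
    return $rc
}

# Return 0 when ROLE_FILE's AssignableScopes contains the resource group scope
# for SUBSCRIPTION_ID / RESOURCE_GROUP (case-insensitive, as Azure treats
# "resourcegroups" and "resourceGroups" alike).
scope_matches() {
    role_file="$1"
    expected="/subscriptions/$2/resourcegroups/$3"
    grep -q -i -F "\"$expected\"" "$role_file"
}

# Return 0 only when both checks pass.
check_role_file() {
    missing_actions "$1" && scope_matches "$1" "$2" "$3"
}

# Constructed sample role file with the page's placeholders filled in.
SAMPLE_SUBSCRIPTION="00000000-0000-0000-0000-000000000000"
SAMPLE_RESOURCE_GROUP="dns-zone-rg"
ROLE_FILE=$(mktemp)
cat > "$ROLE_FILE" <<EOF
{
  "Name": "Cloudera Management Console Azure Operator for Using Private DNS Zones",
  "IsCustom": true,
  "Description": "Can list, validate and use private DNS zones",
  "Actions": [
    "Microsoft.Network/privateDnsZones/join/action",
    "Microsoft.Network/privateDnsZones/read",
    "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/$SAMPLE_SUBSCRIPTION/resourcegroups/$SAMPLE_RESOURCE_GROUP"
  ]
}
EOF

if check_role_file "$ROLE_FILE" "$SAMPLE_SUBSCRIPTION" "$SAMPLE_RESOURCE_GROUP"; then
    echo "role definition is complete and scoped to $SAMPLE_RESOURCE_GROUP"
else
    echo "role definition needs attention" >&2
fi
```

Point check_role_file at your own role file with the real subscription ID and resource group before creating the role; a scope mismatch usually means the role was written for the Cloudera resource group rather than the one where the DNS zone actually lives.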