Bringing your own private DNS

Review this documentation if you are planning to use a private setup for Azure Postgres with your own private DNS.

Requirements and limitations

The following limitations apply when using your own private DNS:

  • Only Azure’s private DNS zone is supported. Using an on-prem DNS is not supported.
  • The private DNS zone provided to CDP must have the name privatelink.postgres.database.azure.com in case of Flexible Server with Private Link and the name of the private DNS zone must ending with postgres.database.azure.com in case of Flexible Server with Delegated Subnet.
  • The private DNS zone must be in a subscription that is accessible to the service principal used by the CDP app-based credential; that is, the subscription where the private DNS zone is created must be in the same tenant where the service principal is located.

Prerequisites

When bringing your own private DNS, you should meet the following prerequisites:

Create a private DNS zone and link it to your VNet

If you choose to provide your own Azure private DNS zone then you should:

  1. Create a private DNS zone with a name ending with the name privatelink.postgres.database.azure.com in case of Flexible Server with Private Link or with a name ending with postgres.database.azure.com in case of Flexible Server with delegated subnet in any subscription accessible to the service principal used by the CDP app-based credential; that is, the subscription where the private DNS zone is created must be in the same tenant where the service principal is located.
    • In case of Flexible Server with Private Link, use the following Azure CLI command to create a private DNS zone:
      az network private-dns zone create \ 
       --name privatelink.postgres.database.azure.com \
       --resource-group <YOUR_DNS_RESOURCE_GROUP> \
       --subscription <YOUR_SUBSCRIPTION_FOR_DNS>
    • In case of Flexible Server with delegated subnet, use the following Azure CLI command to create a private DNS zone:
      az network private-dns zone create \ 
       --name flexible.postgres.database.azure.com \
       --resource-group <YOUR_DNS_RESOURCE_GROUP> \
       --subscription <YOUR_SUBSCRIPTION_FOR_DNS>
  2. Link it to the VNet that you are planning to use for the CDP environment. You can do this using the following Azure CLI command:
    az network private-dns link vnet create \
     --name <DESIRED_LINK_NAME> \
     --resource-group <YOUR_VNET_RESOURCE_GROUP> \
     --zone-name <PRIVATE_DNS_ZONE_NAME> \
     --virtual-network <YOUR_VNET_RESOURCE_ID> \
     --subscription <YOUR_VNET_SUBSCRIPTION>

Ensure that CDP has adequate permissions

Ensure that the role that you are using for the Azure credential has the permissions mentioned in Role definition 2: Allows CDP to use only a single existing resource group and create private endpoints.

Additionally, if your DNS zone is outside of the single resource group that you are planning to provide to CDP, the following additional permissions are required for the service principal to be able to discover, validate, and use the DNS zone (add and remove A records). These additional permissions need to be included in a separate role definition and assigned separately:

{
 "Name": "Cloudera Management Console Azure Operator for Using Private DNS Zones",
 "IsCustom": true,
 "Description": "Can list, validate and use private DNS zones",
 "Actions": [
 "Microsoft.Network/privateDnsZones/join/action",
 "Microsoft.Network/privateDnsZones/read",
 "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read"
 ],
 "NotActions": [],
 "DataActions": [
 ],
 "NotDataActions": [],
 "AssignableScopes": [
 "/subscriptions/{SUBSCRIPTION-ID}/resourcegroups/{RESOURCE-GROUP-NAME}"
 ]
 }

The placeholders in bold must be replaced with actual values:

  • {SUBSCRIPTION-ID} - The ID of the subscription where the DNS zone is located.

  • {RESOURCE-GROUP-NAME} - The name of the resource group where the DNS zone is located.