Private endpoint for Azure Postgres

By default CDP uses service endpoints, but you can select to use private endpoints instead. During environment registration you can optionally select the “Create Private Endpoint” option to use private endpoints instead of using a service endpoint. Currently, only one service or private endpoint is used, for Azure Postgres.

Azure Postgres service can be reached via the following two methods, both of which are designed to allow customers to restrict who connects to the Azure Postgres service:

  • Service endpoints (Created by default)

    • When a service endpoint is used, a database server must have a public IP address. This means the traffic is leaving their virtual network.

    • A service endpoint helps with the possibility of creating a firewall filter to allow connections only from the subnet explicitly linked to a given Postgres instance.

  • Private endpoints (Created instead of a service endpoint only if explicitly enabled)

    • A private endpoint makes it possible to connect to an Azure Postgres server instance over a private IP address from the VNet, always ensuring traffic stays within your VNet hence increasing security.

    • A private endpoint consists of a network interface using a private IP in the VNet, and a DNS service that will resolve the FQDN of a server to the private IP address.

For more general information, see Use Virtual Network service endpoints and rules for Azure Database for PostgreSQL - Single Server and Private Link for Azure Database for PostgreSQL-Single server.

Private DNS options

CDP supports using private endpoints with an existing private DNS zone that can be either pre-created and provided by you, or created by CDP.

When using a private endpoint for Azure Postgres, an Azure private DNS zone is used for the DNS service resolving the FQDN to the private IP. CDP offers two options. The DNS zone can be:

  • Created and managed entirely by CDP (you select “Create new private DNS zone” during environment registration), or

  • Created by you before registering an environment (you pre-create the DNS zone and select it during environment registration). You need to provide access for discovery, validation, and adding and removing DNS A records.

Private endpoints (with either of the two DNS options) can only be used with a single customer-provided resource group. They cannot be used with CDP-created multiple resource groups.

You can only use private endpoints with your own private DNS zone if you specify an existing VNet for the environment. If you choose that CDP creates a new VNet and enables private endpoints, CDP is going to manage the private DNS zone for you.

Depending on whether you prefer to bring your own DNS or have CDP create and manage it, refer to the following documentation: