Private setup for Azure Flexible Server
When CDP creates an Azure Database for PostgreSQL - Flexible Server instance, you must choose one of two networking options: Private access (VNet integration) or Public access (allowed IP addresses). Public access is the default.
For more general information, see Networking overview for Azure Database for PostgreSQL - Flexible Server with private access (VNET Integration) and Networking overview for Azure Database for PostgreSQL - Flexible Server with public access (allowed IP addresses).
To use Flexible Server in private access mode, you must delegate a subnet to it as described below. When deployed in private access mode (with no public endpoint), Flexible Server instances must be placed in a delegated subnet within the VNet.
As the Azure documentation states, private access with VNet integration requires that a subnet first be delegated to Microsoft.DBforPostgreSQL/flexibleServers. The delegation means that only Azure Database for PostgreSQL Flexible Servers can use that subnet; no other Azure resource type can be placed in it.
You must create such a delegated subnet and provide it to CDP during environment registration. By default, the delegated subnet provided during environment registration is used for all Azure Database for PostgreSQL instances that CDP creates.
Creating a delegated subnet
The Microsoft.Storage service endpoint is set on the subnet automatically by Azure during deployment.
After the subnet has been delegated, record the full subnet ID or the name of the subnet for later use as an input (referred to as <delegated-subnet-id>). For example:
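The delegation and service-endpoint requirements above are easy to get wrong and cheap to verify before the subnet ID is handed to CDP. The following Python is an added example, not part of this page and not CDP or Azure code. It assumes the JSON layout returned by `az network vnet subnet show` (fields `id`, `delegations[].serviceName` and `serviceEndpoints[].service`); the two sample subnet documents embedded in it are constructed, not captured from a real subscription, and the placeholder subscription ID is not real. The `az` command lines it emits use the `--delegations` and `--service-endpoints` flags of `az network vnet subnet create`; confirm them against `az network vnet subnet create --help` for your CLI version.

```python
"""Pre-registration check for a CDP delegated subnet (added example, not CDP code)."""
import re

REQUIRED_DELEGATION = "Microsoft.DBforPostgreSQL/flexibleServers"
REQUIRED_ENDPOINT = "Microsoft.Storage"

# Shape of a full Azure subnet resource ID. Azure sometimes returns the
# "resourceGroups" segment in lower case, hence IGNORECASE.
SUBNET_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[0-9a-f-]{36})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.Network/virtualNetworks/(?P<vnet>[^/]+)"
    r"/subnets/(?P<subnet>[^/]+)$",
    re.IGNORECASE,
)

# Constructed sample: what a correctly delegated subnet looks like.
SAMPLE_GOOD = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cdp-rg"
          "/providers/Microsoft.Network/virtualNetworks/cdp-vnet/subnets/pg-delegated",
    "name": "pg-delegated",
    "addressPrefix": "10.0.2.0/24",
    "delegations": [{"name": "pg", "serviceName": REQUIRED_DELEGATION}],
    "serviceEndpoints": [{"service": REQUIRED_ENDPOINT, "locations": ["westeurope"]}],
}

# Constructed sample: a subnet delegated to the wrong service and lacking the
# storage endpoint, i.e. one that must not be passed as <delegated-subnet-id>.
SAMPLE_BAD = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cdp-rg"
          "/providers/Microsoft.Network/virtualNetworks/cdp-vnet/subnets/app-subnet",
    "name": "app-subnet",
    "addressPrefix": "10.0.3.0/24",
    "delegations": [{"name": "web", "serviceName": "Microsoft.Web/serverFarms"}],
    "serviceEndpoints": [],
}


def parse_subnet_id(subnet_id):
    """Split a full subnet resource ID into its parts; raise if malformed."""
    match = SUBNET_ID_RE.match(subnet_id)
    if not match:
        raise ValueError(f"not a subnet resource ID: {subnet_id!r}")
    return match.groupdict()


def check_subnet(subnet):
    """Return the list of problems that make `subnet` unusable as <delegated-subnet-id>.

    An empty list means the subnet is delegated to Flexible Server only, carries
    the Microsoft.Storage service endpoint, and has a well-formed resource ID.
    """
    problems = []
    delegations = [d.get("serviceName") for d in subnet.get("delegations", [])]
    if REQUIRED_DELEGATION not in delegations:
        problems.append(f"missing delegation to {REQUIRED_DELEGATION}")
    # A delegated subnet is exclusive: any other delegation means other
    # resource types can land in it, which the Flexible Server setup forbids.
    other = [d for d in delegations if d != REQUIRED_DELEGATION]
    if other:
        problems.append(f"delegated to other services as well: {other}")
    endpoints = [e.get("service") for e in subnet.get("serviceEndpoints", [])]
    if REQUIRED_ENDPOINT not in endpoints:
        problems.append(f"missing {REQUIRED_ENDPOINT} service endpoint")
    try:
        parse_subnet_id(subnet.get("id", ""))
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def az_commands(resource_group, vnet, subnet, prefix):
    """Return the az CLI lines that create the delegated subnet and print its ID.

    The flag names are assumed from the az CLI reference; they are returned as
    strings rather than executed so the check stays offline.
    """
    common = f"--resource-group {resource_group} --vnet-name {vnet} --name {subnet}"
    return [
        f"az network vnet subnet create {common} --address-prefixes {prefix} "
        f"--delegations {REQUIRED_DELEGATION} --service-endpoints {REQUIRED_ENDPOINT}",
        f"az network vnet subnet show {common} --query id -o tsv",
    ]


if __name__ == "__main__":
    for label, doc in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_subnet(doc) or "ok")
    print("\n".join(az_commands("cdp-rg", "cdp-vnet", "pg-delegated", "10.0.2.0/24")))
```

Run `az network vnet subnet show ... -o json`, load the output with `json.load`, and pass the dictionary to `check_subnet`; only when it returns an empty list is the `id` field safe to supply as <delegated-subnet-id>.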
Private DNS options
In a VNet integration based private setup, an Azure private DNS zone resolves the Flexible Server FQDN to its private IP address. CDP supports two options for this zone. The DNS zone can be:
Created and managed entirely by CDP (You select “Create new private DNS zone” during environment registration), or
Created by you before registering an environment (you pre-create the DNS zone and select it during environment registration). In this case you must grant CDP access to discover and validate the zone and to add and remove DNS A records in it.
Private setup (with either of the two DNS options) can only be used with a single customer-provided resource group. It cannot be used with CDP-created multiple resource groups.
Depending on whether you prefer to bring your own DNS or have CDP create and manage it, refer to the following documentation: