Enabling a private endpoint for Azure Postgres

By default CDP uses service endpoints, but you can select to use private endpoints instead. During environment registration you can optionally select the “Create Private Endpoint” option to use private endpoints instead of using a service endpoint. Currently, only one service or private endpoint is used, for Azure Postgres.

The endpoint type - either service or private endpoints - and whether to use your own private DNS zones or have CDP create them are decided at environment creation. All services capable of that endpoint type will use the selected endpoint type - this currently means only the Postgres server.

By default service endpoints are used, and in order to use private endpoints the user has to explicitly enable the “Create Private Endpoints“ option from either the CDP UI or CDP CLI. There is no option to not use either. Once you have turned on private endpoints then you can specify your own private DNS zone if you wish.

Prerequisites

You should also decide if you would like to use your own Azure private DNS zone or have CDP create an Azure private DNS zone for you, and meet the related prerequisites. Review the requirements described in Private endpoint for Azure Postgres.

Enabling private endpoints

You can enable private endpoints and select to use a CDP-managed Azure private DNS zone or your own Azure private DNS zone during Azure environment registration in the Management Console.

Required role: EnvironmentCreator

Steps

CDP UI
CDP CLI

When registering an environment specify the following:

In the Resource group section, select to use your pre-created resource group.
In the Network section of the register environment wizard, enable the "Create Private Endpoints" option.
A new drop down option appears. You have two options:
1. Select an existing private DNS zone.
2. If you would like CDP to create the private DNS zone, select “Create new private DNS zone”.
Provide other Azure environment parameters as usual and complete environment registration.

The parameter createPrivateEndpoints defines that Azure Postgres will be configured with a Private Endpoint and a Private DNS Zone. When this option is disabled, Azure Service Endpoints are created. This option is disabled by default, so Azure Service Endpoints are used by default.

This is how to specify this via CDP CLI when running the

cdp environments
              create-azure-environment

command:

--create-private-endpoints
--no-create-private-endpoints

If you would like to specify your own Azure private DNS zone, you should additionally include the databasePrivateDnsZoneId as part of existing-network-params:

--existing-network-params networkId=<NETWORK_ID>,resourceGroupName=<NETWORK_RG_NAME>,subnetIds=<SUBNET_1>,<SUBNET_2>,databasePrivateDnsZoneId=<PRIVATE_DNS_ZONE_RESOURCE_ID>

The <PRIVATE_DNS_ZONE_RESOURCE_ID> that you need to provide should look similar to:

/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.Network/privateDnsZones/privatelink.postgres.database.azure.com

For example:

/subscriptions/a9a10f9c-5323-4fd2-8s14-747b2d68784c/resourceGroups/my-resource-group/providers/Microsoft.Network/privateDnsZones/contoso.com