Introducing Private Link based networking with Azure Database for PostgreSQL – Flexible Server
Published Nov 15 2023 08:00 AM
Microsoft

Today we are proud to announce support for Azure Private Link for private networking with Azure Database for PostgreSQL - Flexible Server in Public Preview, in addition to the already existing networking capabilities provided by VNet injection. This has been a widely requested feature from our customers and adds security and flexibility to the networking stack of PostgreSQL Flexible Server.

 

With Azure Private Link, traffic between your virtual network and the service travels over the Microsoft backbone network, so exposing the service to the public internet is no longer necessary. You can also create your own Private Link service in your virtual network and deliver it to your customers. Setup and consumption using Azure Private Link is consistent across Azure PaaS, customer-owned, and shared partner services.

Pic 1. Private Endpoint Network Diagram

 

What are the benefits of Azure Private Link?

 

Azure Private Link has become the most popular network architecture for services due to the following advantages:

  • Privately access services on the Azure platform: Connect your virtual network using private endpoints to all services that can be used as application components in Azure. Service providers can expose their services from their own virtual network and consumers can access those services from their local virtual network. The Private Link platform handles the connectivity between the consumer and the service over the Azure backbone network.

  • On-premises and peered networks: Access services running in Azure from on-premises over ExpressRoute private peering, VPN tunnels, and peered virtual networks using private endpoints. There's no need to configure ExpressRoute Microsoft peering or traverse the internet to reach the service. Private Link provides a secure way to migrate workloads to Azure.

  • Protection against data leakage: A private endpoint is mapped to an instance of a PaaS resource instead of the entire service. Consumers can only connect to the specific resource. Access to any other resource in the service is blocked. This mechanism provides protection against data leakage risks.

  • Global Reach: Connect privately to services running in other regions. The consumer's virtual network could be in region A and it can connect to services behind Private Link in region B.

Why would I choose Private Link over VNET Injection for private networking with Flexible Server?

 

VNet injection is the virtual network integration pattern for services whose architecture is based on dedicated resources that can be deployed ("injected") into the instance owner's network. Until now it has been the only way to provide private networking for Azure Database for PostgreSQL Flexible Server. It has advantages over other networking methods in security, isolation and technical simplicity. However, our customers also noted certain disadvantages:

  • Need to create a separate delegated subnet for hosting Flexible Server. You can reduce the management overhead of the delegated subnet by hosting multiple PostgreSQL servers in a single subnet and, if necessary, peering the VNets where the connecting clients reside, but many customers found that Private Link, which has no such requirement, fits their Azure VNet design better.

  • Cannot create a public IP address for servers in private networks. Some of our customers required a server to be reachable from both public and private networks, via public and private addressing respectively.

  • Complicated connectivity to other Azure services that use Private Link for networking.

If the disadvantages above matter to you, we recommend Private Link for private networking with PostgreSQL Flexible Server. If network isolation and segmentation are paramount, VNet injection may be the better choice. Note that, unlike VNet injection, Private Link does not by itself remove the server's public endpoint: if you do not need public connectivity, disable public network access (or leave the firewall rule list empty) so that the private endpoint is the only path to the server.

 

How does Private Link work to network with Azure Database for PostgreSQL – Flexible Server?

Private Link is exposed to users through two Azure resource types:

  • Private Endpoints (Microsoft.Network/PrivateEndpoints)
  • Private Link Services (Microsoft.Network/PrivateLinkServices)

With PostgreSQL Flexible Server you use Private Link through a Private Endpoint.

A private endpoint adds a network interface in your VNet (Virtual Network), with a private IP address allocated from one of its subnets, and maps that interface to your Flexible Server instance. Once applied, clients in the virtual network communicate with the server over that private address; if public network access remains enabled, the public endpoint is still reachable as well. For a list of PaaS services that support Private Link, review the Private Link documentation. The same server instance can be referenced by multiple private endpoints in different VNets/subnets.

When you use private endpoints, traffic is secured to a private-link resource. The platform validates network connections, allowing only those that reach the specified private-link resource. To access more sub-resources within the same Azure service, more private endpoints with corresponding targets are required; for Flexible Server the sub-resource (group ID) selected when creating the endpoint is postgresqlServer.

 

Do Private Endpoints work with Network Security Groups?

 

Private endpoints support network policies. Network policies enable support for Network Security Groups (NSG), User Defined Routes (UDR), and Application Security Groups (ASG). Note that NSG rules are only evaluated for a private endpoint when private endpoint network policies are enabled on the subnet that hosts it (the subnet's privateEndpointNetworkPolicies setting); if that setting is Disabled, an NSG attached to the subnet does not filter traffic to the endpoint. For more information about enabling network policies for a private endpoint, see Manage network policies for private endpoints. To use an ASG with a private endpoint, see Configure an application security group (ASG) with a private endpoint.

 

How does Private Link based networking interact with DNS?

 

When using a private endpoint, you still connect to the same Azure service name, but that name must resolve to the private endpoint's IP address. The private endpoint connection therefore requires separate DNS settings that resolve the resource name to the private IP. Private DNS zones provide domain name resolution within a virtual network without a custom DNS solution. You link the private DNS zone to each virtual network that needs to resolve the private address; clients outside the linked VNets (on-premises, for example) must forward queries for the zone to a DNS forwarder running inside a linked VNet.

Private DNS zones use a separate zone name for each Azure service. For PostgreSQL Flexible Server the zone name is privatelink.postgres.database.azure.com. If you use that recommended zone name, the private endpoint's private DNS zone configuration (the A record for the server's private address) is generated automatically. A quick check from a client in the VNet: the server name should resolve, via a CNAME into the privatelink zone, to the private IP of the endpoint; if it resolves to a public address, the zone is not linked to (or not reachable from) that client's network.
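The resolution check described above, as an added example that is not part of the original post or of Microsoft's tooling. It models two DNS "views" of the same server name: what a client in a VNet linked to the private DNS zone sees, and what a client whose resolver is not linked or forwarded sees. The server name pg-demo, the VNet prefix 10.20.0.0/16, the endpoint address 10.20.1.4 and the public address 203.0.113.10 are constructed for illustration; the zone name privatelink.postgres.database.azure.com is the one named in the text.

```python
"""Verify that a Flexible Server name resolves through the Private Link DNS
zone to a private endpoint address inside the client VNet.

Added example; not code from the original post. Server name, VNet prefix,
IP addresses and DNS answers are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRIVATELINK_ZONE = "privatelink.postgres.database.azure.com"

# A DNS "view" maps an owner name to one record: ("CNAME", target) or ("A", ip).
DnsView = Dict[str, Tuple[str, str]]

SERVER = "pg-demo.postgres.database.azure.com"   # constructed server name
VNET_PREFIXES = ["10.20.0.0/16"]                   # constructed VNet address space

# View from a VNet linked to the private DNS zone: the public name CNAMEs into
# the privatelink zone, and the linked zone answers with the endpoint's NIC IP.
PRIVATE_VIEW: DnsView = {
    SERVER: ("CNAME", "pg-demo." + PRIVATELINK_ZONE),
    "pg-demo." + PRIVATELINK_ZONE: ("A", "10.20.1.4"),
}

# View from a network where the zone is NOT linked (or an on-premises resolver
# is not forwarding the zone): same CNAME, but Azure public DNS answers the
# privatelink name with the server's public address.
PUBLIC_VIEW: DnsView = {
    SERVER: ("CNAME", "pg-demo." + PRIVATELINK_ZONE),
    "pg-demo." + PRIVATELINK_ZONE: ("A", "203.0.113.10"),
}


@dataclass
class Verdict:
    private: bool            # True if traffic would enter via the private endpoint
    reason: str
    address: Optional[str] = None


def follow_chain(fqdn: str, view: DnsView, max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Follow CNAMEs from fqdn in the view; return (names visited, final A address or None)."""
    chain, name = [fqdn], fqdn
    for _ in range(max_hops):
        rr = view.get(name)
        if rr is None:
            return chain, None
        rtype, value = rr
        if rtype == "A":
            return chain, value
        if rtype != "CNAME":
            return chain, None
        name = value
        chain.append(name)
    return chain, None  # CNAME loop or chain too long


def check_private_resolution(fqdn: str, view: DnsView, vnet_prefixes: List[str]) -> Verdict:
    """Classify how fqdn resolves relative to the private endpoint."""
    chain, ip = follow_chain(fqdn, view)
    if ip is None:
        return Verdict(False, "no address reached (chain: " + " -> ".join(chain) + ")")
    addr = ipaddress.ip_address(ip)
    via_privatelink = any(n.endswith("." + PRIVATELINK_ZONE) for n in chain)
    in_vnet = any(addr in ipaddress.ip_network(p) for p in vnet_prefixes)
    if in_vnet and via_privatelink:
        return Verdict(True, "privatelink zone answered with a VNet address: traffic uses the private endpoint", ip)
    if in_vnet:
        return Verdict(True, "VNet address without a privatelink CNAME (VNet-injected server or custom record)", ip)
    if via_privatelink:
        return Verdict(False, "privatelink name resolved to a public address: the private DNS zone is not "
                              "linked to this VNet or not reachable from this resolver", ip)
    return Verdict(False, "public resolution: no private endpoint path for this name", ip)


if __name__ == "__main__":
    for label, view in (("linked VNet", PRIVATE_VIEW), ("unlinked / on-prem", PUBLIC_VIEW)):
        v = check_private_resolution(SERVER, view, VNET_PREFIXES)
        print(f"{label:20} private={v.private} addr={v.address} ({v.reason})")
```

To run this against a real deployment, replace the constructed views with the records returned by the client's resolver (for example from `nslookup` or `dig` run on a VM in the VNet) and set VNET_PREFIXES to the VNet's address space; the "privatelink name resolved to a public address" verdict is the symptom of a missing zone link or DNS forwarder, and with public network access still enabled that client would silently connect over the internet instead of the private endpoint.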

 

Where can I find more information on using Private Link based networking with Azure Postgres Flexible Server in Preview?

You can get more details on Private Link networking with PostgreSQL Flexible Server on our docs overview page, as well as in the how-to tutorial for adding PostgreSQL Flexible Server to a private network with a Private Endpoint.

To learn more about our Flexible Server managed service, see the Azure Database for PostgreSQL service page. We’re always eager to hear customer feedback, so please reach out to us at Ask Azure DB for PostgreSQL.

Last update: Nov 15 2023 09:20 AM