10

I can't connect from an Azure resource (AKS node) to Azure PostgreSQL using pgcli. I also tried directly from the node and got the same error message:

FATAL: Client from Azure Virtual Networks is not allowed to access the server. Please make sure your Virtual Network is correctly configured.

Firewall rules in the resource are on: Allow access to Azure services: ON

Running the same pgcli login command on my computer and on another azure resource seems to work fine.

Adding firewall rules for all IPs returns the same error.

Curl from the problematic server (host:5432) returns a reply, so it's not an outbound issue.

Amityo

3 Answers

6

What does the error mean?

The VM the connection originates from is deployed to a virtual network subnet where the Microsoft.Sql service endpoint is turned on. Per documentation:

If Microsoft.Sql is enabled in a subnet, it indicates that you only want to use VNet rules to connect. Non-VNet firewall rules of resources in that subnet will not work.

For the connection to succeed, a VNet rule must be added on the PostgreSQL side. At the time the question was asked, VNet Service Endpoints for Azure Database for PostgreSQL had just reached public preview, so I assume it might not have been available for the OP.

Solution

As of November 2020, Service Endpoints for Postgres is GA, and instead of disabling the service endpoint one can add the missing VNet rule to the PostgreSQL server instance and reference the service endpoint-enabled subnet. It can be done via the Portal or the Azure CLI.

Max Ivanov
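The Azure CLI route mentioned in this answer, written out as an added example (not code from the answer or from Microsoft): the script enables the Microsoft.Sql endpoint on the client subnet, creates the VNet rule on the PostgreSQL server, and lists the rules so the state can be checked. Resource group, VNet, subnet and server names are placeholders; setting AZ=echo prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example: clear the "Client from Azure Virtual Networks is not allowed"
# error by adding a VNet rule instead of disabling the service endpoint.
# All resource names are placeholders; set AZ=echo to print the commands only.
set -e

AZ="${AZ:-az}"

# 1. Ensure the client subnet (e.g. the AKS node subnet) has the Microsoft.Sql
#    service endpoint. Once it does, IP firewall rules and "Allow access to
#    Azure services" no longer apply to that subnet; only VNet rules do.
enable_sql_endpoint() {
  local rg="$1" vnet="$2" subnet="$3"
  "$AZ" network vnet subnet update \
    --resource-group "$rg" --vnet-name "$vnet" --name "$subnet" \
    --service-endpoints Microsoft.Sql
}

# 2. Add a VNet rule on the PostgreSQL server that references that subnet.
#    The rule name defaults to allow-<vnet>-<subnet> (a placeholder convention).
add_vnet_rule() {
  local rg="$1" server="$2" vnet="$3" subnet="$4"
  local rule="${5:-allow-${vnet}-${subnet}}"
  "$AZ" postgres server vnet-rule create \
    --resource-group "$rg" --server-name "$server" --name "$rule" \
    --vnet-name "$vnet" --subnet "$subnet"
}

# 3. Check the rule is present and in the Ready state before retrying pgcli.
list_vnet_rules() {
  local rg="$1" server="$2"
  "$AZ" postgres server vnet-rule list \
    --resource-group "$rg" --server-name "$server" \
    --query "[].{name:name,state:state,subnet:virtualNetworkSubnetId}" -o table
}

# Run the sequence only when the CLI (or the AZ override) is actually available.
if command -v "$AZ" >/dev/null 2>&1; then
  enable_sql_endpoint "my-rg" "aks-vnet" "aks-subnet"
  add_vnet_rule "my-rg" "my-pg-server" "aks-vnet" "aks-subnet"
  list_vnet_rules "my-rg" "my-pg-server"
fi
```

The subnet must be in the same region and subscription as the server; a rule whose subnet lacks the Microsoft.Sql endpoint will not reach the Ready state.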
4

Apparently, the VM is part of a VNet on which the Microsoft.Sql service endpoint was enabled.

I found this answer. To solve the problem I disabled the service endpoint and added the public IP to the Connection Security section.

Amityo

  • Please accept your own answer if the problem has been solved. That removes it from the list of unanswered questions. – ewramner Jun 07 '18 at 10:20
  • Not the right fix for this issue. Instead, as mentioned in this answer, the correct answer would be to add a VNet rule under "Connection security" -> "VNET Rules". The service endpoint should not be disabled -- it's a best practice to use it for secure connectivity. Routing over the public internet should be an option of last resort. Admittedly, the documentation could be clearer. I have filed this issue about this with Azure: https://github.com/MicrosoftDocs/azure-docs/issues/87056 – GuyPaddock Jan 27 '22 at 15:51
2

I encountered the same problem. All I did was switch Allow access to Azure services to ON.


Kostas Demiris

  • Azure Portal mentions this, but it's worth reiterating. Be aware that setting `Allow access to Azure services` to `ON` allows network access from all Azure subscriptions, not only yours. – Max Ivanov Nov 07 '20 at 01:19
  • Doesn't the question mention that "`Allow access to Azure services`" is already `ON`? – payne Oct 25 '21 at 13:33
  • Not the right fix for this issue. Instead, as mentioned in this answer, the correct answer would be to add a VNet rule under "Connection security" -> "VNET Rules". Alternatively, the OP could turn off the service endpoint in the VNet and then use the "Allow access to Azure services" option, but that's not nearly as secure. – GuyPaddock Jan 27 '22 at 15:50