
I am trying to connect an application that is in a subnet sub_A to a PostgreSQL database that has a private endpoint in the subnet sub_B, and I still fail to do it.

I have done a lot of tries, and I am able to connect to the database from a VM in sub_B, so I expect that the issue comes from sub_A. Here is my configuration: on the database server I configured the VNet rules for sub_A and sub_B.

I configured both subnets with the service endpoint "Microsoft.Sql",

and when I try to connect to the database through the private endpoint I still get the error: FATAL: Client from Azure Virtual Networks is not allowed to access the server using Private IP. Please make sure your Virtual Network is correctly configured.

Can you help me and tell me what I missed?

1 Answer


In this case, make sure the DNS record is set correctly.

If you have an application hosted on App Service, you could enable VNet Integration, and you need to add the following app settings to work with Azure DNS Private Zones.

WEBSITE_DNS_SERVER with value 168.63.129.16
WEBSITE_VNET_ROUTE_ALL with value 1

If you have an application hosted on an Azure VM or VMs, you could compare the DNS records of VMs in subnet A with those in subnet B. From subnet A, you need to make sure you can resolve the PostgreSQL database FQDN to the private IP address. Network traffic between subnet A and subnet B should not be blocked.

For example, from subnet A, verify that the private link points to the PostgreSQL resource and the necessary resolution is happening.

C:\Users\azureadmin>nslookup demoprivatelinkserver.postgres.database.azure.com.
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    demoprivatelinkserver.postgres.database.azure.com
Address:  10.1.3.4

For more information, you could read this blog or let me know if you need further help.

Nancy
  • Hello, thanks for your answer, but there is no issue with the private DNS in both subnets; it is correctly resolved as a private IP on both sides, and I can open the socket on port 5432 from sub_A with telnet. But when I try to use psql or the Python wrapper for my app, the PostgreSQL server interrupts the connection with this error message – quentin ledoux Jan 11 '21 at 09:25
  • Do you have an application on an Azure VM in subnet A? Do subnet A and B have the same NSG configurations? How do you use psql or the Python wrapper for your app to connect to the PostgreSQL server? – Nancy Jan 11 '21 at 09:31
  • Can you connect to the database with the private endpoint IP address from sub_A using psql or the Python wrapper? – Nancy Jan 11 '21 at 09:42
  • No NSG configuration for either subnet. The application is running in an AKS pod, so to try it I just tried with ```psql -h mydb.privatelink.postgres.database.azure.com -U myuser@mydb db```. I can't connect to anything from subnet A, but from subnet B (where the private endpoint is located) I connect with no issue – quentin ledoux Jan 11 '21 at 10:02
  • What is the networking mode of your AKS pod? – Nancy Jan 13 '21 at 07:32
  • CNI with subnet A – quentin ledoux Jan 13 '21 at 10:57
  • If you remove the service endpoint "Microsoft.Sql" on both subnet A and B, what's the result? – Nancy Jan 26 '21 at 07:12
  • I tried, same problem. I am currently with Azure support to debug the issue :/ it's complicated. I'll post an answer or a comment when the issue is solved, to share, but it seems related to the private endpoint creation – quentin ledoux Jan 29 '21 at 09:35
  • @quentinledoux Have you got any solution to this? I am also facing the same issue. When we try to access Azure DB from a private function with the hostname, it fails to establish the connection, but it works if we replace the Azure DB hostname with the private IP. – mahendra rathod Dec 08 '21 at 16:43
  • Hello, no, sorry, no solution; we chose to secure the DB with the firewall to restrict connections to the subnet instead – quentin ledoux Dec 14 '21 at 08:40
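As an added example, not code from the question or the answer above, here is a small Python diagnostic that performs the two checks the answer recommends running from subnet A: resolve the server FQDN and confirm every returned address lies inside the private endpoint's VNet range, then test TCP reachability on 5432. The 10.1.0.0/16 range, the FQDN taken from the nslookup output, and the injectable resolver are assumptions; a TCP success only shows that routing and NSG/firewall rules allow the path, since the server can still reject the session at the PostgreSQL layer, as the FATAL message in the question shows.

```python
# Added example for this thread (not code from the question or the answer).
# Assumptions: the private endpoint lives in 10.1.0.0/16 and the server FQDN
# is the one from the nslookup output above; the resolver is injectable so the
# logic can be exercised offline with constructed records.
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve through the OS resolver (inside a VNet, Azure DNS 168.63.129.16)."""
    infos = socket.getaddrinfo(host, None, family=socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def check_resolution(host: str, expected_cidr: str,
                     resolve: Resolver = system_resolver) -> Dict[str, object]:
    """Report whether every address the FQDN resolves to lies inside the
    private endpoint's VNet range. Any address outside it means the client
    is still answered from the public zone, not the privatelink zone."""
    network = ipaddress.ip_network(expected_cidr)
    addresses = resolve(host)
    outside = [a for a in addresses if ipaddress.ip_address(a) not in network]
    return {
        "host": host,
        "addresses": addresses,
        "outside": outside,
        "private": bool(addresses) and not outside,
    }


def check_tcp(address: str, port: int = 5432, timeout: float = 3.0) -> Optional[str]:
    """Return None when a TCP connection succeeds, otherwise the OS error text.
    Reaching the port only proves routing and NSG/firewall rules allow the
    path; the server can still reject the session at the PostgreSQL layer."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return None
    except OSError as exc:
        return str(exc)


if __name__ == "__main__":
    fqdn = "demoprivatelinkserver.postgres.database.azure.com"
    report = check_resolution(fqdn, "10.1.0.0/16")
    print(report)
    for addr in report["addresses"]:
        print(addr, check_tcp(addr) or "tcp ok")
```

Run it from a pod or VM in subnet A and then from subnet B; a report whose "outside" list is non-empty from one side but empty from the other points at the DNS zone linkage rather than at the database firewall.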