2

Trying to figure out how to best give my AKS cluster access to a Postgres database in Azure.

This is how I create the cluster:

az group create \
  --name $RESOURCE_GROUP \
  --location $LOCATION

az aks create \
  --resource-group $RESOURCE_GROUP \
  --name $CLUSTER_NAME \
  --node-vm-size Standard_DS2_v2 \
  --node-count 1 \
  --enable-addons monitoring \
  --enable-managed-identity \
  --generate-ssh-keys \
  --kubernetes-version 1.19.6 \
  --attach-acr $ACR_NAME \
  --location $LOCATION

This will automatically create a VNet with a subnet that the node pool uses.

The following works:

  1. Find the VNet resource in Azure
  2. Go to "subnets" -> select the subnet -> Choose "Microsoft.SQL" under "Services". Save
  3. Find the Postgres resource in Azure
  4. Go to "Connection Security" -> Add existing virtual network -> Select the AKS VNet subnet. Save

So I have two questions:

  1. Is it recommended to "fiddle" with the VNet subnet automatically created by az aks create? I.e adding the service endpoint for Micrsoft.SQL
  2. If it's ok, how can I accomplish the same using Azure CLI only? The problem I have is how to figure out the id of the subnet (based on what az aks create returns)
Joel
  • 8,502
  • 11
  • 66
  • 115
  • you could just create the VNET and subnet beforehand. Then you can apply all the settings you want to it – silent Feb 08 '21 at 18:00
  • @silent Yes, I was looking into that, but I couldn't find any clear examples on what that entails. Seems like just adding `--vnet-subnet-id` to `az aks create` isn't enough? – Joel Feb 09 '21 at 06:24
  • 1
    Correct. That’s all – silent Feb 09 '21 at 06:47
  • That is not necessarily all. You won't be able to use managed identity with a BYO vnet + subnet situation. You will need to manually handle the service principal and create it before hand – lukejkw Feb 10 '22 at 17:49
  • The best would be to use Flexible Server for Postgres. Then you can dedicate a subnet in your VNET to Postgres Flexi, and automatically create Flexible server in that VNET. You can also have a dedicated VNET to just Postgres and bridge the 2 VNETs for access to each other. – Cninroh Jun 13 '22 at 22:23

0 Answers0