Private Link based networking is now generally available in Azure PostgreSQL Flexible Server

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

PostgreSQL is a powerful, open-source object-relational database system with over 35 years of active development that has earned it a strong reputation for reliability, feature robustness, and performance.   The origins of PostgreSQL date back to 1986 as part of the POSTGRES project at the University of California at Berkeley and has more than 35 years of active development on the core platform. 


Private Link Support in PostgreSQL Flexible Server

Ever since Azure Database for PostgreSQL - Flexible Server went public years ago we have seen dramatic adoption with customers in number of industries that require secure private network access that provides flexibility, easy connectivity to other Azure services, as well as high security and isolation. To meet these customer needs, in November 2023, we announced support for Azure Private Link  for private networking with Azure Database for PostgreSQL - Flexible server in Public Preview, in addition to already existing networking capabilities provided by VNET injection


Today, we are proud to announce General Availability for Private Link based networking feature in Azure Database for PostgreSQL - Flexible Server in all public Azure regions where service is currently available. 

For tutorial on how to create Postgres Flexible Server with Private Link based networking see this doc.  

With Azure Private Link, traffic between your virtual network and the service navigates the Microsoft backbone network. Exposing your service to the public internet is no longer necessary. You can create your own private ink service in your virtual network and deliver it to your customers. Setup and consumption using Azure Private Link is consistent across Azure PaaS, customer-owned, and shared partner services.


Pic 1. Azure Private Link diagram


What are advantages and disadvantages of using Private Link based networking over VNET Injection with Azure Database for PostgreSQL - Flexible Server?

VNet injection is the virtual network integration pattern for services whose architecture is based on dedicated resources that can be deployed (aka “injected”) into the instance owner’s network. Until now it has been the only way to provide private networking for Azure PostgreSQL Flexible Server. It has certain advantages over other networking methodologies when it comes to security, isolation and technical simplicity. Well known advantages for deploying private networking with VNET injection include:

  • Security and isolation. Service is injected into customer VNET providing high isolation from internet-based traffic. It doesnt support public endpoint creation, nor any communication with public endpoints directly, adding to enhanced security footprint. 
  • Simplicity. VNET injection is a very simple architecture from customer's viewpoint fitting PaaS services very well.

At the same time, Private Link based networking has some advantages over VNET injection , such as:

  • No need to create separate delegated subnet for hosting Azure Flexible Server. Although, you can work around this issue and increased management overhead of the delegated subnet by hosting multiple PostgreSQL servers in a single subnet and if necessary, peering other VNETs where clients connecting to Postgres reside, many customers found that Private Link that doesn’t have such requirement fits their Azure VNET design better.
  • Cannot create public endpoint addressable by IP for servers in private networks with VNET injection today. Some of our customers required the ability for a server to be reachable from public and private networks via both private and public addressing at the same time. 
  • Complicated connectivity to other Azure services that are utilizing Private Link for networking.

If the above disadvantages of VNET injection are important to you, we recommend you use Private Link for your private networking with PostgreSQL Flexible Server, on the other hand, if network isolation and segmentation are paramount, VNET injection may present a better choice.


Since you are announcing GA for Private Link based networking for newly created servers, how can I add this feature to server created before GA announcement?

At this time, you can create Private Endpoints for servers created with public networking option after GA announcement or during our public preview for subscriptions that added a preview feature, as documented previously.  We are working on migration tooling that would allow older servers with public networking model to be capable of adding Private Endpoints with minimum effort and downtime. 


I have a server with NET injection-based networking that I want to migrate to Private Link based networking.  How can I do that?

Today, easiest way to do so is via point in time backup restore to another server. We  are working on migration tooling that would allow servers under VNET Injection networking model to be migrated to public networking model and capable of adding Private Endpoints with minimum effort and downtime. 

Where can I find more information on using Private Link based networking with Azure Postgres Flexible Server?

You can get more details on Private Link networking with PostgreSQL Flexible Server on our docs overview page, as well as follow how-to tutorial to add PostgreSQL Flexible Server to private network with Private Endpoint.

To learn more about our Flexible Server managed service, see the Azure Database for PostgreSQL service page. We’re always eager to hear customer feedback, so please reach out to us at Ask Azure DB for PostgreSQL.

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.