Azure Private Link
Azure Private Link is a networking service that allows you to securely access Azure services over a private endpoint in your virtual network (VNet). The traffic between your virtual network and the service stays entirely within Microsoft’s private backbone network and never traverses the public internet. Please refer to Azure Private Link Overview for more information.
Visibility and Access Approval
Please note that by default, Instaclustr Azure Private Link Clusters are provisioned with RBAC visibility on the Azure Private Link Service. Instaclustr have identified an issue with Microsoft’s implementation of these RBAC controls whereby a user with no RBAC permissions on the Private Link Service can request a connection using the Private Link Service alias. The resulting connection is put into a Pending state and requires manual approval. Instaclustr have contacted Microsoft, and the issue is currently being addressed by their product team.
In the meantime, extra care should be taken to validate the origin of any connection requests requiring manual approval on the Private Link Service if you are using RBAC visibility. If you opt to use the approved subscriptions visibility setting, the correct validation is applied, and you will not be impacted by this issue.
If you have any questions or concerns, please reach out to [email protected]
By default, when the cluster is provisioned without any subscriptions specified, or if all subscriptions were later removed, the Private Link Service visibility is restricted by Role-based Access Control (RBAC) only. To connect in this mode, clients must provision a Private Endpoint using a user that has the corresponding permissions on both the location of the Private Endpoint and the Private Link Service. The user needs to have one of the following roles:
- Owner
- Contributor
- Network Contributor
Or you can create a custom role with the required permissions (refer to Azure RBAC permissions for Azure Private Link for more details). The user will require the following permissions:
- Permissions to create a Private Endpoint
- Permissions to have visibility of the Private Link Service
- (optional) Permissions to “Auto Approve” a connection to the Private Link Service
Depending on the role of the user and method of requesting a connection to the Private Link service, you may need to manually approve a connection from a Private Endpoint to Private Link Service through Azure Portal. Please note, Instaclustr is not involved in the management of these roles. It’s up to you to apply appropriate controls within your environment to ensure the security of your Private Link service under RBAC.
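Under RIYOA the Private Link Service sits in your own subscription, so vetting its Pending connection requests (the extra care described above) is your job. The following is an added example, not Instaclustr code: it takes the privateEndpointConnections array in the shape returned by `az network private-link-service show` (field names privateEndpoint.id and privateLinkServiceConnectionState.status are assumed from that output), reads the requesting endpoint's subscription out of its ARM resource ID, and marks a request for approval only when that subscription is on your own trusted list; anything else stays Pending for a human to check. All GUIDs are constructed placeholders.

```python
import json
import re
from typing import Dict, List, Optional, Set

# Subscriptions you trust to connect (constructed placeholder GUIDs, lowercase)
TRUSTED_SUBSCRIPTIONS: Set[str] = {"11111111-1111-1111-1111-111111111111"}

# Every ARM resource ID starts with /subscriptions/<guid>/...
_SUB_RE = re.compile(r"^/subscriptions/([0-9a-f-]{36})/", re.IGNORECASE)


def subscription_of(resource_id: str) -> Optional[str]:
    """Return the subscription GUID embedded in an ARM resource ID, or None."""
    m = _SUB_RE.match(resource_id)
    return m.group(1).lower() if m else None


def triage(connections: List[dict], trusted: Set[str]) -> Dict[str, str]:
    """Map each Pending connection name to 'approve' or 'review'.

    Connections already Approved/Rejected are skipped; a request whose
    private endpoint lives in an unknown subscription is never auto-approved.
    """
    decisions: Dict[str, str] = {}
    for conn in connections:
        state = conn.get("privateLinkServiceConnectionState", {}).get("status")
        if state != "Pending":
            continue
        pe_id = conn.get("privateEndpoint", {}).get("id", "")
        sub = subscription_of(pe_id)
        decisions[conn["name"]] = "approve" if sub in trusted else "review"
    return decisions


# Constructed sample mimicking the CLI's privateEndpointConnections array.
SAMPLE = json.loads("""[
 {"name": "pe-app-1",
  "privateEndpoint": {"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app/providers/Microsoft.Network/privateEndpoints/pe-app-1"},
  "privateLinkServiceConnectionState": {"status": "Pending"}},
 {"name": "pe-unknown",
  "privateEndpoint": {"id": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-x/providers/Microsoft.Network/privateEndpoints/pe-unknown"},
  "privateLinkServiceConnectionState": {"status": "Pending"}},
 {"name": "pe-old",
  "privateEndpoint": {"id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app/providers/Microsoft.Network/privateEndpoints/pe-old"},
  "privateLinkServiceConnectionState": {"status": "Approved"}}
]""")

if __name__ == "__main__":
    for name, decision in triage(SAMPLE, TRUSTED_SUBSCRIPTIONS).items():
        print(f"{name}: {decision}")
```

The actual approval is a separate step (for example `az network private-link-service connection update --connection-status Approved` against the connection name); this script only decides which requests qualify.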
Alternatively, you can add subscriptions to the Private Link service allow list through the Instaclustr platform. All visibility and access control is then restricted to the listed subscriptions, and connections from them are approved automatically. Please note: you are only allowed to add or delete one subscription at a time. If a subscription has failed to be added, you have to delete it before trying to add it again. Here are 3 ways to add allowed subscriptions to a PostgreSQL cluster in the Instaclustr platform:
- Add subscriptions via Instaclustr Console:
- In Instaclustr Console, navigate to the Azure Private Link page in the menu under your cluster’s name (as highlighted in the below screenshot)
- Go to the Add New Subscription section and enter the Azure Subscription Id that you trust. After clicking the ‘Add Azure Subscription’ button, the add subscription request is sent to the backend and the subscription status is GENESIS. Once the status reaches RUNNING, that subscription has visibility of the Private Link service and connection requests from it are approved automatically. When a delete operation is triggered, the subscription status changes to DELETING.
- Add Subscription via Instaclustr API or Terraform Provider V2
- Alternatively, you can add a subscription to a PostgreSQL cluster with Azure Private Link via the REST endpoints or the Terraform Provider. Please refer to the Provisioning API documentation and Terraform documentation for more details. To set up the Terraform Provider in your environment, follow the steps in Using the Instaclustr Terraform Provider.
Prerequisites
- Azure Virtual Network: clients must be deployed within an Azure VNet.
- Azure Private Endpoint: A private endpoint is required to connect to the Private Link service. Refer to Azure Private Endpoint Overview for more details.
- Private Network Cluster: The cluster must be configured as a private network cluster.
Limitations
- Azure Private Link is currently only supported with Run In Your Own Account (RIYOA).
- Clusters must be Private Network Clusters.
- PostgreSQL clusters with Azure Private Link only support a single Data Centre.
For more details about how Azure Private Link works with a PostgreSQL cluster, please refer to How Clients Connect to a PostgreSQL Cluster Using Azure Private Link connection.
Please contact Instaclustr Support for further assistance.