PostgreSQL on Azure Permissions

Last updated 6 months ago

The setup for hosted PostgreSQL on Azure is the same as the general PostgreSQL setup, except for connection security to the instance. By default, all incoming traffic to a PostgreSQL instance is blocked, so no unsolicited connections can be made. This restriction is enforced directly at the VNET level.

The specific VNET configuration you will need depends largely on where the incoming connections to your database originate. A more detailed guide on how to set up the various types of connection security can be found here.

The most secure setup is the Private Endpoint approach described below.

IP Whitelisting

The simplest way to configure access to an SQL instance is to whitelist a static IP range. This will allow any request from within the defined IP range to access the SQL instance via the public endpoints. Please note that the request still requires a valid username and password for the given instance.

IP Whitelisting should only be used when the outbound requests come from a known range of IP addresses. If the IP range is dynamic, do not fall back to “0.0.0.0/0”: that range effectively grants access to the instance from anywhere in the world.

Virtual Network

An alternative approach for connecting services that use dynamic IP ranges is allowing connections originating from within a specific Virtual Network (and subnet) on Azure. You can still limit the address range to restrict the traffic, but this option is likely the most flexible.

One minor limitation is that the Virtual Network must be an Azure Virtual Network. It can, however, live in a different resource group, subscription, or even tenant.

The virtual network can be extended to allow traffic from outside Azure by using the Azure Gateway VPN solution. With this approach, you connect a local network to the cloud network through the Azure Gateway VPN, so traffic from anywhere in the world reaches the instance only inside an encrypted tunnel.

Private Endpoints

Enabling private endpoints is recommended as an additional layer of security. A private endpoint for an application is an API endpoint that is reachable only from within a specific subnet of a virtual network (VNET). When using private endpoints, you can completely shut off the public endpoint, exposing the instance only to your Azure infrastructure (or infrastructure within the VNET). This is the most secure setup, and it has the advantage of not relying on firewall rules to restrict public access to the instance.
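The two pitfalls described on this page (an "allow anything" whitelist rule, and a private endpoint whose public endpoint was never switched off) can be checked from an exported server configuration. The following audit script is an added example, not DNAstack code; its dict layout is modelled on the output of `az postgres flexible-server show` and `firewall-rule list`, but the field names and the sample data are assumptions.

```python
import ipaddress

# Azure represents "allow from anywhere" (the portal's 0.0.0.0/0 shortcut)
# as the inclusive range 0.0.0.0 - 255.255.255.255. Ranges larger than this
# many addresses are flagged as too broad for a static allow-list.
MAX_RANGE_HOSTS = 1024

# Constructed sample, modelled on `az postgres flexible-server show` and
# `firewall-rule list` output; the field names are assumptions.
SAMPLE_SERVER = {
    "name": "publisher-db",
    "network": {"publicNetworkAccess": "Enabled"},
    "privateEndpointConnections": [{"id": "<placeholder private endpoint id>"}],
}
SAMPLE_RULES = [
    {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
    {"name": "AllowAll_2024", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    {"name": "vendor", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.115.255"},
]


def range_size(start: str, end: str) -> int:
    """Number of IPv4 addresses in an inclusive start/end range."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if hi < lo:
        raise ValueError(f"end {end} precedes start {start}")
    return hi - lo + 1


def audit_firewall_rules(rules: list) -> list:
    """Flag firewall rules that open the public endpoint too widely."""
    findings = []
    for rule in rules:
        name, start, end = rule.get("name", "?"), rule["startIpAddress"], rule["endIpAddress"]
        if start == "0.0.0.0" and end == "255.255.255.255":
            findings.append(f"{name}: allows 0.0.0.0/0 (any address on the internet)")
        elif range_size(start, end) > MAX_RANGE_HOSTS:
            findings.append(f"{name}: range {start}-{end} covers {range_size(start, end)} addresses")
    return findings


def audit_server(server: dict, rules: list) -> list:
    """Firewall findings plus a check that a private endpoint is not undermined by a live public endpoint."""
    findings = audit_firewall_rules(rules)
    public = server.get("network", {}).get("publicNetworkAccess", "Enabled")
    if public != "Disabled" and server.get("privateEndpointConnections"):
        findings.append("private endpoint present but public access still Enabled")
    return findings
```

Running `audit_server(SAMPLE_SERVER, SAMPLE_RULES)` on the sample reports the allow-all rule, the oversized vendor range, and the public endpoint left enabled alongside the private one.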
