PostgreSQL on Azure Permissions

The setup for hosted PostgreSQL on Azure is the same as the general PostgreSQL setup, except for connection security to the instance. By default, all incoming traffic is blocked to a postgres instance, thus ensuring that no unsolicited connections are made. This restriction is made directly at the VNET level.

The specific VNET configuration you will need will largely depend on where the incoming connections to your database are coming from. A more detailed guide on how to set up the various types of connection security can be found here.

The most secure setup would be the Private Endpoint.

IP Whitelisting

The simplest way to configure access to an SQL instance is to whitelist a static IP range. This will allow any request from within the defined IP range to access the SQL instance via the public endpoints. Please note that the request still requires a valid username and password for the given instance.

IP Whitelisting should only be used when the outbound request is coming from a known range of IP addresses. If the IP range is dynamic, it is highly discouraged to use “0.0.0.0/0,” which effectively grants access to the instance from anywhere in the world.

Virtual Network

An alternative approach for connecting services that use dynamic IP ranges is allowing connections originating from within a specific Virtual Network (and subnet) on Azure. You can still limit the address range to restrict the traffic, but this option is likely the most flexible.

One minor limitation is that the Virtual Network needs to be an “Azure Virtual Network.” However, it can be in a different resource group/subscription or even tenancy.

The virtual network can be extended to allow traffic external to Azure by using the Azure Gateway VPN solution. With this approach, you can connect a local network to a cloud network through the Azure Gateway VPN, effectively allowing traffic from anywhere in the world within an encrypted connection.

Private Endpoints

Enabling private endpoints is recommended as an additional layer of security. A private endpoint for an application is an API endpoint strictly accessible from within a specific subnet in a virtual private network. When using private endpoints, you can completely shut off the public endpoint, effectively exposing the instance only to your Azure infrastructure (or infrastructure within the VNET). This is the most secure setup and has the advantage of not relying on firewall rules to restrict public access to the instance.