VNET integration & Support of Corporate Addon - POSTGRESQL
Introduction
DBAAS/PostgreSQL is based on Azure Database for PostgreSQL flexible server. By default, the database is accessible from the internet:
- a public IP is provided
- the name is resolvable from the internet (globally)
Depending on your use case, the sensitivity of your data may require you to reduce the risk of data leakage. A common solution is to restrict access to the database to specific networks only.
Interconnecting networks on the cloud is a challenge. You will probably face common issues such as:
- IP address ranges overlapping between VNETs, which prevents direct peering
- errors in name resolution
The purpose of this documentation is to describe the options DBAAS/PostgreSQL supports and the associated recommendations.
Public Access
This is the default option.
Applications or administrators can access DBAAS/PostgreSQL using a URL under *.postgres.database.azure.com that is resolvable publicly and reachable through the internet.
Private Access
This is the option used when VNET integration is enabled.
Using Network Backbone
DBAAS is integrated into a shared VNET already connected to the TrustNest Network Backbone. The URL is not resolvable from the internet. A private DNS zone link must be configured on your VNET so that it can resolve the DBAAS URL. The TrustNest Backbone then allows the flow from your landing zone or your k8saas instance by default, but the NSG on the DBAAS side must still be explicitly opened.
The network flow uses the TrustNest Network Backbone.
Using Direct Peering
Sometimes your VNET cannot be integrated into the TrustNest Network Backbone, because your environment does not follow the TrustNest IP plan. Only in this case, a peering will be configured between your landing zone and/or your instance VNET and the VNET dedicated to your DBAAS tenant.
High Level Architecture for Standard Environment
High Level Architecture for Corporate Environment
HOWTO request DBAAS with VNET integration?
Go to postIT, DBAAS section, and select "Subscribe to DBAAS Industrialize/Innovate/Discover". While completing the form, tick the "VNET integration" box.
Known limitations
- VNET integration can be enabled only during the first deployment. If you want to enable it afterwards, the operations team will delete and redeploy your DBAAS instance. In this case, please inform the operations team about your backup strategy beforehand.
- Direct peering is no longer supported for the corporate addon. Only the TrustNest Network Backbone should be used.
Troubleshooting
- Before sending a request to support, make sure your container or your application can resolve the DBAAS URL. If it cannot, raise a generic postIT request asking for the DBAAS private DNS VNET link (please provide your VNET ID).
- If your application or container can resolve the DBAAS URL but the network flow is blocked, send a generic postIT request asking the DBAAS team to open the flow on their side (please provide the IP range used by your application, or the k8saas instance name).
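The two troubleshooting steps above (and the DNS link / NSG requirements of the Network Backbone option) can be checked from the application container before opening a request. The script below is an added example written for this page; it is not part of the DBAAS documentation or tooling. It assumes the DBAAS FQDN is passed as the first argument, that PostgreSQL listens on port 5432, and that `getent` and `nc` are available in the container (a bash `/dev/tcp` fallback is used otherwise).

```shell
#!/bin/sh
# Added example (not part of the original DBAAS documentation): pre-support checks
# for a DBAAS/PostgreSQL instance with VNET integration, run from the application
# container or host. Usage: sh check_dbaas.sh <dbaas-fqdn> [port]
# Assumptions: port 5432 by default; getent and nc available (bash fallback otherwise).

# Return 0 if the dotted-quad IPv4 address is in an RFC 1918 private range
# (10/8, 172.16/12, 192.168/16), 1 otherwise. With VNET integration the DBAAS
# URL must resolve to a private address; a public address means the private DNS
# zone is not linked to this VNET (or the name is resolved through public DNS).
is_private_ip() {
  ip="$1"
  o1="${ip%%.*}"; rest="${ip#*.}"; o2="${rest%%.*}"
  case "$o1" in
    10) return 0 ;;
    172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;
    192) [ "$o2" -eq 168 ] && return 0 ;;
  esac
  return 1
}

# Resolve the FQDN with the resolver the application really uses (getent honours
# /etc/resolv.conf and /etc/hosts, unlike dig) and print the first IPv4 address.
resolve_fqdn() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Classify a resolved address: "private" means the DNS link is in place,
# "public" means the private DNS VNET link is missing, "none" means the name
# does not resolve at all from this host.
classify_resolution() {
  ip="$1"
  if [ -z "$ip" ]; then echo "none"
  elif is_private_ip "$ip"; then echo "private"
  else echo "public"
  fi
}

# Test the TCP path to the database port with a short timeout. This is the
# "resolves but the flow is blocked" case, which needs an NSG opening on the DBAAS side.
tcp_reachable() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
  else
    # bash fallback; reports "blocked" under a plain sh without /dev/tcp support
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

main() {
  fqdn="$1"; port="${2:-5432}"
  ip=$(resolve_fqdn "$fqdn")
  case "$(classify_resolution "$ip")" in
    none)
      echo "FAIL: $fqdn does not resolve from this host."
      echo "      Raise a postIT request for the DBAAS private DNS VNET link (include your VNET ID)." ;;
    public)
      echo "WARN: $fqdn resolves to public address $ip; the private DNS zone is not linked to this VNET."
      echo "      Raise a postIT request for the DBAAS private DNS VNET link (include your VNET ID)." ;;
    private)
      echo "OK:   $fqdn resolves to private address $ip."
      if tcp_reachable "$fqdn" "$port"; then
        echo "OK:   TCP $port is reachable; the network path is open."
      else
        echo "FAIL: TCP $port is blocked. Raise a postIT request to open the flow on the DBAAS NSG"
        echo "      (include your application IP range or the k8saas instance name)."
      fi ;;
  esac
}

# Run the checks only when an FQDN is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; else echo "usage: $0 <dbaas-fqdn> [port]" >&2; fi
```

The script prints which of the two postIT requests applies, so the ticket already contains the information the support team asks for (VNET ID for a resolution problem, IP range or k8saas instance name for a blocked flow). It deliberately resolves through `getent` rather than `dig` so that the result reflects the container's own resolver configuration.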