1. Secure Azure PostgreSQL access with a Virtual Network Rule

    TypeScript

    When working with Azure Database for PostgreSQL (Single Server), one useful network control is a Virtual Network (VNet) service endpoint. Enabling the Microsoft.Sql endpoint on a subnet lets Azure identify traffic from that subnet by its VNet and subnet identity rather than by public IP, and a Virtual Network Rule on the database server then admits connections only from that subnet. Note what the rule does and does not do: connections still terminate on the server's public endpoint, so the rule is a source restriction, not a private address for the server. If the server must have no public endpoint at all, use Private Link instead of VNet rules.

    In the program below, we use Pulumi to define and apply a VirtualNetworkRule for an Azure Database for PostgreSQL instance. The following steps are taken:

    1. First, we define a Virtual Network and a subnet. This is the network your client applications (VMs, AKS nodes, App Service with VNet integration) run in; the PostgreSQL Single Server itself is not deployed into the subnet, it only trusts it.
    2. Next, we create a PostgreSQL server. While this example does not show every configuration option, it includes the minimum needed for a General Purpose server with public network access enabled, TLS enforced, and the administrator password taken from Pulumi's secret configuration. Two settings matter here: Basic tier servers do not support VNet service endpoints, and setting publicNetworkAccess to "Disabled" rejects every connection that does not arrive over Private Link, VNet rules included.
    3. We then create a VirtualNetworkRule for the PostgreSQL server. This rule links the server to the subnet created earlier, so that (with no firewall rules present, as here) only clients in this subnet can connect.
    4. Finally, the connection information is exported so it can be used to access the PostgreSQL server from allowed resources within the VNet.

    The following TypeScript program sets this up:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure-native";

// Read the admin password from Pulumi config as a secret
// (set it with `pulumi config set --secret pgAdminPassword <value>`) rather than hard-coding it in source.
const config = new pulumi.Config();
const adminPassword = config.requireSecret("pgAdminPassword");

// Create an Azure Resource Group
const resourceGroup = new azure.resources.ResourceGroup("pgResourceGroup");

// Create an Azure Virtual Network
const virtualNetwork = new azure.network.VirtualNetwork("pgVirtualNetwork", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    addressSpace: {
        addressPrefixes: ["10.0.0.0/16"],
    },
});

// Create a Subnet. This defines the range of allowable IP addresses within the VNet.
const subnet = new azure.network.Subnet("pgSubnet", {
    resourceGroupName: resourceGroup.name,
    virtualNetworkName: virtualNetwork.name,
    addressPrefix: "10.0.1.0/24",
    serviceEndpoints: [
        // Azure Database for PostgreSQL Single Server uses the Microsoft.Sql service endpoint.
        { service: "Microsoft.Sql" },
    ],
});

// Create an Azure PostgreSQL Single Server (API version 2017-12-01).
// Server names must be lowercase letters, digits and hyphens, so the logical name is lowercase too.
const postgresServer = new azure.dbforpostgresql.Server("pgserver", {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    sku: {
        // Basic tier does not support VNet service endpoints; General Purpose (or Memory Optimized) is required.
        name: "GP_Gen5_2",
        tier: "GeneralPurpose",
        family: "Gen5",
        capacity: 2,
    },
    properties: {
        createMode: "Default",
        version: "11", // Specifies the version of PostgreSQL
        administratorLogin: "pgadmin",
        administratorLoginPassword: adminPassword,
        sslEnforcement: "Enabled",
        minimalTlsVersion: "TLS1_2",
        // Must stay "Enabled": VNet rules are evaluated on the public endpoint.
        // "Disabled" drops every connection that is not via Private Link, VNet rules included.
        publicNetworkAccess: "Enabled",
    },
});

// Create a Virtual Network Rule for PostgreSQL. This allows the server to accept connections from the subnet.
const postgresVnetRule = new azure.dbforpostgresql.VirtualNetworkRule("pgVNetRule", {
    resourceGroupName: resourceGroup.name,
    serverName: postgresServer.name,
    virtualNetworkSubnetId: subnet.id,
    // Fail the deployment if the subnet lacks the Microsoft.Sql endpoint instead of creating an inert rule.
    ignoreMissingVnetServiceEndpoint: false,
});

// Export the PostgreSQL server name and hostname so we can easily connect to it.
export const postgresServerName = postgresServer.name;
export const postgresHostName = postgresServer.fullyQualifiedDomainName;
```

    In this program:

    • We use the azure-native package, which is the newest namespace for the Azure provider in Pulumi. The Server and VirtualNetworkRule types used here are the Single Server resources (API version 2017-12-01). On azure-native v2 the unversioned dbforpostgresql module targets Flexible Server, which has no VirtualNetworkRule; import the Single Server types from azure.dbforpostgresql.v20171201 there. Azure retired Single Server in March 2025, so for new deployments the equivalent control on Flexible Server is VNet integration (a delegated subnet) or a private endpoint.
    • The ResourceGroup is a logical container into which all related Azure resources, like the Virtual Network and PostgreSQL Database, will be deployed.
    • For the VirtualNetwork and Subnet, the address spaces are CIDR notation IP ranges. They are arbitrarily chosen private IP ranges and should be adjusted according to your needs.
    • The Server resource creates the PostgreSQL server instance itself. Firewall rules (azure.dbforpostgresql.FirewallRule) and private endpoints are separate resources; none are created here, so the VNet rule is the only network allow entry on the server.
    • The VirtualNetworkRule is associated with the PostgreSQL resource so that only clients inside the defined subnet can reach it. Any FirewallRule you add later widens that set; in particular the 0.0.0.0-0.0.0.0 rule ("Allow access to Azure services") admits resources from any Azure subscription, not just yours, so leave it off.
    • The export statements at the end reveal necessary deployment outputs, like server names and fully-qualified domain names (FQDNs), which are useful for connecting to the PostgreSQL server from within your VNet.

    Make sure to replace the placeholder administrator login with one of your own and never commit a password to source. Keep secrets in Pulumi's encrypted configuration (pulumi config set --secret) or in an external store such as Azure Key Vault, and remember to adjust the IP ranges to fit your network design.

    This program sets up the resources in Azure such that only clients within the specified subnet can reach the Azure PostgreSQL server, provided no firewall rules are added and public network access is left enabled so that the VNet rule is evaluated at all.
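    The conditions just described (subnet inside the VNet, Microsoft.Sql endpoint present, public network access not disabled, no broad firewall rules, TLS enforced) are easy to get wrong and some of them only fail silently. The following is an added example, not code from the original page or from Pulumi: an offline lint that takes a plain description of the intended VNet and server and reports each violated condition. The SubnetSpec/VnetSpec/ServerSpec interfaces, the function names and the sample configurations are this example's own assumptions, not provider types.

```typescript
// Added example, not part of the original Pulumi program: an offline lint for the
// Single Server network settings discussed above. The interfaces below are the
// example's own shapes, not provider types; no Azure call is made.

interface SubnetSpec { addressPrefix: string; serviceEndpoints: string[]; }   // CIDR, e.g. "10.0.1.0/24"
interface VnetSpec { addressPrefixes: string[]; subnets: { [name: string]: SubnetSpec }; }
interface FirewallRule { startIpAddress: string; endIpAddress: string; }
interface ServerSpec {
    publicNetworkAccess: "Enabled" | "Disabled";
    sslEnforcement: "Enabled" | "Disabled";
    minimalTlsVersion: "TLSEnforcementDisabled" | "TLS1_0" | "TLS1_1" | "TLS1_2";
    vnetRuleSubnets: string[];     // names of subnets that get a VirtualNetworkRule
    firewallRules: FirewallRule[];
}

// Dotted-quad IPv4 address to an unsigned 32-bit integer.
export function ipv4ToInt(ip: string): number {
    const parts = ip.split(".").map(Number);
    if (parts.length !== 4 || parts.some(p => isNaN(p) || p % 1 !== 0 || p < 0 || p > 255)) {
        throw new Error(`invalid IPv4 address: ${ip}`);
    }
    return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function prefixMask(prefixLen: number): number {
    return prefixLen === 0 ? 0 : (0xffffffff << (32 - prefixLen)) >>> 0;
}

function parseCidr(cidr: string): { network: number; prefixLen: number } {
    const [ip, lenStr] = cidr.split("/");
    const prefixLen = Number(lenStr);
    if (isNaN(prefixLen) || prefixLen % 1 !== 0 || prefixLen < 0 || prefixLen > 32) {
        throw new Error(`invalid CIDR: ${cidr}`);
    }
    return { network: (ipv4ToInt(ip) & prefixMask(prefixLen)) >>> 0, prefixLen };
}

// True when every address of `inner` lies inside `outer`.
export function cidrContains(outer: string, inner: string): boolean {
    const o = parseCidr(outer), i = parseCidr(inner);
    return i.prefixLen >= o.prefixLen && ((i.network & prefixMask(o.prefixLen)) >>> 0) === o.network;
}

// Returns findings; an empty list means the VNet rule will restrict access the way the text claims.
export function lintPostgresNetwork(vnet: VnetSpec, server: ServerSpec): string[] {
    const findings: string[] = [];
    for (const name of Object.keys(vnet.subnets)) {
        const prefix = vnet.subnets[name].addressPrefix;
        if (!vnet.addressPrefixes.some(p => cidrContains(p, prefix))) {
            findings.push(`subnet ${name} (${prefix}) lies outside the VNet address space`);
        }
    }
    for (const name of server.vnetRuleSubnets) {
        const subnet = vnet.subnets[name];
        if (subnet === undefined) {
            findings.push(`VNet rule refers to unknown subnet ${name}`);
        } else if (subnet.serviceEndpoints.indexOf("Microsoft.Sql") < 0) {
            findings.push(`subnet ${name} lacks the Microsoft.Sql service endpoint (rule rejected while ignoreMissingVnetServiceEndpoint=false)`);
        }
    }
    if (server.publicNetworkAccess === "Disabled" && server.vnetRuleSubnets.length > 0) {
        findings.push("publicNetworkAccess=Disabled rejects every connection except Private Link, so the VNet rules never match");
    }
    for (const rule of server.firewallRules) {
        const start = ipv4ToInt(rule.startIpAddress), end = ipv4ToInt(rule.endIpAddress);
        if (start === 0 && end === 0xffffffff) {
            findings.push("firewall rule 0.0.0.0-255.255.255.255 exposes the server to the whole internet");
        } else if (start === 0 && end === 0) {
            // Azure's "Allow access to Azure services" rule admits resources from any subscription, not only yours.
            findings.push("firewall rule 0.0.0.0-0.0.0.0 admits resources from any Azure subscription");
        }
    }
    if (server.sslEnforcement !== "Enabled") findings.push("sslEnforcement is not Enabled");
    if (server.minimalTlsVersion !== "TLS1_2") findings.push(`minimalTlsVersion is ${server.minimalTlsVersion}, require TLS1_2`);
    return findings;
}

// Constructed sample: the VNet from the program above plus a second subnet that lacks the endpoint.
export const sampleVnet: VnetSpec = {
    addressPrefixes: ["10.0.0.0/16"],
    subnets: {
        pgSubnet:   { addressPrefix: "10.0.1.0/24", serviceEndpoints: ["Microsoft.Sql"] },
        noEndpoint: { addressPrefix: "10.0.2.0/24", serviceEndpoints: [] },
    },
};
// Constructed weak server: public access disabled while still relying on VNet rules, TLS not enforced, open firewall.
export const weakServer: ServerSpec = {
    publicNetworkAccess: "Disabled", sslEnforcement: "Disabled", minimalTlsVersion: "TLS1_0",
    vnetRuleSubnets: ["pgSubnet", "noEndpoint"],
    firewallRules: [{ startIpAddress: "0.0.0.0", endIpAddress: "255.255.255.255" }],
};
export const hardenedServer: ServerSpec = {
    publicNetworkAccess: "Enabled", sslEnforcement: "Enabled", minimalTlsVersion: "TLS1_2",
    vnetRuleSubnets: ["pgSubnet"], firewallRules: [],
};

console.log(lintPostgresNetwork(sampleVnet, weakServer));     // five findings
console.log(lintPostgresNetwork(sampleVnet, hardenedServer)); // []
```

    Run it with ts-node before `pulumi up`, or fold the same checks into a Pulumi policy pack: the weak configuration yields five findings (missing endpoint on one subnet, disabled public access with VNet rules, an open firewall rule, SSL not enforced, TLS below 1.2), the hardened one yields none.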