Issues Connecting to PostgreSQL Flexible Server in Azure VPC with Terraform
Deploying a PostgreSQL Flexible Server inside a VPC using Terraform has been successful, but there is an issue with connecting via Point-to-Site VPN. After following the instructions listed here, connection attempts still fail. Attempts to resolve the issue using the Q&A assist have not been successful either.
Azure Database for PostgreSQL
-
NIKHILA NETHIKUNTA • 4,525 Reputation points • Microsoft Vendor
2025-01-28T07:53:45.88+00:00 @William Kelly
Thank you for the question and for using Microsoft Q&A platform. Can you please provide me with more information about the issue you're facing? Specifically, what error message are you receiving when attempting to connect to the server via VPN? Have you checked to ensure that your VPN is properly configured and that you have the correct credentials to connect to the server?
Once I have a better understanding of the issue, I can provide you with more specific guidance on how to resolve it.
-
William Kelly • 5 Reputation points
2025-01-30T20:49:11.0333333+00:00 The error message that we are receiving is as follows: Error connecting to the server. Make sure the server is up and running and is accessible via port 5432. I have attempted to make sure that the VPN is properly configured however I am not sure if it is. That could definitely be a possible explanation as to why we can’t connect. Would seeing the terraform or screenshots of some of the infrastructure in Azure allow you to be able to understand more easily?
I have checked to make sure that the credentials are correct. I am trying to connect using the admin credentials.
-
Sai Raghunadh M • 2,640 Reputation points • Microsoft Vendor
2025-01-31T02:49:23.4233333+00:00 Please review the firewall settings for your PostgreSQL server and ensure that port 5432 is open and accessible through the VPN.
Additionally, confirm that the security group rules in your Terraform script permit traffic on port 5432 and check for any references to inbound rules in your script.
Also, verify the Network Security Groups associated with your VPC to ensure that both inbound and outbound rules allow traffic on port 5432.
In the meantime, please share the screenshots or Terraform configuration for a more detailed examination.
-
William Kelly • 5 Reputation points
2025-01-31T18:00:24.14+00:00 -
William Kelly • 5 Reputation points
2025-01-31T18:02:26.1333333+00:00 Here are a few screenshots of the flexible server, the vnet, the nsg, and the rules. Attached to this comment as well will be our main.tf that was used to create everything. (I can't add a .tf file so I copied it into a code block)
```hcl
# Needed by the Key Vault block at the bottom: it references
# data.azurerm_client_config.current, which the pasted main.tf never declared.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "campus_core_resource_group" {
  name     = "campus-core-resources"
  location = "East US 2"
}

resource "azurerm_storage_account" "campus_core_storage_account" {
  name                     = "campuscorestorage"
  resource_group_name      = azurerm_resource_group.campus_core_resource_group.name
  location                 = azurerm_resource_group.campus_core_resource_group.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_storage_container" "terraform_container" {
  name                  = "terraform-container"
  storage_account_id    = azurerm_storage_account.campus_core_storage_account.id
  container_access_type = "private"
}

resource "azurerm_storage_container" "certificates_container" {
  name                  = "certs-container"
  storage_account_id    = azurerm_storage_account.campus_core_storage_account.id
  container_access_type = "private"
}

resource "azurerm_virtual_network" "campus_core_vnet" {
  name                = "campus-core-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.campus_core_resource_group.location
  resource_group_name = azurerm_resource_group.campus_core_resource_group.name
  dns_servers         = ["168.63.129.16"]
}

# Subnet delegated to the Flexible Server; the server gets a private IP from this range.
resource "azurerm_subnet" "campus_core_subnet" {
  name                 = "campus-core-subnet"
  resource_group_name  = azurerm_resource_group.campus_core_resource_group.name
  virtual_network_name = azurerm_virtual_network.campus_core_vnet.name
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.Storage"]

  delegation {
    name = "postgresql-delegation"
    service_delegation {
      name    = "Microsoft.DBforPostgreSQL/flexibleServers"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
    }
  }
}

resource "azurerm_subnet" "gateway_subnet" {
  name                 = "GatewaySubnet"
  resource_group_name  = azurerm_resource_group.campus_core_resource_group.name
  virtual_network_name = azurerm_virtual_network.campus_core_vnet.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_public_ip" "campus_core_pip" {
  name                = "campus-core-pip"
  location            = azurerm_resource_group.campus_core_resource_group.location
  resource_group_name = azurerm_resource_group.campus_core_resource_group.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

# Point-to-Site gateway; VPN clients are assigned addresses from 172.16.201.0/24.
resource "azurerm_virtual_network_gateway" "campus_core_virtual_network_gateway" {
  name                = "campus-core-vngw"
  location            = azurerm_resource_group.campus_core_resource_group.location
  resource_group_name = azurerm_resource_group.campus_core_resource_group.name
  type                = "Vpn"
  vpn_type            = "RouteBased"
  sku                 = "VpnGw1"

  ip_configuration {
    name                          = "vnetGatewayConfig"
    public_ip_address_id          = azurerm_public_ip.campus_core_pip.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.gateway_subnet.id
  }

  vpn_client_configuration {
    address_space = ["172.16.201.0/24"]
    root_certificate {
      name             = "root-cert"
      public_cert_data = filebase64("C:/CampusCoreRootCert.cer")
    }
  }
}

resource "azurerm_network_security_group" "campus_core_nsg" {
  name                = "campus-core-nsg"
  location            = azurerm_resource_group.campus_core_resource_group.location
  resource_group_name = azurerm_resource_group.campus_core_resource_group.name

  security_rule {
    name                       = "Allow-VPN-to-Postgres-Inbound"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "5432"
    source_address_prefix      = "172.16.201.0/24"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "Allow-VPN-to-Postgres-Outbound"
    priority                   = 101
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "5432"
    source_address_prefix      = "172.16.201.0/24"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "Allow-VPN-Ping-Inbound"
    priority                   = 102
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Icmp"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "172.16.201.0/24"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "Allow-VPN-Ping-Outbound"
    priority                   = 103
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Icmp"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "172.16.201.0/24"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "Allow-DNS-Inbound"
    priority                   = 104
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Udp"
    source_port_range          = "*"
    destination_port_range     = "53"
    source_address_prefix      = "172.16.201.0/24"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "compus_core_subnet_nsg_association" {
  subnet_id                 = azurerm_subnet.campus_core_subnet.id
  network_security_group_id = azurerm_network_security_group.campus_core_nsg.id
}

resource "azurerm_private_dns_zone" "campus_core_private_dns_zone" {
  name                = "campuscoreprivatelink.postgres.database.azure.com"
  resource_group_name = azurerm_resource_group.campus_core_resource_group.name
  depends_on          = [azurerm_subnet_network_security_group_association.compus_core_subnet_nsg_association]
}

# The Flexible Server registers its own A record in the zone passed as private_dns_zone_id;
# a hand-written record with a guessed IP can disagree with the address the server actually gets.
resource "azurerm_private_dns_a_record" "postgres_a_record" {
  name                = "campus-core-postgres-flexible-server" # The expected FQDN prefix
  zone_name           = azurerm_private_dns_zone.campus_core_private_dns_zone.name
  resource_group_name = azurerm_resource_group.campus_core_resource_group.name
  ttl                 = 300
  records             = ["10.0.1.4"] # Replace with the correct private IP address of your PostgreSQL server
}

resource "azurerm_private_dns_zone_virtual_network_link" "campus_core_private_dns_zone_virtual_network_link" {
  name                  = "campus-core-link.com"
  resource_group_name   = azurerm_resource_group.campus_core_resource_group.name
  private_dns_zone_name = azurerm_private_dns_zone.campus_core_private_dns_zone.name
  virtual_network_id    = azurerm_virtual_network.campus_core_vnet.id
}

resource "azurerm_postgresql_flexible_server" "campus_core_postgres_server" {
  name                          = "campus-core-postgres-flexible-server"
  location                      = azurerm_resource_group.campus_core_resource_group.location
  resource_group_name           = azurerm_resource_group.campus_core_resource_group.name
  administrator_login           = "adminuser"
  administrator_password        = "adminP@assword1234" # plaintext in the pasted file; it is also written to Terraform state
  sku_name                      = "GP_Standard_D4s_v3"
  storage_mb                    = 32768
  version                       = "13"
  backup_retention_days         = 7
  geo_redundant_backup_enabled  = false
  zone                          = "1" # Use availability zone if needed
  public_network_access_enabled = false
  delegated_subnet_id           = azurerm_subnet.campus_core_subnet.id
  private_dns_zone_id           = azurerm_private_dns_zone.campus_core_private_dns_zone.id
  depends_on                    = [azurerm_private_dns_zone_virtual_network_link.campus_core_private_dns_zone_virtual_network_link]

  lifecycle {
    ignore_changes = [storage_mb] # Allow auto-resizing of storage
  }
}

resource "azurerm_postgresql_flexible_server_database" "ncat" {
  name      = "ncat-database"
  server_id = azurerm_postgresql_flexible_server.campus_core_postgres_server.id
  charset   = "UTF8"
  collation = "en_US.utf8"

  # lifecycle {
  #   prevent_destroy = true
  # }
}

resource "azurerm_key_vault" "campus_core_key_vault" {
  name                        = "campus-core-key-vault"
  location                    = azurerm_resource_group.campus_core_resource_group.location
  resource_group_name         = azurerm_resource_group.campus_core_resource_group.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false
  sku_name                    = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions     = ["Get", "List", "Create", "Delete", "Update"]
    secret_permissions  = ["Get", "List", "Set", "Delete"]
    storage_permissions = ["Get"]
  }
}
```
-
William Kelly • 5 Reputation points
2025-01-31T18:04:40+00:00 -
NIKHILA NETHIKUNTA • 4,525 Reputation points • Microsoft Vendor
2025-02-03T17:46:38.4333333+00:00 @William Kelly
Can you please confirm if you are still facing the issue?
-
William Kelly • 5 Reputation points
2025-02-03T18:09:07.4733333+00:00 Yes we are still facing this issue. Can you see the terraform and screenshots I posted? @NIKHILA NETHIKUNTA
-
NIKHILA NETHIKUNTA • 4,525 Reputation points • Microsoft Vendor
2025-02-05T08:07:47.76+00:00 @William Kelly
Thank you for the details.
Can you please try deploying a VM in the same VNET and confirm if you are able to access the Flexible server?
-
William Kelly • 5 Reputation points
2025-02-05T19:04:49.1933333+00:00 What is the best way to connect from a VM? @NIKHILA NETHIKUNTA
-
William Kelly • 5 Reputation points
2025-02-05T22:53:13.07+00:00 Okay I actually was able to figure this out and connect to the database through the VM. I have established a connection. So does this tell us that the networking piece is okay, and that it has something to do with the VPN? or what does this now tell us?
-
NIKHILA NETHIKUNTA • 4,525 Reputation points • Microsoft Vendor
2025-02-06T14:27:05.1066667+00:00 @William Kelly
You can follow the steps mentioned here for P2S:
https://learn.microsoft.com/en-us/answers/questions/1411916/how-to-vpn-to-azure-sql-database
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration#azure-private-resolver-for-on-premises-workloads
For testing purposes, you can modify the Windows hosts file.
Hope this helps. Please let us know if you have any further questions.
-
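The generic "accessible via port 5432" error hides two different failure modes for a VNet-integrated Flexible Server reached over Point-to-Site: the VPN client may not be resolving the server's FQDN through a resolver that can see the private DNS zone at all, or it may resolve it correctly and then be blocked on TCP 5432. The following diagnostic is an added example, not code from this thread; it takes the FQDN and the delegated subnet 10.0.1.0/24 from the posted main.tf, and the verdict labels are assumptions of this example.

```python
import ipaddress
import socket

# Taken from the posted main.tf: delegated subnet and the server name in the private zone.
DELEGATED_SUBNET = ipaddress.ip_network("10.0.1.0/24")
SERVER_FQDN = ("campus-core-postgres-flexible-server."
               "campuscoreprivatelink.postgres.database.azure.com")
POSTGRES_PORT = 5432


def classify_resolution(addresses, subnet=DELEGATED_SUBNET):
    """Interpret the addresses the client's resolver returned (labels are this example's own)."""
    if not addresses:
        return "dns-failure"           # resolver cannot see the private zone (e.g. 168.63.129.16 unreachable from the client)
    if any(ipaddress.ip_address(a) in subnet for a in addresses):
        return "private-ok"            # resolved into the delegated subnet: DNS is fine, test TCP next
    if all(ipaddress.ip_address(a).is_private for a in addresses):
        return "private-wrong-subnet"  # e.g. stale hosts entry or a hand-written A record with the wrong IP
    return "public-address"            # answered by public DNS: the private zone was not consulted


def resolve(fqdn):
    """IPv4 addresses the local resolver returns, or [] when the name does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def tcp_check(host, port=POSTGRES_PORT, timeout=3.0):
    """Distinguish an NSG/route drop (timeout) from a reachable host that refuses."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "tcp-open"
    except socket.timeout:
        return "tcp-timeout"           # SYN never answered: typically NSG, route or wrong address
    except ConnectionRefusedError:
        return "tcp-refused"
    except OSError as exc:
        return f"tcp-error:{exc.errno}"


def diagnose(fqdn=SERVER_FQDN):
    addrs = resolve(fqdn)
    verdict = classify_resolution(addrs)
    report = {"fqdn": fqdn, "addresses": addrs, "dns": verdict}
    if verdict == "private-ok":        # only test the port once DNS has been ruled out
        report["tcp"] = tcp_check(addrs[0])
    return report


if __name__ == "__main__":
    print(diagnose())
```

Run it from the VPN client and from the VM that could connect; the two reports differing in the `dns` field rather than the `tcp` field points at client-side name resolution rather than the NSG rules.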
NIKHILA NETHIKUNTA • 4,525 Reputation points • Microsoft Vendor
2025-02-10T16:31:00.7866667+00:00 @William Kelly
Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
-
William Kelly • 5 Reputation points
2025-02-10T20:50:32.2566667+00:00 @NIKHILA NETHIKUNTA
I am looking through what you sent and I see that I need to create a private endpoint, but when I try to create a private endpoint through my terraform I get this error:
Private Endpoint Name: "campus-core-postgres-private-endpoint"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with error: PrivateEndpointFeatureNotSupportedOnServer: Call to Microsoft.DBforPostgreSQL/flexibleServers failed. Error message: The given server campus-core-postgres-flexible-server does not support private endpoint feature. Please create a new server that is private endpoint capable. Refer to https://aka.ms/pgflex-pepreview for more details.
Why is this? I haven't disabled the private endpoint capability, and my postgres server is not publicly accessible. Are private endpoints not allowed in specific regions? How do I get around this error?
-
William Kelly • 5 Reputation points
2025-02-10T21:03:51.9766667+00:00 I have been following this documentation for setup.
and here at this section I see that I can't interact with private link by default. However in this section it says that I can connect to my database through the VPN that I am trying to configure. I feel like I am missing just a small thing in my VPN configuration that is not allowing me to connect to my database. It doesn't seem like I can use a private endpoint according to this documentation. How do I configure my VPN correctly to be able to connect to my postgres server? Is it possible for us to possibly set up a call to try and debug this?
-
NIKHILA NETHIKUNTA • 4,525 Reputation points • Microsoft Vendor
2025-02-12T07:53:46.7533333+00:00 @William Kelly
I agree that this issue looks strange and I wasn't able to reproduce this issue. If you have a support plan could you please file a support ticket for deeper investigation and do share the SR# with us?
Thanks
-
William Kelly • 5 Reputation points
2025-02-12T21:15:05.9166667+00:00 @NIKHILA NETHIKUNTA
Could you provide us with a link to where we can submit this ticket, or could you submit one for us? I have been looking and can't seem to figure out how to submit a ticket. Also my question about the 1:1, is that possible? We would just love to get past this blocker. It is really hindering our progress on our work, and we would love to get this resolved ASAP.
-
William Kelly • 5 Reputation points
2025-02-13T01:22:05.54+00:00 This is the option that I am selecting (through Terraform) when creating the Flexible server. I would like to keep it this way so that our database is as secure as possible.
-
William Kelly • 5 Reputation points
2025-02-17T00:09:55.2733333+00:00 @NIKHILA NETHIKUNTA @Sai Raghunadh M
Any updates on where I can submit a support request or a possible 1:1? I would really love to get this solved ASAP
-
William Kelly • 5 Reputation points
2025-02-17T00:34:05.8+00:00 I believe we opened a support ticket originally and they sent us here. This was the number in the email: 2501110040000243. Is this what you are looking for? An Ajay Babu was helping us, and sent us here to post this question
-
William Kelly • 5 Reputation points
2025-02-19T23:22:31.72+00:00 I have created another Support Request: 2502190010002863