Add firewall rules

With public access enabled, you can configure firewall rules to allow connections originating from specific IP addresses, or from any Azure service.

Portal

Using the Azure portal:

1. Select your Azure Database for PostgreSQL flexible server.

2. In the resource menu, select Overview.

   

3. The status of the server must be Available, for the Networking menu option to be enabled.

   

4. If the status of the server isn't Available, the Networking option is disabled.

   

Note

Any attempt to configure the networking settings of a server whose status is other than available, would fail with an error.

5. In the resource menu, select Networking.

   

6. If you want to create a firewall rule to allow connections originating from the public IP address of the client machine that you're using to connect to navigate the portal, select Add current client IP address (###.###.###.###).

   

7. A new firewall rule is added to the grid. Its Firewall rule name is automatically generated, but you can change it to any valid name of your preference. Start IP address and End IP address are set to the public IP address from which you're connected to the Azure portal.

   

8. If you want to create a firewall rule to allow connections originating from any public IP address, select Add 0.0.0.0 / 255.255.255.255.

   

9. If you want to create a firewall rule to allow connections originating from any IP address allocated to any Azure service or asset, select Allow public access from any Azure service within Azure to this server.

   

Important

Allow public access from any Azure service within Azure to this server creates a firewall rule whose start and end IP addresses are set to 0.0.0.0. The presence of such rule configures the firewall to allow connections from IP addresses allocated to any Azure service or asset, including connections from the subscriptions of other customers.

10. Select Save.

    

11. A notification informs you that the changes are being applied.

    

12. Also, the status of the server changes to Updating.

    

13. When the process completes, a notification informs you that the changes were applied.

    

14. Also, the status of the server changes to Available.

    

CLI

You can add firewall rules to a server via the az postgres flexible-server firewall-rule create command.

az postgres flexible-server firewall-rule create --resource-group <resource_group> --name <server> --rule-name <rule> --start-ip-address <start_ip_address> --end-ip-address <end_ip_address>

If you attempt to add a firewall rule on a server which isn't in Available state, you receive an error like this:

Code: InternalServerError
Message: An unexpected error occured while processing the request. Tracking ID: '<tracking_id>'

Note

Firewall rule names can only contain 0-9, a-z, A-Z, -, and _. Additionally, the name of the firewall rule must be at least 3 characters, and no more than 128 characters in length.

If you attempt to add a firewall rule with an invalid name, you receive an error like this:

The firewall rule name can only contain 0-9, a-z, A-Z, '-' and '_'. Additionally, the name of the firewall rule must be at least 3 characters and no more than 128 characters in length. 

If you attempt to add a firewall rule with a name that matches the name of another existing firewall rule, you don't receive an error, but the rule is updated with the values provided for --start-ip-address and --end-ip-address.

If you pass an invalid IP address for the --start-ip-address and --end-ip-address parameters, you receive an error like this:

Incorrect value for ip address. Ip address should be IPv4 format. Example: 12.12.12.12.

If you pass a value for --start-ip-address which is bigger than the value passed --end-ip-address, you receive an error like this:

The end IP address is smaller than the start IP address.

If you attempt to add a firewall rule to a server that doesn't have public access enabled, you receive an error like this:

Firewall rule operations cannot be requested for a private access enabled server.

Note

Although not recommended, you can create multiple firewall rules with different names and either overlapping IP ranges, or even matching start and end IP addresses.

To allow public access, from any Azure service within Azure, to your server, you must create a firewall rule whose start and end IP addresses are both set to 0.0.0.0.

Important

When you configure a rule in the firewall with start and end IP addresses set to 0.0.0.0, it configures the firewall to allow connections from IP addresses allocated to any Azure service or asset, including connections from the subscriptions of other customers.

Related content

• Networking.
• Enable public access.
• Disable public access.
• Delete firewall rules.
• Add private endpoint connections.
• Delete private endpoint connections.
• Approve private endpoint connections.
• Reject private endpoint connections.