Azure/azure-postgresql

Option for the "Allow access to Azure services" configuration

xabikos opened this issue · 10 comments

When creating the server in the portal there is an extra option in the UI to add a security setting in order to allow Azure services to connect to the server, as shown below.

[image: portal screenshot of the "Allow access to Azure services" toggle]

I couldn't find the equivalent option through the ARM template.

Welcome to my personal hell @xabikos.

Based on my inspection of the firewall rules, this appears to set a firewall rule with the following properties:

Name: AllowAllWindowsAzureIps
Start IP Address: 0.0.0.0
End IP Address: 0.0.0.0

This is documented in the Azure SQL docs: https://docs.microsoft.com/en-us/rest/api/sql/firewallrules/createorupdate#request-body

But not so much in the PostgreSQL docs: https://docs.microsoft.com/en-us/rest/api/postgresql/firewallrules/createorupdate#request-body

As an aside, I've deployed Azure Database for PostgreSQL with both ARM Templates and Terraform (which just calls the Azure CLI under the hood) with that firewall rule defined, and it regularly doesn't work. My App Service cannot communicate with the PostgreSQL database. I need to go into the Azure Portal and manually toggle the button above between OFF and ON in order to make it work correctly.

@rachel-msft (tagging you because you've touched this repo last): is there a path to providing this type of feedback that is better? Looks like none of the issues in this repository have been interacted with ever. I want to make sure that I'm doing this correctly, but it seems like even the CLI doesn't always work here.
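An added audit helper, written for this thread and not taken from Microsoft or the Terraform provider, that classifies PostgreSQL firewall rules by the same startIpAddress/endIpAddress properties described above, so the 0.0.0.0-0.0.0.0 sentinel is not mistaken for a "nothing allowed" rule. The rule list is constructed sample data in the shape of the ARM properties block; the 203.0.113.x address is a documentation-range placeholder.

```python
import ipaddress

# Sentinel Azure uses for "Allow access to Azure services" (see the thread above).
AZURE_SERVICES_SENTINEL = ("0.0.0.0", "0.0.0.0")
ALL_IPV4_START = ipaddress.ip_address("0.0.0.0")
ALL_IPV4_END = ipaddress.ip_address("255.255.255.255")


def classify_rule(rule):
    """Return (category, note) for one rule dict carrying the ARM property
    names 'name', 'startIpAddress' and 'endIpAddress'."""
    start = ipaddress.ip_address(rule["startIpAddress"])
    end = ipaddress.ip_address(rule["endIpAddress"])
    # The sentinel is checked first: it is not an empty range but a flag that
    # admits any Azure-hosted client, not only resources in your own subscription.
    if (str(start), str(end)) == AZURE_SERVICES_SENTINEL:
        return ("azure-services", "admits any Azure-hosted client, not only your own")
    if end < start:
        return ("invalid", "end address precedes start address")
    if start == ALL_IPV4_START and end == ALL_IPV4_END:
        return ("internet", "open to every IPv4 address")
    span = int(end) - int(start) + 1
    if span > 256:
        return ("wide", f"{span} addresses")
    return ("scoped", f"{span} address(es)")


def audit(rules):
    """Map each rule name to its classification."""
    return {r["name"]: classify_rule(r) for r in rules}


# Constructed sample in the shape of the ARM firewallRules 'properties' block.
SAMPLE_RULES = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
    {"name": "everything", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    {"name": "broken", "startIpAddress": "10.0.0.9", "endIpAddress": "10.0.0.1"},
]

if __name__ == "__main__":
    for name, (category, note) in audit(SAMPLE_RULES).items():
        print(f"{name:28s} {category:15s} {note}")
```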

Hi @afmorris,

Could you please provide the command/lines you use to set this in ARM and in Terraform?

Hi @rachel-msft:

I've used the PostgreSQL Firewall Rules with intermittent results with both ARM and Terraform. Admittedly, I use Terraform more as I can work with resource groups more effectively (and it's significantly less verbose), so most of my experience is with Terraform/Azure CLI. This may just be an issue with the Azure CLI at the end of the day.

Terraform Resource: azurerm_postgresql_firewall_rule
Sample Definition:

# Terraform equivalent of the portal toggle: the 0.0.0.0-0.0.0.0 sentinel rule
resource "azurerm_postgresql_firewall_rule" "azure" {
  name                = "AllowAllWindowsAzureIps"
  resource_group_name = "${var.resource_group_name}"
  server_name         = "${azurerm_postgresql_server.default.name}"
  start_ip_address    = "0.0.0.0"   # sentinel value, not a real address range
  end_ip_address      = "0.0.0.0"
}

ARM Resource: Microsoft.DBforPostgreSQL/servers/firewallRules
Sample Definition:

{
	"comments": "Generalized from resource: '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-rg/providers/Microsoft.DBforPostgreSQL/servers/my-db/firewallRules/AllowAllWindowsAzureIps'.",
	"type": "Microsoft.DBforPostgreSQL/servers/firewallRules",
	"name": "[concat(parameters('servers_default_db_name'), '/', parameters('firewallRules_AllowAllWindowsAzureIps_name'))]",
	"apiVersion": "2017-12-01-preview",
	"scale": null,
	"properties": {
		"startIpAddress": "0.0.0.0",
		"endIpAddress": "0.0.0.0"
	},
	"dependsOn": [
		"[resourceId('Microsoft.DBforPostgreSQL/servers', parameters('servers_default_db_name'))]"
	]
},

Thank you for the info @afmorris. Since I have a similar open doc issue, I'll track progress there: MicrosoftDocs/azure-docs#20758

Thanks @rachel-msft! I'm just glad to know I'm not crazy here...

With the AzureRM 2.0 provider in Terraform, it's impossible to apply the example above o.O
I also thought I could use "0.0.0.0", but when I tried it, it errors with

Error: postgresql.FirewallRulesClient#CreateOrUpdate: Failure sending request: StatusCode=405 -- Original Error: Code="FeatureSwitchNotEnabled" Message="Requested feature is not enabled"

  on postgres.tf line 44, in resource "azurerm_postgresql_firewall_rule" "vnet":
  44: resource "azurerm_postgresql_firewall_rule" "vnet" {

@Dmitry1987, check the parameter public_network_access_enabled of the PostgreSQL Server resource:

# Create Postgres Server
resource "azurerm_postgresql_server" "this" {
  ...
  # Without this, creating the firewall rule is rejected (see the error above)
  public_network_access_enabled = true
}

# Create Postgres Server Firewall Rule (the 0.0.0.0-0.0.0.0 sentinel)
resource "azurerm_postgresql_firewall_rule" "psql_fw" {
  name                = "AllowAccessToAzureServices"
  resource_group_name = azurerm_resource_group.this.name
  server_name         = azurerm_postgresql_server.this.name
  start_ip_address    = "0.0.0.0"
  end_ip_address      = "0.0.0.0"
}

Thanks @SimonGolms.
Is it only possible if it is open to public access? I need to keep it private; the database has to be accessible only from inside VNET subnets. It's pretty bad that we have to open it to the public in order to apply a rule for other Azure service endpoints :( Is it the only way?

For private access only, you would use VNET only. That way only resources in your virtual network can access the server.
If you want resources that are outside your virtual network to access the server, that's where the public firewall rules option or Azure private link come into play.

> For private access only, you would use VNET only.
> That way only resources in your virtual network can access the server.

I'd expect the azurerm_postgresql_virtual_network_rule to be the resource to achieve such access, but it seems to suffer from the FeatureSwitchNotEnabled issue too, see hashicorp/terraform-provider-azurerm#8534