We are announcing today that DNS Zone linking is no longer enforced when creating Azure Database for PostgreSQL - Flexible Server.
What is Azure Private DNS and why do I need it?
Azure Private DNS provides a reliable and secure DNS service for your virtual network. Azure Private DNS manages and resolves domain names in the virtual network without the need to configure a custom DNS solution.
When using private network access with an Azure virtual network, providing the private DNS zone information is mandatory. Therefore, when creating a new Azure Database for PostgreSQL Flexible Server with private network access, a private DNS zone must be supplied while configuring the server. See the REST API specifications for Microsoft Azure for more information.
For Postgres Flexible Server you create private DNS zones that end with .postgres.database.azure.com. If you choose to use the form [name].postgres.database.azure.com, the name can't be the name you use for one of your flexible servers, or an error message will be shown during provisioning. For more information, see the private DNS zones overview.
Why link Private DNS Zone to private network (VNET)?
After you create a private DNS zone in Azure, you'll need to link a virtual network to it. Once linked, resources hosted in that virtual network can access the private DNS zone.
To link a private DNS zone to a virtual network, follow these steps:
- Sign in to the Azure portal at https://portal.azure.com.
- In the search bar, search for and select Private DNS zones.
- Click the name of the private zone you wish to link.
- Click the Virtual network links blade.
- Click + Add.
- Provide a name for the association, because the private DNS zone can be linked with multiple virtual networks.
- In the Subscription dropdown, select the subscription where the virtual network is located.
- In the Virtual network dropdown, select the virtual network to make the association with. If you do not have direct access to the virtual network, and the virtual network is in a different subscription that you do not manage, select the I know the resource ID of the virtual network checkbox and obtain the full path from the other subscription owner.
- If you want auto-registration of resources in the virtual network with the private DNS zone, select the checkbox. However, this will prevent the virtual network from being linked to any other private DNS zone.
You can see an example of this Azure Portal blade in the figure below:
Figure 1. Private DNS Zone VNET Link Azure Portal Screen
In the past, when creating an Azure Postgres Flexible Server with private networking, we enforced linking before the server could be created. To make the experience easier for customers creating a new Azure Postgres Flexible Server in the Portal, we would attempt to automatically create a link between the Azure Private DNS zone the customer picked in the dropdown and the virtual network (VNET) where the server would reside. Together with the ability to create a new private DNS zone on the fly by picking that option in the DNS zone dropdown, this gave customers a very flexible way to make sure name resolution in their private networking was configured correctly.
When creating Azure Database for PostgreSQL Flexible Server with private network access via programmatic methods, such as the Azure API, ARM, or Terraform, customers had to create the private DNS zones and link them in code in order to make sure name resolution was correct.
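As an added illustration (not code from the original post), this is the Terraform shape the programmatic path above required: a zone ending in .postgres.database.azure.com, a VNET link with auto-registration left off, and a server that depends on that link so the link exists before the server is created. The resource names, address space and the var.admin_password variable are assumed placeholders.

```hcl
resource "azurerm_resource_group" "rg" {
  name     = "rg-pgflex-demo"
  location = "eastus"
}
resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-pgflex-demo"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.10.0.0/16"]
}
# Subnet delegated to Flexible Server, as private access requires
resource "azurerm_subnet" "pg" {
  name                 = "snet-pgflex"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.1.0/24"]
  delegation {
    name = "pgflex"
    service_delegation {
      name    = "Microsoft.DBforPostgreSQL/flexibleServers"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
    }
  }
}
# Zone label must differ from the server name or provisioning fails
resource "azurerm_private_dns_zone" "pg" {
  name                = "demo-zone.postgres.database.azure.com"
  resource_group_name = azurerm_resource_group.rg.name
}
# Auto-registration off: the VNET can still link to other private zones
resource "azurerm_private_dns_zone_virtual_network_link" "pg" {
  name                  = "link-vnet-pgflex-demo"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.pg.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
  registration_enabled  = false
}
# depends_on orders the link before the server, matching the old enforcement
resource "azurerm_postgresql_flexible_server" "pg" {
  name                   = "pgflex-demo-server"
  resource_group_name    = azurerm_resource_group.rg.name
  location               = azurerm_resource_group.rg.location
  version                = "14"
  delegated_subnet_id    = azurerm_subnet.pg.id
  private_dns_zone_id    = azurerm_private_dns_zone.pg.id
  administrator_login    = "pgadmin"
  administrator_password = var.admin_password
  sku_name               = "GP_Standard_D2s_v3"
  depends_on             = [azurerm_private_dns_zone_virtual_network_link.pg]
}
```

With linking no longer enforced at creation, omitting the link resource no longer fails the deployment, but the server's name will not resolve from the VNET until some link or alternative resolution path is in place.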
What changed with the latest release?
However, a number of customers deploying Hub and Spoke networking in Azure with Postgres Flexible Server asked us to remove validation of DNS zone linking during server creation, as they use alternative methods for name resolution. At the same time, a number of our smaller customers do take advantage of the integrated DNS link creation functionality during server creation using the Azure Portal.
Therefore, it was decided to make DNS linking optional in the Portal and to no longer enforce the presence of a link between the private DNS zone and the VNET when creating Postgres Flex Server via programmatic methods.
You can see the additional checkbox added to the Azure Portal Postgres Flex Server networking screen, which allows the customer to decide whether a link should be created between the VNET and the DNS zone picked in the dropdown on the same screen:
Figure 2. Azure Postgres Flexible Server networking screen showing new Link DNS checkbox.
For more information on private DNS zones and name resolution with PostgreSQL Flexible Server using private networking, see the following:
- Networking overview with Azure Database for PostgreSQL - Flexible Server
- What is Virtual Network DNS Link?
- What is Azure Private DNS?
- DNS Configuration Patterns for Azure Database for PostgreSQL - Flexible Server
To learn more about our Flexible Server managed service, see the Azure Database for PostgreSQL service page. We’re always eager to hear customer feedback, so please reach out to us at Ask Azure DB for PostgreSQL.