Background
A Private Link Service is created automatically for every cluster that uses a private network in Azure. The Connecting from Azure documentation gives an example of creating an Azure Private Endpoint in the same Azure tenant. This article shows how to connect to the cluster with an Azure Private Endpoint in a different Azure account.
High-Level Steps
Step 1 Get Alias of the Private Link Service
Step 2 Create a Private Endpoint in a different account
Step 3 Approve the connection at the Private Link Service side
Step 4 Create an Azure Private DNS Zone for the private endpoint (same as in Connecting from Azure)
Step 5 Access the cluster (same as in Connecting from Azure)
Example
Cluster
Account: Tenant 1
Cluster ID: p-7m89c7fmwl
Org ID: KJS1ac8Czj9EBUwb
Project ID: KJS1ac8Czj9EBUwb
Region: West US2
Linux client VM called vm-client:
Account: Tenant 2
Resource group: rg-client
Virtual network: vnet-client
Virtual network subnet: snet-client
If you have enabled read-only for the cluster, you will see two private link services, as below:
1. p-7m89c7fmwl-rw-internal-lb
2. p-7m89c7fmwl-ro-internal-lb
Apply the same steps to each private link service. Here we use p-7m89c7fmwl-rw-internal-lb as the example.
Step 1 Get Alias of the Private Link Service
1. Go to Tenant 1's Azure Portal -> Private Link Center -> Private Link Services, and search for p-7m89c7fmwl.
2. Click the Private Link Service p-7m89c7fmwl-rw-internal-lb and note its alias (it is needed in Step 2).
The alias can also be obtained from the Azure CLI:
❯ az network private-link-service list --query "[?name=='p-7m89c7fmwl-rw-internal-lb'].alias" -o tsv
p-7m89c7fmwl-rw-internal-lb.732bfe3c-1e39-4eaf-9104-cd58f7e1b104.westus2.azure.privatelinkservice
Step 2 Create a Private Endpoint in a different account
1. In Tenant 2's Azure portal, go to Private Link Center and create a Private Endpoint.
2. In the 'Basics' tab, choose the resource group of the VM and enter a name for the Private Endpoint.
3. In the 'Resources' tab, choose 'Connect to an Azure resource by resource ID or alias' and enter the alias from Step 1.
4. In the 'Virtual Network' tab, choose the vnet used by your VM.
5. The other tabs have no restrictions; you can leave them at their default settings.
6. Create the Private Endpoint.
Step 3 Approve the connection at the Private Link Service side
1. Log in to Tenant 1's portal again and find the private link service used above.
2. Go to Private Endpoint Connections and approve the connection from the private endpoint.
Step 4 Create an Azure Private DNS Zone for the private endpoint
EDB strongly recommends using a private Azure DNS zone with the private endpoint to establish a connection with a cluster, because TLS certificates can't be validated with verify-full when connecting to an IP address.
The procedure is the same as Step 2 of Connecting from Azure: Create an Azure Private DNS Zone for the private endpoint.
Step 5 Accessing the cluster
Get the IP address of the endpoint (the endpoint's private IP is on its network interface, so look up the NIC first):
NICID=$(az network private-endpoint show -n "$Endpoint" -g "$Resource_Group" --query "networkInterfaces[0].id" -o tsv)
IP_address=$(az network nic show -n "${NICID##*/}" -g "$Resource_Group" --query "ipConfigurations[0].privateIpAddress" -o tsv)
Access the cluster via IP address:
psql -h $IP_address -p 5432 -U edb_admin
Access the cluster via hostname if you completed Step 4 (Create an Azure Private DNS Zone for the private endpoint):
psql -h $hostname -p 5432 -U edb_admin
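Steps 2 to 5 above can also be run from the Azure CLI. The script below is an added example, not part of the article or of EDB's tooling: it uses the Tenant 2 names from the example, while the endpoint name (pe-client), connection name (conn-client), region, cluster FQDN and the rule that the DNS zone is the FQDN minus its first label are assumptions. The manual request in Step 2 is what keeps the Tenant 1 owner in control: nothing flows until the connection is approved there, and the private DNS zone in Step 4 is what lets psql verify the server certificate instead of trusting a bare IP.

```shell
#!/usr/bin/env bash
# Added example: Steps 2 to 5 of the article as Azure CLI calls.
# Set AZ=echo to print the commands instead of running them (dry run).
set -eu
AZ="${AZ:-az}"

# Tenant 2 names from the article; endpoint/connection names and region are assumed.
RG="rg-client"; VNET="vnet-client"; SUBNET="snet-client"; LOCATION="westus2"
PE_NAME="pe-client"; CONN_NAME="conn-client"

# Step 2 (Tenant 2): create the private endpoint from the PLS alias. Because the
# service sits in another tenant, the request is manual and waits for approval.
create_private_endpoint() {  # $1 = PLS alias from Step 1
  $AZ network private-endpoint create -g "$RG" -n "$PE_NAME" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$SUBNET" --private-connection-resource-id "$1" \
    --connection-name "$CONN_NAME" --manual-request true
}

# Step 3 (Tenant 1): list pending connections on the PLS, then approve one by name.
pending_connections() {  # $1 = PLS name, $2 = PLS resource group
  $AZ network private-link-service show -g "$2" -n "$1" -o tsv --query \
    "privateEndpointConnections[?privateLinkServiceConnectionState.status=='Pending'].name"
}
approve_connection() {  # $1 = PLS name, $2 = PLS resource group, $3 = connection name
  $AZ network private-link-service connection update -g "$2" --service-name "$1" \
    -n "$3" --connection-status Approved
}

# Step 5: the endpoint's private IP is on its NIC, as in the article.
endpoint_private_ip() {
  local nic_id
  nic_id=$($AZ network private-endpoint show -g "$RG" -n "$PE_NAME" \
    --query "networkInterfaces[0].id" -o tsv)
  $AZ network nic show -g "$RG" -n "${nic_id##*/}" \
    --query "ipConfigurations[0].privateIpAddress" -o tsv
}

# Step 4: private DNS zone, VNet link and A record, so psql can connect by
# hostname and use sslmode=verify-full. Assumes zone = FQDN minus its first label.
create_private_dns() {  # $1 = cluster FQDN, $2 = endpoint private IP
  local zone="${1#*.}" host="${1%%.*}"
  $AZ network private-dns zone create -g "$RG" -n "$zone"
  $AZ network private-dns link vnet create -g "$RG" -z "$zone" -n "link-$VNET" \
    -v "$VNET" -e false
  $AZ network private-dns record-set a add-record -g "$RG" -z "$zone" -n "$host" -a "$2"
}
```

Run Step 3 with credentials for Tenant 1 and the other steps with credentials for Tenant 2; `AZ=echo ./script.sh` shows every command before anything is created.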
Reminder
Remove the connections at the Private Link Service before you delete the cluster or switch its network to Public. You can also delete the private endpoint directly.