Skip to content

Governance Policies Azure Data Postgresql Flexible

Jump to bottom
Joshua Davis edited this page Apr 5, 2026 · 2 revisions

Postgresql Flexible

Governance policies for Postgresql Flexible

Domain: azure-data

Patterns

Name Description
PostgreSQL Flexible Server with Entra auth and VNet integration Production PostgreSQL with Entra-only auth, VNet integration, HA, and diagnostics

Anti-Patterns

Description Instead
Do not expose PostgreSQL to the public internet Use VNet integration with delegated subnet or private endpoints
Do not use password authentication when Entra auth is available Set passwordAuth to Disabled and use Entra authentication

References

Checks (4)

Check Severity Description
AZ-PG-001 Required Deploy PostgreSQL Flexible Server with Microsoft Entra authentication, VNet integration, and TLS 1.2
AZ-PG-002 Required Configure Entra admin for PostgreSQL Flexible Server
AZ-PG-003 Required Enable diagnostic settings for PostgreSQL audit and slow query logs
AZ-PG-004 Recommended Enable zone-redundant high availability for production databases

AZ-PG-001

Deploy PostgreSQL Flexible Server with Microsoft Entra authentication, VNet integration, and TLS 1.2

Severity: Required
Rationale: Entra auth centralizes identity; VNet integration eliminates public exposure; TLS 1.2 prevents downgrade attacks
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.DBforPostgreSQL/flexibleServers

Companion Resources

Resource Name Purpose
Microsoft.Network/virtualNetworks/subnets snet-postgresql Delegated subnet with Microsoft.DBforPostgreSQL/flexibleServers service delegation
Microsoft.Network/privateDnsZones privatelink.postgres.database.azure.com Private DNS zone for PostgreSQL Flexible Server VNet-integrated name resolution
Microsoft.Network/privateDnsZones/virtualNetworkLinks link-pg-dns VNet link connecting the PostgreSQL private DNS zone to the virtual network
Microsoft.DBforPostgreSQL/flexibleServers/administrators entra-admin Entra ID admin assignment enabling Azure AD authentication on the server
Microsoft.Insights/diagnosticSettings diag-postgresql Diagnostic settings routing PostgreSQL logs to Log Analytics

AZ-PG-002

Configure Entra admin for PostgreSQL Flexible Server

Severity: Required
Rationale: Entra admin is required for Entra authentication to function
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.DBforPostgreSQL/flexibleServers

Companion Resources

Resource Name Purpose
Microsoft.DBforPostgreSQL/flexibleServers pg-server Parent PostgreSQL server with activeDirectoryAuth enabled in authConfig

AZ-PG-003

Enable diagnostic settings for PostgreSQL audit and slow query logs

Severity: Required
Rationale: PostgreSQL logs track queries, connections, and errors for troubleshooting and compliance
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

Targets

  • Microsoft.DBforPostgreSQL/flexibleServers

Companion Resources

Resource Name Purpose
Microsoft.OperationalInsights/workspaces log-analytics Log Analytics workspace as destination for PostgreSQL diagnostic logs

AZ-PG-004

Enable zone-redundant high availability for production databases

Severity: Recommended
Rationale: Zone-redundant HA provides automatic failover with near-zero data loss across zones
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.DBforPostgreSQL/flexibleServers

Home

Getting Started

Stages

Interfaces

Configuration

Agent System

Features

Quality

Help

Governance

Policies — Azure

AI Services

Compute

Data Services

Identity

Management

Messaging

Monitoring

Networking

Security

Storage

Web & App

Policies — Well-Architected

Reliability

Security

Cost Optimization

Operational Excellence

Performance Efficiency

Integration

Anti-Patterns
Standards

Application

IaC

Principles

Transforms

Clone this wiki locally