Add Private Link to PostgreSQL and remove broad Azure services firewall rule

tjementum · tjementum · commit 51e46b9b67ce · 2026-03-16T01:06:54.000+01:00
diff --git a/cloud-infrastructure/cluster/grant-database-permissions.sh b/cloud-infrastructure/cluster/grant-database-permissions.sh
@@ -11,7 +11,12 @@ POSTGRES_HOST=$POSTGRES_SERVER_NAME.postgres.database.azure.com
 
 cd "$(dirname "${BASH_SOURCE[0]}")"
 
-# Get an access token for PostgreSQL using the current Azure CLI identity
+export CLUSTER_RESOURCE_GROUP_NAME
+export POSTGRES_SERVER_NAME
+export DATABASE_NAME
+trap '. ./firewall.sh close' EXIT
+. ./firewall.sh open
+
 ACCESS_TOKEN=$(az account get-access-token --resource-type oss-rdbms --query accessToken --output tsv)
 
 echo "$(date +"%Y-%m-%dT%H:%M:%S") Granting $MANAGED_IDENTITY_NAME (Client ID: $MANAGED_IDENTITY_CLIENT_ID) permissions on $POSTGRES_HOST/$DATABASE_NAME database"
diff --git a/cloud-infrastructure/cluster/main-cluster.bicep b/cloud-infrastructure/cluster/main-cluster.bicep
@@ -150,7 +150,10 @@ module postgresServer '../modules/postgresql-flexible-server.bicep' = {
     name: clusterResourceGroupName
     tags: tags
     tenantId: subscription().tenantId
+    subnetId: subnetId
+    virtualNetworkId: virtualNetwork.outputs.virtualNetworkId
   }
+  dependsOn: [virtualNetwork]
 }
 
 var isCustomDomainSet = domainName != ''
diff --git a/cloud-infrastructure/modules/postgresql-flexible-server.bicep b/cloud-infrastructure/modules/postgresql-flexible-server.bicep
@@ -2,6 +2,8 @@ param name string
 param location string
 param tags object
 param tenantId string
+param subnetId string
+param virtualNetworkId string
 
 resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2025-08-01' = {
   name: name
@@ -35,12 +37,56 @@ resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2025-08-01' =
   }
 }
 
-resource postgresVirtualNetworkRule 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2025-08-01' = {
-  parent: postgresServer
-  name: 'allow-azure-services'
+resource privateDnsZone 'Microsoft.Network/privateDnsZones@2024-06-01' = {
+  name: 'privatelink.postgres.database.azure.com'
+  location: 'global'
+  tags: tags
+}
+
+resource privateDnsZoneVnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2024-06-01' = {
+  parent: privateDnsZone
+  name: '${name}-vnet-link'
+  location: 'global'
+  properties: {
+    virtualNetwork: {
+      id: virtualNetworkId
+    }
+    registrationEnabled: false
+  }
+}
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2025-01-01' = {
+  name: '${name}-postgres-private-endpoint'
+  location: location
+  tags: tags
+  properties: {
+    subnet: {
+      id: subnetId
+    }
+    privateLinkServiceConnections: [
+      {
+        name: '${name}-postgres-connection'
+        properties: {
+          privateLinkServiceId: postgresServer.id
+          groupIds: ['postgresqlServer']
+        }
+      }
+    ]
+  }
+}
+
+resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2025-01-01' = {
+  parent: privateEndpoint
+  name: 'default'
   properties: {
-    startIpAddress: '0.0.0.0'
-    endIpAddress: '0.0.0.0'
+    privateDnsZoneConfigs: [
+      {
+        name: 'postgres'
+        properties: {
+          privateDnsZoneId: privateDnsZone.id
+        }
+      }
+    ]
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -150,7 +150,10 @@ module postgresServer '../modules/postgresql-flexible-server.bicep' = {`
`150`	`150`	`name: clusterResourceGroupName`
`151`	`151`	`tags: tags`
`152`	`152`	`tenantId: subscription().tenantId`
	`153`	`+ subnetId: subnetId`
	`154`	`+ virtualNetworkId: virtualNetwork.outputs.virtualNetworkId`
`153`	`155`	`}`
	`156`	`+ dependsOn: [virtualNetwork]`
`154`	`157`	`}`
`155`	`158`
`156`	`159`	`var isCustomDomainSet = domainName != ''`