
Azure PostgreSQL

This page describes how to securely connect a Ververica Cloud workspace to Azure Database for PostgreSQL using a private connection.

This procedure uses a User-Assigned Managed Identity (UAMI) with a Federated Credential, which enables Azure AD Workload Identity. This pattern allows Ververica Cloud to authenticate to Azure without client secrets or stored credentials.

Prerequisites

Before you begin, ensure you have the following:

  • An active Azure subscription where you can create resources. The Microsoft.Network resource provider must be registered.
  • An existing resource group to deploy the resources into.
  • Permissions in Azure to create PostgreSQL servers and User-Assigned Managed Identities, and to create and assign custom RBAC roles at the subscription (or resource-group) scope (e.g., Owner or User Access Administrator).
  • Access to your Ververica Cloud workspace to retrieve identity provider values and create the final connection.
  • Azure resources in the same region as your Ververica Cloud workspace’s data-plane. Private Link is regional; it cannot span Azure regions.

Phase 1: Provision Core Azure Resources

First, create the PostgreSQL server and the managed identity that will act on behalf of your Ververica workload.

Step 1: Create a PostgreSQL Server

  1. In the Azure Portal, navigate to Azure Database for PostgreSQL and click + Create.

  2. On the Basics tab, fill in the required details:

    • Subscription: Select your target subscription.
    • Resource group: Choose the appropriate resource group.
    • Server name: Enter a globally unique name.
    • Region: Select the Azure region for your server.
    • PostgreSQL version: Choose the version required by your apps.
    • Compute + storage: Choose a size appropriate for your workload.
    • Admin username / password: Record these securely (database auth is handled separately from the UAMI).
  3. On the Networking tab, you can leave Public access enabled temporarily for initial provisioning and testing. You can restrict/disable public access after private connectivity is verified.

  4. Proceed to Review + create, then click Create.

Step 2: Create a User-Assigned Managed Identity (UAMI)

Info: If you plan to configure multiple private connections (for Event Hubs, Blob, PostgreSQL, etc.), reuse the same UAMI for every Azure resource. This simplifies RBAC and avoids hitting federated-credential limits.

  1. In the Azure Portal, search for and select Managed Identities.

  2. Click + Create.

  3. On the Basics tab, provide the following:

    • Subscription: Select the same subscription used for your PostgreSQL server.
    • Resource group: Select the same resource group.
    • Region: Select the same region.
    • Name: Provide a descriptive name.
  4. Click Review + create, then Create.

Phase 2: Configure Permissions and Trust

For PostgreSQL, a custom role is required to grant the UAMI the minimum permissions to approve and manage Private Endpoint connections, without granting broad privileges.

Step 3: Create a Custom RBAC Role

  1. In the Azure Portal, navigate to Subscriptions and select your scope.

  2. Go to Access control (IAM) → + Add → Add custom role.

  3. On the Basics tab, give the role a Custom role name (e.g., Ververica PostgreSQL Private Endpoint).

  4. Go to the JSON tab and click Edit.

  5. In the role-definition JSON shown in the editor, set the permissions block to the following. These are the minimum actions required for managing the private endpoint connection on PostgreSQL.

    "permissions": [
      {
        "actions": [
          "Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnections/read",
          "Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnections/write",
          "Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnections/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  6. Click Save, then proceed to Review + create, and finally Create the custom role.

Scope note: Assign this custom role at the subscription or resource-group scope that contains your PostgreSQL server. (Server-level assignment is not supported for custom roles in this scenario.)

Step 4: Assign the Custom Role to the UAMI

  1. At the same scope where you created the role (subscription or resource group), open Access control (IAM).
  2. Click + Add → Add role assignment.
  3. Select the custom role you created (e.g., Ververica PostgreSQL Private Endpoint).
  4. On the Members tab, choose Managed identity → + Select members and pick the UAMI created in Step 2.
  5. Click Review + assign to apply the role.

Step 5: Create the Federated Credential

This step establishes the trust relationship between the UAMI in Azure and the Ververica Cloud service account.

  1. In your Ververica Cloud workspace, go to Configurations → Private Connections.

  2. Under Connection Details, copy the Cluster Issuer URL, Namespace, and Service Account values.

  3. In the Azure Portal, navigate to your Managed Identity.

  4. Select Settings → Federated credentials and click + Add Credential.

  5. For Federated credential scenario, select Kubernetes accessing Azure resources.

  6. Paste the values from Ververica Cloud into the corresponding fields:

    • Cluster issuer URL: Cluster Issuer URL value
    • Namespace: Namespace value
    • Service account name: Service Account value
  7. Give the credential a descriptive Name and click Add.
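The same Phase 2 configuration (Steps 3 to 5) driven from the az CLI, as an added example that is not part of the original page: the resource group, scope, identity and role names are placeholders, and ISSUER, NAMESPACE and SERVICE_ACCOUNT are the Connection Details values copied from Ververica Cloud. Note that the CLI role-definition JSON uses a top-level Actions list rather than the portal JSON tab's permissions wrapper, and that the federated credential's subject has to be spelled out as system:serviceaccount:<namespace>:<serviceAccount>.

```shell
# Added example, not the page's or Ververica's own code: Phase 2 (Steps 3-5) as
# az CLI commands. RG, SCOPE, UAMI_NAME, ROLE_NAME, ISSUER, NAMESPACE and
# SERVICE_ACCOUNT are placeholders for your values; ISSUER/NAMESPACE/SERVICE_ACCOUNT
# are the Connection Details shown in Ververica Cloud.
set -eu
RG="${RG:-<rg>}"
SCOPE="${SCOPE:-/subscriptions/<subId>/resourceGroups/<rg>}"   # subscription or RG scope
UAMI_NAME="${UAMI_NAME:-ververica-uami}"
ROLE_NAME="${ROLE_NAME:-Ververica PostgreSQL Private Endpoint}"

# Role definition in the az CLI layout (top-level "Actions", not the portal JSON
# tab's "permissions" wrapper). AssignableScopes must be the subscription or RG scope.
role_definition_json() {
  cat <<EOF
{
  "Name": "$1",
  "IsCustom": true,
  "Description": "Approve and manage Private Endpoint connections on PostgreSQL flexible servers",
  "Actions": [
    "Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnections/read",
    "Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnections/write",
    "Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnections/delete"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["$2"]
}
EOF
}

# Subject Entra ID matches against the workload's token in the "Kubernetes
# accessing Azure resources" scenario; the portal derives it from the Namespace
# and Service Account fields, the CLI needs it spelled out.
federated_subject() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Apply the three steps. Defined as a function so nothing calls az at load time.
apply_trust() {
  role_definition_json "$ROLE_NAME" "$SCOPE" > role.json
  az role definition create --role-definition @role.json
  principal_id=$(az identity show -g "$RG" -n "$UAMI_NAME" --query principalId -o tsv)
  az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal --role "$ROLE_NAME" --scope "$SCOPE"
  az identity federated-credential create --name ververica-cloud \
    --identity-name "$UAMI_NAME" --resource-group "$RG" --issuer "$ISSUER" \
    --subject "$(federated_subject "$NAMESPACE" "$SERVICE_ACCOUNT")" \
    --audiences api://AzureADTokenExchange
}
```

Run `apply_trust` after exporting ISSUER, NAMESPACE and SERVICE_ACCOUNT; the role assignment uses the UAMI's principalId (object ID), not its client ID.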

Phase 3: Finalize in Ververica Cloud

Complete the setup by registering the identity in Ververica and creating the connection object.

Step 6: Register the Azure Identity in Ververica

  1. In the Azure Portal, go to your UAMI’s Settings → Properties page.

  2. Copy the Client ID and Tenant ID.

  3. In Ververica Cloud (Configurations → Private Connections), paste the IDs into:

    • Azure Identity Provider Client ID
    • Current Azure Identity Provider Tenant ID
  4. Click Save. The status should become Ready.

Step 7: Create the Private Connection

  1. In the Ververica Cloud Private Connections tab, click + New Private Connection.

  2. Configure the details:

    • Connector Type: Select Azure Database for PostgreSQL.

    • Connection Name: Enter a name (e.g., postgresql-connection).

    • Service Name: Paste the Resource ID of your PostgreSQL server. To find the Resource ID: in the Azure Portal, open the server and use JSON View on the Overview page to copy the id value, for example:

      /subscriptions/<subId>/resourceGroups/<rg>/providers/Microsoft.DBforPostgreSQL/flexibleServers/<serverName>
  3. Click Save. After a brief period, the status should update to Created.

Step 8: Verify the Connection in Azure

Finally, confirm that the private endpoint was created and approved for your PostgreSQL server.

  1. Navigate to your PostgreSQL server in the Azure Portal.
  2. From the left menu, select Networking.
  3. Open Private endpoint connections.
  4. You should see a private endpoint with a Connection state of Approved.
  5. Verify DNS: the host <serverName>.postgres.database.azure.com should resolve to a private IP (via the Private DNS zone privatelink.postgres.database.azure.com if not auto-managed).
  6. (Recommended) Disable or restrict Public access on the Networking page once private access is verified.
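The checks in Step 8 scripted for a shell, as an added example that is not part of the original page: the server name and resource ID are placeholders, the DNS lookup uses glibc's getent, the endpoint state comes from the az CLI, and the private-IP test assumes the VNet uses RFC 1918 address space.

```shell
# Added example, not part of the original page: Step 8 checks from a shell. The
# server name and resource ID are placeholders; getent (glibc) does the lookup and
# the az CLI reads the endpoint state, so those two helpers need network access.
set -eu

# RFC 1918 test for the DNS check. Azure VNets normally use these ranges; if your
# VNet uses other address space, compare against that instead.
is_private_ip() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  case "$1" in
    10)  return 0 ;;
    172) if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi ;;
    192) if [ "$2" -eq 168 ]; then return 0; fi ;;
  esac
  return 1
}

# Resolve <serverName>.postgres.database.azure.com and require a private address,
# which shows the privatelink.postgres.database.azure.com zone is in effect.
check_private_dns() {
  host="$1.postgres.database.azure.com"
  addr=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
  [ -n "$addr" ] || { echo "no A record for $host" >&2; return 1; }
  if is_private_ip "$addr"; then
    echo "$host -> $addr (private)"
  else
    echo "$host -> $addr is PUBLIC: check the privatelink zone / VNet link" >&2
    return 1
  fi
}

# Connection state of every private endpoint attached to the server; Ververica's
# endpoint should report Approved. $1 is the server's resource ID, e.g.
# /subscriptions/<subId>/resourceGroups/<rg>/providers/Microsoft.DBforPostgreSQL/flexibleServers/<serverName>
check_endpoint_state() {
  az network private-endpoint-connection list --id "$1" \
    --query "[].{name:name, state:properties.privateLinkServiceConnectionState.status}" \
    -o table
}
```

Run check_private_dns from a network that is linked to the Private DNS zone (for example the Ververica data-plane VNet, or a peered VNet); from an unlinked network the name still resolves to the public address even when the endpoint is Approved.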