I'm working with a multi-tenant AKS cluster where each app team only has access to their specific namespace and can't access our virtual network (VNet) or subscription. Recently, one team set up their own Azure Postgres and wants to connect to it from their AKS pods. Our cluster is a private one, meaning all AKS subnet traffic goes through a firewall before reaching the internet. The app team created a firewall rule allowing traffic from our AKS subnet to their Postgres IP (e.g., 6.3.5.89) on port 5432, but they're still having connection issues. Is there a way to make this work using private endpoints? They cannot create private endpoints in our VNet due to access restrictions. Any suggestions on how we can achieve this?
1 Answer
Your setup sounds reasonable! We have managed to connect AKS private clusters to various private endpoint resources, including Postgres. One thing to check is whether your Azure Postgres instance has a private endpoint configured. Make sure that it is set up to allow connections from the public IP of your firewall.
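The check the answer describes can be automated from inside a pod. The following is an added diagnostic script, not code from the question or the answer: it resolves the Postgres FQDN (a constructed name, `team-pg.postgres.database.azure.com`, is assumed) and classifies the path the connection would take. If the name resolves to an address inside the VNet, a private endpoint and its private DNS zone are in effect and the egress firewall is not involved; if it resolves to a public address, the connection leaves through the firewall, and the Postgres-side rule must then allow the firewall's SNAT public IP rather than the AKS subnet range, which is the mismatch the question describes. The resolver and connect functions are injectable so the logic can be exercised offline.

```python
"""Diagnose which path an AKS pod takes to an Azure Postgres server.

Added example (not from the question or answer). Assumes the server is
reached by FQDN; the name below is constructed for illustration.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List

POSTGRES_PORT = 5432
EXAMPLE_HOST = "team-pg.postgres.database.azure.com"  # constructed name


@dataclass
class Diagnosis:
    host: str
    addresses: List[str]
    path: str        # "private-endpoint", "public-via-firewall", "mixed", "unresolved"
    reachable: bool
    advice: str


def classify_path(addresses: List[str]) -> str:
    """All-private answers mean a private endpoint (privatelink DNS) is in effect;
    all-public answers mean traffic will egress through the firewall."""
    if not addresses:
        return "unresolved"
    ips = [ipaddress.ip_address(a) for a in addresses]
    if all(ip.is_private for ip in ips):
        return "private-endpoint"
    if all(ip.is_global for ip in ips):
        return "public-via-firewall"
    return "mixed"


def default_resolve(host: str) -> List[str]:
    """Resolve via the pod's DNS (CoreDNS forwarding to Azure DNS)."""
    try:
        infos = socket.getaddrinfo(host, POSTGRES_PORT, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def default_connect(address: str, port: int = POSTGRES_PORT, timeout: float = 3.0) -> bool:
    """True if a plain TCP handshake to address:port succeeds (no SQL auth attempted)."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


ADVICE = {
    "private-endpoint": (
        "FQDN resolves to a VNet address: the private endpoint path is used and the egress "
        "firewall is not in the path. If unreachable, check the private DNS zone VNet link, "
        "NSGs on the AKS subnet, and any route table on that subnet."
    ),
    "public-via-firewall": (
        "FQDN resolves to a public address: traffic egresses through the firewall, so the "
        "Postgres firewall rule must allow the firewall's public (SNAT) IP, not the AKS subnet "
        "range, and the egress firewall must permit TCP/5432 to this address."
    ),
    "mixed": "Resolution mixes private and public addresses; check split-horizon DNS.",
    "unresolved": "Name does not resolve from the pod; check CoreDNS and the private DNS zone.",
}


def diagnose(
    host: str,
    resolve: Callable[[str], List[str]] = default_resolve,
    connect: Callable[[str], bool] = default_connect,
) -> Diagnosis:
    addresses = resolve(host)
    path = classify_path(addresses)
    reachable = any(connect(a) for a in addresses)
    return Diagnosis(host, addresses, path, reachable, ADVICE[path])


if __name__ == "__main__":
    import sys
    d = diagnose(sys.argv[1] if len(sys.argv) > 1 else EXAMPLE_HOST)
    print(f"{d.host} -> {d.addresses or 'no answer'} [{d.path}] reachable={d.reachable}")
    print(d.advice)
```

Run it from a pod in the team's namespace with the real FQDN as the argument; the path it reports tells you which rule set (private DNS zone and NSGs, or egress firewall and Postgres public firewall rule) to inspect next.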

Could you share more details on how you did it? Are your AKS and Postgres in different subscriptions, and do you use a private endpoint for the connection? Where do you create the private endpoint, in the AKS subnet or in the Postgres subnet?