
I am trying to run FusionAuth inside an Azure Container App and use Azure PostgreSQL Flexible Server for its configuration. I can access the FusionAuth instance via the Azure URL and it comes up with the maintenance mode screen for me to configure the database. I am having trouble, though, connecting to the Azure PostgreSQL instance.

I have added the Container Apps Environment to a Virtual Network and configured the Azure PostgreSQL server to use a subnet. I have delegated the Postgres instance to that subnet and a private DNS zone.

Everything deploys fine via Bicep with no errors but I still can't connect to the database from the container app.

Has anyone done this or something similar? Should I be using managed identities instead?

I'm a programmer not a DevOps person so this is pretty alien to me. Any help welcome. I can share Bicep files etc if required.

Some extra info:

The vNet has one subnet in which the PostgreSQL server is assigned and delegated. The container app environment is just configured with the vNet.

The FusionAuth container app ingress allows traffic from anywhere; should this be VNet?

I currently do not have any firewall rules. Examples I have looked at don't seem to use them.

Would I still need the vNet if I used Managed Identities?

  • Have you 1. Linked the DNS zone to the VNet? 2. Added a firewall rule to allow connections from the container subnet in your Postgres resource -> Networking? 3. Checked you're using the private DNS name of your server in your connection string, not the public one? Commented Jun 18, 2024 at 0:32
  • 1) Yes 2) No - do I need this? 3) Where can I see the private name? Happy to do a share session if it can help. Commented Jun 18, 2024 at 0:47
  • Perhaps this is the problem (link). I already created the CAE, so it will have its own VNet which can only reach internet-enabled endpoints. I think I need to re-create the environment but use the existing VNet. Commented Jun 18, 2024 at 2:10
  • You do need a rule in Postgres, yes. Go to your resource in the Portal, select Connection security, then you will see VNet rules. Select "add existing VNet" then select your container VNet. You do need the private DNS name. You can find this either by going to your private DNS zone and looking at records, or it may be on the Postgres overview page. Your CAE is probably fine. Networking is likely OK as long as you peered the networks. You could also use the same VNet as Postgres, just a different subnet, but not sure what your requirements are. Commented Jun 18, 2024 at 3:50
  • If the container app environment vNetConfiguration is set to internal:true, does this mean that there is no external internet access to any of the apps inside the container environment? Commented Jun 18, 2024 at 20:56

1 Answer

If you want to use a Consumption-only container app environment, then do NOT include the workloadProfile section in the subnet Bicep configuration. This means you don't need to add delegations.

I ended up setting up a Private Endpoint on my PostgreSQL Flexible Server resource (with all the additional trimmings of Private DNS Zone, Private DNS Zone Group etc.) onto the Container Apps VNet, thus giving access from the CAE to Postgres. I can then turn off Public Access to Postgres.
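The layout the answer describes, written out as one Bicep file. This is an added example, not the asker's or answerer's own Bicep: the resource names, address ranges, SKU, image tag and the FusionAuth `DATABASE_*` environment variable names are assumptions (the variable names follow FusionAuth's Docker documentation; check them against the version you run). The environment has no `workloadProfiles` block, so it is Consumption-only and its subnet carries no delegation; the database has public access disabled and is reached only through a private endpoint whose private DNS zone is linked to the same VNet.

```bicep
// Added example (not from the question or the answer). Names/ranges are assumptions.
param location string = resourceGroup().location
param baseName string = 'fusionauth'
param pgAdminLogin string = 'fusionauthadmin'
@secure()
param pgAdminPassword string

// One VNet, two subnets: a /23 for the Consumption-only environment (no delegation)
// and a small subnet that hosts the private endpoint's NIC.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: '${baseName}-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'cae', properties: { addressPrefix: '10.10.0.0/23' } }
      { name: 'pe', properties: { addressPrefix: '10.10.2.0/24' } }
    ]
  }
}

// No workloadProfiles property: Consumption-only, so the subnet needs no delegation.
resource cae 'Microsoft.App/managedEnvironments@2023-05-01' = {
  name: '${baseName}-env'
  location: location
  properties: {
    vnetConfiguration: {
      infrastructureSubnetId: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'cae')
      internal: false // the FusionAuth UI stays reachable from the internet; only the DB is private
    }
  }
}

// Flexible Server with public network access turned off; no VNet integration (delegated subnet).
resource pg 'Microsoft.DBforPostgreSQL/flexibleServers@2023-03-01-preview' = {
  name: '${baseName}-pg'
  location: location
  sku: { name: 'Standard_B1ms', tier: 'Burstable' }
  properties: {
    version: '15'
    administratorLogin: pgAdminLogin
    administratorLoginPassword: pgAdminPassword
    storage: { storageSizeGB: 32 }
    network: { publicNetworkAccess: 'Disabled' }
  }
}

// Private DNS zone for Postgres private link, linked to the VNet the CAE lives in.
// Without this link the server's FQDN resolves to a public IP and connections fail.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.postgres.database.azure.com'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: '${baseName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnet.id }
  }
}

resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${baseName}-pg-pe'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'pe') }
    privateLinkServiceConnections: [
      { name: 'pg', properties: { privateLinkServiceId: pg.id, groupIds: [ 'postgresqlServer' ] } }
    ]
  }
}

// Zone group: Azure writes the endpoint's A record into the private zone for you.
resource peDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'postgres', properties: { privateDnsZoneId: dnsZone.id } } ]
  }
}

resource app 'Microsoft.App/containerApps@2023-05-01' = {
  name: '${baseName}-app'
  location: location
  properties: {
    managedEnvironmentId: cae.id
    configuration: {
      ingress: { external: true, targetPort: 9011 } // FusionAuth listens on 9011
      secrets: [ { name: 'pg-password', value: pgAdminPassword } ]
    }
    template: {
      containers: [ {
        name: 'fusionauth'
        image: 'fusionauth/fusionauth-app:latest'
        env: [
          // Use the server's normal FQDN: inside the VNet the linked private zone resolves it
          // to the endpoint's 10.10.2.x address. sslmode=require keeps TLS on.
          { name: 'DATABASE_URL', value: 'jdbc:postgresql://${pg.properties.fullyQualifiedDomainName}:5432/fusionauth?sslmode=require' }
          { name: 'DATABASE_ROOT_USERNAME', value: pgAdminLogin }
          { name: 'DATABASE_ROOT_PASSWORD', secretRef: 'pg-password' }
          { name: 'SEARCH_TYPE', value: 'database' }
        ]
        resources: { cpu: json('1.0'), memory: '2Gi' }
      } ]
    }
  }
  dependsOn: [ peDns ] // make sure the private A record exists before the app first starts
}
```

A quick check after deployment: run `nslookup` (or `getent hosts`) against the server FQDN from inside a running replica with `az containerapp exec`. It should answer with an address from the `pe` subnet; a public IP means the private DNS zone is not linked to the VNet the environment uses, which is the failure mode the comments above describe. The private endpoint, not the authentication method, is what takes the database off the public network, so switching to managed identity later would not remove the need for this wiring.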
