Connect to Azure Private Endpoints via Astra Portal
To better protect your database connection, you can connect to a private endpoint using Astra Portal.
For details about using API calls instead, see Connect to Azure Private Link with the DevOps API.
This information applies only to serverless databases.
For pricing related to using private endpoints, see Pricing and billing.
The following roles can manage private endpoints:
- Organization Administrator
- Database Administrator
Alternatively, you can use a custom role with permissions to manage private endpoints.
For more about Azure Private Endpoints, see What is Azure Private Endpoint?.
Prerequisites
- Access to your existing Azure subscription and account.
- Create your Astra DB database using Astra Portal.
- Ensure you have permission to manage private endpoints.
To increase your security, restrict public access to your database using the access list.
Creating and referencing endpoint values between Microsoft Azure portal and Astra Portal
Setting up the connection between Azure portal and Astra DB private endpoints involves a few steps in both venues.
Let’s start in Astra Portal
- On your organization’s Astra DB dashboard, click the link for your active, Azure-based database.
- Navigate to your database’s Settings tab, and notice the Private Endpoints section. At this point, no endpoints have been linked.
- Click Configure Region and enter your Azure account’s Subscription ID. To find the Subscription ID, open your account in the Azure portal, click the Subscriptions icon under Azure Services, and copy the displayed Subscription ID.
- After entering the Azure Subscription ID, click Configure Region.
- Astra Portal displays an updated Private Endpoints section, including a generated Service Name.
- Click Add Endpoint.
- On Add Private Endpoint, copy the generated Service Name.
At this point, we have a generated Service Name, but do not yet have an ID from Azure’s private endpoint to paste into the Endpoint ID field.
In Astra Portal, keep the Add Private Endpoint dialog open. We’ll return here with an Endpoint ID after creating it in Azure portal.
Switch over to Azure portal
- After authenticating into Azure portal, navigate to Create a resource.
- Navigate to Private Endpoint.
- Click Create.
- On Basics:
  - Select your Subscription.
  - Specify an existing Resource group or create a new one.
  - Give a name to your private endpoint instance.
  - Specify the region. Note that Astra DB with Azure can perform cross-region connectivity, or both may use the same region for intra-region connectivity.
- On Resource:
  - Select an option such as Connect to an Azure resource by resource ID or alias.
  - Paste into Resource ID or alias the Service Name value that you copied from Astra Portal.
  - Optionally add request message text.
- On Virtual Network:
  - Choose a Virtual network.
  - Choose a Subnet.
- On DNS, decide if you want to integrate with a private DNS zone.
- On Tags, optionally enter name/value pairs to categorize resources and subsequently view consolidated billing.
- On Review and create, check the settings you’ve entered. If the values are acceptable, click Create.
- Once validated, Azure portal displays a summary page for the added private endpoint. Copy the generated endpoint’s Resource ID, which you’ll later paste into the Add Private Endpoint dialog in Astra Portal. To get the Resource ID:
  - Click Go to resource and navigate to the Properties page for the private endpoint; copy the Resource ID to your clipboard.
  - Or download the deployment.json file provided by Azure portal (on your created private endpoint’s page) and look for the primaryResourceId value. Format example: /subscriptions/<your alphanumeric values here>/resourcegroups/astra-db-azure-private-endpoint-test-westus/providers/Microsoft.Network/privateEndpoints/myPrivateEndpoint
Return to Astra Portal
Back in Astra Portal, return to the Add Private Endpoint dialog that’s available from your database’s Settings.
- In the Endpoint ID form field, paste in the copied Resource ID value. Also enter a brief description for your Astra DB / Azure endpoint.
- Click Add Endpoint.
Astra DB displays the result.
Your private endpoint is defined. However, notice the warning message if you have not taken further action in your Astra DB Settings.
You’ve set up a private endpoint for this database, but access to your database is still open to the public. Learn how to Manage access lists for public access by using the IP Access List options in Astra Portal Settings. You can enable the Restrict public access toggle, and you can manage endpoints with one or more access lists.
Create a DNS entry for your private endpoint
You can alias your private endpoint with a DNS record to use as your hostname in the Astra DB secure connect bundle. Here are the steps:
- Download your secure connect bundle for the region of your choice. Get your latest secure connect bundle.
- Unzip the secure connect bundle.
- In config.json, copy the host key’s value.
- In Azure portal, for your private endpoint, create a DNS entry for the host key’s value and map it to your virtual IP address. Update the domains to use REST and CQL. Examples:
  efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.apps.astra.datastax.com
  efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.db.astra.datastax.com
For detailed steps, see Quickstart: Create an Azure private DNS zone using the Azure portal.
Once those steps are completed, you can connect to your private endpoint using your updated secure connect bundle. For more, see Drivers for Astra DB.
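The following check for the DNS steps above is an added example, not DataStax code: it reads the host value from a bundle's config.json, derives the REST and CQL names, and reports whether each name resolves inside the subnet chosen for the private endpoint. The sample host, the 10.0.0.0/24 subnet, the stub DNS answers and all function names are constructed for illustration, and the `.db.`/`.apps.` derivation is an assumption based on the two example names above.

```python
import io, ipaddress, json, socket, zipfile

# Constructed sample value; a real host comes from your own bundle's config.json.
SAMPLE_HOST = "00000000-0000-0000-0000-000000000000-westus2.db.astra.datastax.com"

def sample_bundle():
    """Constructed stand-in for a secure connect bundle: a zip holding config.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("config.json", json.dumps({"host": SAMPLE_HOST}))
    return buf.getvalue()

def bundle_host(bundle_bytes):
    """Return the `host` value from config.json inside the bundle."""
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as z:
        return json.loads(z.read("config.json"))["host"]

def endpoint_names(host):
    """Derive the CQL (.db.) and REST (.apps.) names for one host.
    Assumption: both names share prefix and domain, as in the page's two examples."""
    prefix, _, rest = host.partition(".")
    kind, _, domain = rest.partition(".")
    if kind not in ("db", "apps") or not domain:
        raise ValueError(f"unexpected host format: {host!r}")
    return [f"{prefix}.{k}.{domain}" for k in ("db", "apps")]

def resolve(name):
    """Resolve a name with the system resolver; returns sorted unique addresses."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})

def check_names(names, subnet, resolver=resolve):
    """Map each name to (addresses, ok). ok is True only when the name resolves
    and every address lies inside the private endpoint's subnet."""
    net = ipaddress.ip_network(subnet)
    report = {}
    for name in names:
        try:
            addrs = resolver(name)
        except OSError:  # socket.gaierror is a subclass: the name did not resolve
            addrs = []
        ok = bool(addrs) and all(ipaddress.ip_address(a) in net for a in addrs)
        report[name] = (addrs, ok)
    return report

if __name__ == "__main__":
    names = endpoint_names(bundle_host(sample_bundle()))
    # Constructed answers: .db. points into the VNet subnet, .apps. does not.
    fake_dns = {names[0]: ["10.0.0.5"], names[1]: ["198.51.100.7"]}
    for name, (addrs, ok) in check_names(names, "10.0.0.0/24", fake_dns.__getitem__).items():
        print("OK  " if ok else "FAIL", name, addrs)
```

To check a real setup, run `check_names` from a host inside the virtual network with the default resolver and your own subnet; a failing name has no DNS entry mapped to the private endpoint's address.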
Remove a private endpoint
In Azure portal:
- In Azure portal, navigate to your private endpoint resource.
- Click the Delete icon.
In Astra Portal:
- Go to the Settings tab for your database.
- Choose the endpoint you want to remove.
- Click Delete.
What’s next?
- Refer to related topics for other cloud providers that are linked from Connect via a private endpoint.
- Learn how to Manage access lists for public access.
- For more about Azure Private Endpoints, see What is Azure Private Endpoint?.