Azure VPC peering

You can use Microsoft Azure virtual network peering for C-tier and D-tier Classic databases hosted on Azure.

Prerequisites

  • An active Astra DB Classic database.

  • Administrative access or the ability to create virtual networks in your Azure account.

Create the virtual network

Establish the peering connection

To establish a peering connection for Azure and grant an Enterprise Application managed by Astra access to a peering connection, use the Azure CLI to run the following commands:

  1. Create a Service Principal in your Azure subscription for an existing Astra-managed Enterprise Application. The client to create connections is always 6f77e2ba-39c1-499f-93e1-afe815384a8f.

    - az ad sp create --id 6f77e2ba-39c1-499f-93e1-afe815384a8f

  2. Create a role.json file that defines the Service Principal’s required permissions to create a peering connection, get the status of the peering connection, and delete the connection:

    {
  "Name": "ROLE_NAME",
  "IsCustom": true,
  "Description": "ROLE_DESCRIPTION",
  "Actions": [
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
    "Microsoft.Network/virtualNetworks/peer/action"
  ],
  "AssignableScopes": [
    "/subscriptions/AZURE_SUBSCRIPTION_ID/resourceGroups/AZURE_RESOURCE_GROUP_NAME/providers/Microsoft.Network/virtualNetworks/AZURE_VIRTUAL_NETWORK_NAME"
  ]
}

    Replace the following:

    • ROLE_NAME: The name of the role defined in role.json. The role’s name can be anything, but whatever must match the <ROLE_NAME> when assigning the role with the az command.

    • ROLE_DESCRIPTION: The description of the role defined in role.json. The description can also be anything. Astra doesn’t use this description.

    • AZURE_SUBSCRIPTION_ID: The Azure subscription to which you will peer the Astra DB cluster.

    • AZURE_RESOURCE_GROUP_NAME: The Resource Group to which you will peer the Astra DB cluster.

    • AZURE_VIRTUAL_NETWORK_NAME: The Virtual Network to which you will peer the Astra DB cluster.

  3. Using role.json definitions, create a role in your subscription:

    - az role definition create --role-definition role.json

  4. Assign the new role to a service principal to your virtual network’s scope:

    - az role assignment create --role "ROLE_NAME" --assignee 6f77e2ba-39c1-499f-93e1-afe815384a8f --scope "/subscriptions/AZURE_SUBSCRIPTION_ID/resourceGroups/AZURE_RESOURCE_GROUP_NAME/providers/Microsoft.Network/virtualNetworks/AZURE_VIRTUAL_NETWORK_NAME"

Enable the connection in Astra

To enable the VPC peering connection in Astra, you need to attach the connection to your database, download the internal secure connect bundle for use with your VPC peering connection, and add your peering connection to your database’s IP access list.

  • Astra Portal

  • DevOps API

  1. In the Astra Portal navigation menu, click Databases, and then click the name of your database.

  2. Click Add Peering Connection.

  3. For Azure Tenant ID, enter the Azure tenant that your subscription belongs to.

  4. For Azure Subscription ID, Azure Resource Group Name, and Azure Virtual Network Name, enter the corresponding values from your role.json file.

  5. Click Initiate.

  6. After you initiate peering, click Download secure connect bundle for internal VPC network.

  7. Use the internal secure connect bundle to connect to the Astra DB database. This ensures the connection is routed through private IP addresses, not the open internet.

    You can use the internal secure connect bundle in the same way that you use a standard secure connect bundle to connect to your database.

  8. Add the VPC connection’s CIDR block to the database IP access list to ensure your application isn’t disconnected.

  1. Use the DevOps API to get VPC peering connection details for a database:

    curl -sS -L -X GET "https://api.astra.datastax.com/v2/peering/provider/azure/database/DATABASE_ID" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

    Replace the following:

  2. Use the DevOps API to create a VPC peering connection for a database:

    curl -sS -L -X POST "https://api.astra.datastax.com/v2/peering/provider/azure/database/DATABASE_ID" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"
--data '{
  "tenantId": "AZURE_TENANT_ID",
  "subscriptionId": "AZURE_SUBSCRIPTION_ID",
  "resourceGroupName": "AZURE_RESOURCE_GROUP_NAME",
  "virtualNetworkName": "AZURE_VIRTUAL_NETWORK_NAME"
}'

    Replace the following:

    • DATABASE_ID: The database ID.

    • APPLICATION_TOKEN: An application token with the Database Administrator role.

    • AZURE_TENANT_ID: The Azure tenant that your subscription belongs to.

    • AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUP_NAME, and AZURE_VIRTUAL_NETWORK_NAME: Enter the corresponding values from your role.json file.

      Result

      A successful request returns an object describing the new VPC peering connection:

      {
  "connectionId": "PEERING_CONNECTION_UUID",
  "status": "CONNECTION_STATUS",
  "currentVpc": {
    "provider": "azure",
    "account": "AZURE_SUBSCRIPTION_ID",
    "vpcId": "VPC_UUID",
    "cidrBlock": "137.187.23.0/24"
  },
  "otherVpc": {
    "provider": "azure",
    "account": "AZURE_SUBSCRIPTION_ID",
    "vpcId": "VPC_UUID",
    "cidrBlock": "137.187.23.0/24"
  }
}

  3. Download the secure connect bundle to connect to the Astra DB database. This internal secure connect bundle ensures the connection is routed through private IP addresses, not the open internet.

    You can use the internal secure connect bundle in the same way that you use a standard secure connect bundle to connect to your database.

  4. Add the VPC connection’s CIDR block to the database IP access list to ensure your application isn’t disconnected.

Remove a VPC peering connection

  1. Use the DevOps API to delete a VPC peering connection for a database:

    curl -sS -L -X DELETE "https://api.astra.datastax.com/v2/peering/provider/azure/database/DATABASE_ID" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json"

  2. If applicable, remove the disconnected peering connection from Azure.

Troubleshoot Azure VPC peering connections

If you get a Conflict Error: RemotePeeringIsDisconnected as the status for your peering connection, there is an existing Astra peering connection in your Azure virtual network in a Disconnected state. You must remove this peering connection to allow Astra to initiate a new, successful peering request. To resolve the issue, do the following:

  1. Delete the disconnected peering connection from your Azure virtual network.

  2. Delete the peering configuration from your Astra DB database.

  3. Repeat the process to establish a peering connection and enable it in Astra.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com