Connect to Azure Private Link with the DevOps API
To better protect your database connection, you can connect to a private endpoint using the Astra DB private endpoint.
For pricing related to using private endpoints, see Pricing and billing.
The following roles can manage private endpoints:
- Organization Administrator
- Database Administrator
Alternatively, you can use a custom role with permissions to manage private endpoints.
Prerequisites
- Ensure you have permission to manage private endpoints.

To increase your security, consider restricting public access to your database using the access list.
Connect to your Azure Private Link endpoint
- Get the allowed principal from your Azure account. This is your Subscription ID.
- Enter your Subscription ID as the allowed principal for your private endpoints to Astra DB:

```bash
curl --request POST \
  --url 'https://api.astra.datastax.com/v2/organizations/clusters/<databaseID>/datacenters/<datacenterID>/private-link' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>' \
  --data '{ "allowedPrincipals": [ "9cbbd094-fa31-490f-863d-897d01661681" ] }'
```

To confirm your datacenter ID, see your database Dashboard or use the DevOps API to get all datacenter IDs within your database.

Response:

```json
{
  "serviceName": "test.a51y2a51-f9j4-4ad2-l863-67e5ac6g10m.westus2.azure.privatelinkservice",
  "allowedPrincipals": [ "9cbbd094-fa31-490f-863d-897d01661681" ]
}
```
- In your Azure Private endpoints, select Add.
- Select your Subscription and then your Resource group for your project.
- Enter your private endpoint name.
- Select the region for your private endpoint. This region should match your Astra DB region.
- Select Next: Resource.
- Select Connect to an Azure resource by resource ID or alias as your Connection method.
- Enter your serviceName as your Resource ID or alias.
- Select Next: Configuration.
- Select your Virtual network and Subnet from the menus.
- Select Review + create and then select Create to finish creating your private endpoint.
For more, see Create a Private Endpoint using the Azure portal. Alternatively, you can create a private endpoint using Azure CLI.
- Connect your Azure private endpoint connection. Your endpointID is the Resource ID for your private link endpoint, which is available in your Azure console by selecting JSON View for your private link endpoint. For example, /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.Network/privateEndpoints/$ENDPOINT_NAME.

```bash
curl --request POST \
  --url 'https://api.astra.datastax.com/v2/organizations/clusters/<databaseID>/datacenters/<datacenterID>/endpoints' \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <application_token>' \
  --data '{ "endpointID": "/subscriptions/a51y2a51-f9j4-4ad2-l863-67e5ac6g10m/resourceGroups/lab-resourceGroups/providers/Microsoft.Network/privateEndpoints/dev-poc", "description": "project-desc-dev-app" }'
```

Response:

```json
{
  "datacenters": [
    {
      "serviceName": "test.a51y2a51-f9j4-4ad2-l863-67e5ac6g10m.westus2.azure.privatelinkservice",
      "allowedPrincipals": [ "9cbbd094-fa31-490f-863d-897d01661681" ],
      "datacenterID": "string",
      "endpoints": [
        {
          "endpointID": "/subscriptions/a51y2a51-f9j4-4ad2-l863-67e5ac6g10m/resourceGroups/lab-resourceGroups/providers/Microsoft.Network/privateEndpoints/dev-poc",
          "description": "project-desc-dev-app",
          "status": "Accepted",
          "createdDateTime": "2021-04-10T23:00:00"
        }
      ]
    }
  ]
}
```
- Create a DNS entry for your private endpoint. For more, see:

Your Azure portal will show that it is in the approved state.
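As an added example (not part of the original page or the Astra DevOps API client), the two DevOps API calls above wrapped in a small Python helper that validates the inputs before anything is authorized: each allowed principal must look like a subscription GUID, the endpointID must have the Azure private endpoint resource ID shape, and the response is scanned for endpoints whose status is not "Accepted". The URL path, token and endpoint IDs used in the test are constructed placeholders; `urlopen` is injectable so the helper can be exercised offline.

```python
import json
import re
import urllib.request

API = "https://api.astra.datastax.com/v2/organizations/clusters"
GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
# Azure resource ID of a private endpoint, as shown in the portal's JSON View.
ENDPOINT_ID = re.compile(
    rf"^/subscriptions/({GUID})/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Network/privateEndpoints/[^/]+$", re.IGNORECASE)


def private_link_body(subscription_ids):
    """Body for POST .../private-link. Rejects anything that is not a subscription
    GUID so a typo cannot silently authorize an unintended principal."""
    bad = [s for s in subscription_ids if not re.fullmatch(GUID, s, re.IGNORECASE)]
    if bad:
        raise ValueError(f"not subscription IDs: {bad}")
    return {"allowedPrincipals": list(subscription_ids)}


def endpoint_body(endpoint_id, description):
    """Body for POST .../endpoints; checks the resource ID shape first."""
    if not ENDPOINT_ID.match(endpoint_id):
        raise ValueError(f"not a private endpoint resource ID: {endpoint_id!r}")
    return {"endpointID": endpoint_id, "description": description}


def devops_post(path, token, body, urlopen=urllib.request.urlopen):
    """POST a JSON body to the DevOps API and return the parsed response.
    urlopen is injectable so the call can be tested without network access."""
    req = urllib.request.Request(
        f"{API}/{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Accept": "application/json",
                 "Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})
    with urlopen(req) as resp:
        return json.load(resp)


def pending_endpoints(response):
    """Endpoint IDs in an .../endpoints response (shape as on this page) whose
    status is not 'Accepted'; these still need approval before traffic flows."""
    return [e["endpointID"]
            for dc in response.get("datacenters", [])
            for e in dc.get("endpoints", [])
            if e.get("status") != "Accepted"]
```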
Remove a private endpoint
- Delete a private endpoint from your Astra DB:
- Remove your connection from your Azure portal:
  - In the Azure VPC console, select Private Link Center > Private endpoints.
  - Select the checkbox beside the private endpoint you want to remove.
  - Select Remove.

Or with Azure PowerShell:

```powershell
Remove-AzPrivateEndpointConnection -Name myPrivateEndpointConnection1 -ResourceGroupName myResourceGroup -ServiceName myPrivateLinkServiceName
```