
DataStax Astra DB Serverless Documentation


Connect to Azure Private Endpoints via Astra Portal

To better protect your database connection, you can connect to a private endpoint using Astra Portal.

For details about using API calls instead, see Connect to Azure Private Link with the DevOps API.

This information applies only to serverless databases.

For pricing related to using private endpoints, see Pricing and billing.

The following roles can manage private endpoints:

  • Organization Administrator

  • Database Administrator

Alternatively, you can use a custom role with permissions to manage private endpoints.

For more about Azure Private Endpoints, see What is Azure Private Endpoint?.

Prerequisites

  1. Access to your existing Azure subscription and account.

  2. Create your Astra DB database using Astra Portal.

  3. Ensure you have permission to manage private endpoints.

To increase your security, restrict public access to your database using the access list.

Creating and referencing endpoint values between Microsoft Azure portal and Astra Portal

Setting up the connection between Azure portal and Astra DB private endpoints involves a few steps in both venues.

Let’s start in Astra Portal

  1. On your organization’s Astra DB dashboard, click the link for your active, Azure-based database.

  2. Navigate to your database’s Settings tab, and notice the Private Endpoints section. At this point, no endpoints have been linked. Example:

    Astra Portal Settings tab with Private Endpoints section for Azure pre-configuration
  3. Click Configure Region and enter your Azure account’s Subscription ID. You can get the Subscription ID from your account in the Azure portal. In your account on the Azure portal, under Azure Services, click the Subscriptions icon. Copy the displayed Subscription ID.

  4. After entering the Azure Subscription ID, click Configure Region.

  5. Astra Portal displays an updated Private Endpoints section, including a generated Service Name.

  6. Click Add Endpoint.

  7. On Add Private Endpoint, copy the generated Service Name.

Notice at this point in the example, we have a generated Service Name, but do not yet have an ID from Azure’s private endpoint to paste into the Endpoint ID field:

Astra DB Add Private Endpoint form with no Endpoint ID yet

In Astra Portal, keep the Add Private Endpoint dialog open. We’ll return here with an Endpoint ID after creating it in Azure portal.

Switch over to Azure portal

  1. After authenticating into Azure portal, navigate to Create a resource.

  2. Navigate to Private Endpoint.

    Azure Create a resource private endpoint with Create button
  3. Click Create.

  4. On Basics:

    1. Select your Subscription.

    2. Specify an existing Resource group or create a new one.

    3. Give a name to your private endpoint instance.

    4. Specify the region. Note that Astra DB with Azure can perform cross-region connectivity, or both may use the same region for intra-region connectivity.

      Azure Create Private Endpoint basics example
  5. On Resource:

    1. Select an option such as Connect to an Azure resource by resource ID or alias.

    2. Paste into Resource ID or alias the Service Name value that you copied from Astra Portal.

    3. Optionally add request message text.

      Example:

      Azure Create Private Endpoint resource example
  6. On Virtual Network:

    1. Choose a Virtual network

    2. Choose a Subnet

      Example with defaults:

      Azure Create Private Endpoint configuration example
  7. On DNS, decide if you want to integrate with a private DNS zone.

    Azure Create Private Endpoint DNS example

  8. On Tags, optionally enter name/value pairs to categorize resources and subsequently view consolidated billing. Example:

    Azure Create Private Endpoint tags example
  9. On Review and create, check the settings you’ve entered. Example:

    Azure Create Private Endpoint review and create example

    If the values are acceptable, click Create.

  10. Once validated, Azure portal displays a summary page for the added private endpoint. Copy the generated endpoint’s Resource ID, which you’ll later paste into the Add Private Endpoint dialog in Astra Portal. To get the Resource ID:

    1. Click Go to resource and navigate to the Properties page for the private endpoint; copy the Resource ID to your clipboard.

    2. Or download the deployment.json file provided by Azure portal — on your created private endpoint’s page — and look for the primaryResourceId value. Format example:

      /subscriptions/<your alphanumeric values here>/resourcegroups/astra-db-azure-private-endpoint-test-westus/providers/Microsoft.Network/privateEndpoints/myPrivateEndpoint

Return to Astra Portal

Back in Astra Portal, return to the Add Private Endpoint dialog that’s available from your database’s Settings.

  1. In the Endpoint ID form field, paste in the copied Resource ID value. Also enter a brief description for your Astra DB / Azure endpoint.

  2. Click Add Endpoint.

    Astra DB displays the result. Example:

    Astra DB Settings Private Endpoint connection completed

Your private endpoint is defined. However, notice the warning message if you have not taken further action in your Astra DB Settings.

You’ve set up a private endpoint for this database, but access to your database is still open to the public. Learn how to Manage access lists for public access by using the IP Access List options in Astra Portal Settings. You can enable the Restrict public access toggle, and you can manage endpoints with one or more access lists.

Create a DNS entry for your private endpoint

You can alias your private endpoint with a DNS record to use as your hostname in the Astra DB secure connect bundle. Here are the steps:

  1. Download your secure connect bundle for the region of your choice. Get your latest secure connect bundle.

  2. Unzip the secure connect bundle.

  3. In config.json, copy the host key’s value.

  4. In Azure portal, for your private endpoint, create a DNS entry for the host key’s value and map it to your virtual IP address. Update the domains to use REST and CQL. Examples:

    • REST: efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.apps.astra.datastax.com

    • CQL: efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.db.astra.datastax.com

    For detailed steps, see Quickstart: Create an Azure private DNS zone using the Azure portal.

Once those steps are completed, you can connect to your private endpoint using your updated secure connect bundle. For more, see Drivers for Astra DB.
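The following added example (not DataStax code) is one way to check the DNS steps above from a VM inside the virtual network: it reads host from the bundle's config.json, derives the REST and CQL names, and reports whether each resolves inside the private endpoint's subnet. The function names, the 10.0.0.0/24 subnet, the sample addresses and the in-memory bundle are constructed for illustration, and it assumes the host value has the .db.astra.datastax.com form shown above.

```python
import io
import ipaddress
import json
import socket
import zipfile

DB_SUFFIX = ".db.astra.datastax.com"      # CQL hostname suffix, as in the page's example
APPS_SUFFIX = ".apps.astra.datastax.com"  # REST hostname suffix, as in the page's example
HOST = "efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1"  # example name from the page

def endpoint_hostnames(bundle):
    """Read `host` from the bundle's config.json and derive the CQL and REST names."""
    with zipfile.ZipFile(bundle) as zf:
        host = json.loads(zf.read("config.json"))["host"]
    if not host.endswith(DB_SUFFIX):  # assumption: host has the .db form shown on the page
        raise ValueError(f"unexpected host value: {host!r}")
    return {"CQL": host, "REST": host[:-len(DB_SUFFIX)] + APPS_SUFFIX}

def system_resolver(name):
    """Resolve with the OS resolver; run this from a VM inside the virtual network."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 443)})
    except socket.gaierror:
        return []

def check_private_dns(bundle, subnet, resolve=system_resolver):
    """Map each hostname to (status, addresses); only PRIVATE stays inside the subnet."""
    net = ipaddress.ip_network(subnet)
    report = {}
    for name in endpoint_hostnames(bundle).values():
        addrs = resolve(name)
        inside = [ipaddress.ip_address(a) in net for a in addrs or []]
        # PUBLIC: at least one answer lies outside the private endpoint's subnet
        status = "MISSING" if not inside else "PRIVATE" if all(inside) else "PUBLIC"
        report[name] = (status, addrs)
    return report

def sample_bundle():
    """Constructed stand-in for a downloaded bundle: a zip holding only config.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps({"host": HOST + DB_SUFFIX}))
    return buf

# Constructed DNS answers: the CQL record was created, the REST record was forgotten.
SAMPLE_DNS = {HOST + DB_SUFFIX: ["10.0.0.5"], HOST + APPS_SUFFIX: ["203.0.113.10"]}

if __name__ == "__main__":
    for name, result in check_private_dns(sample_bundle(), "10.0.0.0/24", SAMPLE_DNS.get).items():
        print(name, *result)
```

Against a real bundle, pass the path of the downloaded zip and your subnet, and omit the third argument so the system resolver is used.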

Remove a private endpoint

In Azure portal:

  1. In Azure portal, navigate to your private endpoint resource.

  2. Click the Delete icon.

In Astra Portal:

  1. Go to the Settings tab for your database.

  2. Choose the endpoint you want to remove.

  3. Click Delete.

What’s next?

  • Refer to related topics for other cloud providers that are linked from Connect via a private endpoint.

  • Learn how to Manage access lists for public access.

  • For more about Azure Private Endpoints, see What is Azure Private Endpoint?.
