Connect to Azure Private Endpoints via Astra DB console

To better protect your database connection, you can connect to a private endpoint using the Astra DB console.

For details about using API calls instead, see Connect to Azure Private Link with the DevOps API.

This information applies only to serverless databases.

For pricing related to using private endpoints, see Pricing and billing.

The following roles can manage private endpoints:

  • Organization Administrator

  • Database Administrator

Alternatively, you can use a custom role with permissions to manage private endpoints.

For more about Azure Private Endpoints, see What is Azure Private Endpoint?.

Prerequisites

  1. Access to your existing Azure subscription and account.

  2. Create your Astra DB database using the Astra DB console.

  3. Ensure you have permission to manage private endpoints.

To increase your security, restrict public access to your database using the access list.

Creating and referencing endpoint values between Azure portal and Astra DB console

Setting up the connection between Azure portal and Astra DB private endpoints involves a few steps in both venues.

Let’s start in Astra DB console

  1. On your organization’s Astra DB dashboard, click the link for your active, Azure-based database.

  2. Navigate to your database’s Settings tab, and notice the Private Endpoints section. At this point, no endpoints have been linked. Example:

    Astra DB console Settings tab with Private Endpoints section for Azure pre-configuration
  3. Click Configure Region and enter your Azure account’s Subscription ID. You can get the Subscription ID from your account in the Azure console: on the Azure console Home page (https://portal.azure.com/#home), under Azure Services, click the Subscriptions icon. Copy the displayed Subscription ID.

  4. After entering the Azure Subscription ID, click Configure Region.

  5. Astra DB console displays an updated Private Endpoints section, including a generated Service Name.

  6. Click Add Endpoint.

  7. On Add Private Endpoint, copy the generated Service Name.

Notice at this point in the example, we have a generated Service Name, but do not yet have an ID from Azure’s private endpoint to paste into the Endpoint ID field:

Astra DB Add Private Endpoint form with no Endpoint ID yet

In Astra DB console, keep the Add Private Endpoint dialog open. We’ll return here with an Endpoint ID after creating it in Azure console.

Switch over to Azure portal

  1. After authenticating into Azure portal, navigate to Create a resource.

  2. Navigate to Private Endpoint.

    Azure Create a resource private endpoint with Create button
  3. Click Create.

  4. On Basics:

    1. Select your Subscription.

    2. Specify an existing Resource group or create a new one.

    3. Give a name to your private endpoint instance.

    4. Specify the region. Note that Astra DB with Azure can perform cross-region connectivity, or both may use the same region for intra-region connectivity.

      Azure Create Private Endpoint basics example
  5. On Resource:

    1. Select an option such as Connect to an Azure resource by resource ID or alias.

    2. Paste into Resource ID or alias the Service Name value that you copied from Astra DB console.

    3. Optionally add request message text.

      Example:

      Azure Create Private Endpoint resource example
  6. On Configuration:

    1. Choose a Virtual network

    2. Choose a Subnet

      Example with defaults:

      Azure Create Private Endpoint configuration example
  7. On Tags, optionally enter name/value pairs to categorize resources and subsequently view consolidated billing. Example:

    Azure Create Private Endpoint tags example
  8. On Review and create, check the settings you’ve entered. Example:

    Azure Create Private Endpoint review and create example

    If the values are acceptable, click Create.

  9. Once validated, Azure console displays a summary page for the added private endpoint. Copy the generated endpoint’s Resource ID, which you’ll later paste into the Add Private Endpoint dialog in Astra DB console. To get the Resource ID:

    1. Click Go to resource and navigate to the Properties page for the private endpoint; copy the Resource ID to your clipboard.

    2. Or download the deployment.json file provided by Azure console — on your created private endpoint’s page — and look for the primaryResourceId value. Format example:

      /subscriptions/<your alphanumeric values here>/resourcegroups/astra-db-azure-private-endpoint-test-westus/providers/Microsoft.Network/privateEndpoints/myPrivateEndpoint

Return to Astra DB console

Back in Astra DB console, return to the Add Private Endpoint dialog that’s available from your database’s Settings.

  1. In the Endpoint ID form field, paste in the copied Resource ID value. Also enter a brief description for your Astra DB / Azure endpoint.

  2. Click Add Endpoint.

    Astra DB displays the result. Example:

    Astra DB Settings Private Endpoint connection completed

Your private endpoint is defined. However, notice the warning message if you have not taken further action in your Astra DB Settings.

You’ve set up a private endpoint for this database, but access to your database is still open to the public. Learn how to Manage access lists for public access by using the IP Access List options in Astra DB console Settings. You can enable the Restrict public access toggle, and you can manage endpoints with one or more access lists.

Create a DNS entry for your private endpoint

You can alias your private endpoint with a DNS record to use as your hostname in the Astra DB secure connect bundle. Here are the steps:

  1. Download your secure connect bundle for the region of your choice. Get your latest secure connect bundle.

  2. Unzip the secure connect bundle.

  3. In config.json, copy the host key’s value.

  4. In Azure portal, for your private endpoint, create a DNS entry for the host key’s value and map it to your virtual IP address. Update the domains to use REST and CQL. Examples:

    • REST: efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.apps.astra.datastax.com

    • CQL: efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.db.astra.datastax.com

Once those steps are completed, you can connect to your private endpoint using your updated secure connect bundle. For more, see Drivers for Astra DB.
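One way to check the DNS mapping from a VM inside the virtual network, added here as an example (not DataStax or Azure code): it reads the host value from config.json, derives the REST name by swapping the suffix as in the hostnames above, and reports whether each name resolves only to private addresses. It assumes the host value has the .db.astra.datastax.com form shown above; the function names are hypothetical.

```python
import ipaddress
import json
import socket

# Suffixes taken from the page's CQL and REST hostname examples.
CQL_SUFFIX = ".db.astra.datastax.com"
REST_SUFFIX = ".apps.astra.datastax.com"

# Constructed sample: config.json content reusing the page's example hostname.
SAMPLE_CONFIG = json.dumps(
    {"host": "efe451fe-709e-4700-9185-5cf0fd3474a7-2-us-east-1.db.astra.datastax.com"})

def endpoint_hostnames(config_text):
    """Derive the CQL and REST hostnames from config.json's host key."""
    host = json.loads(config_text)["host"].strip().lower()
    if not host.endswith(CQL_SUFFIX):
        raise ValueError(f"unexpected host value: {host!r}")
    return {"cql": host, "rest": host[: -len(CQL_SUFFIX)] + REST_SUFFIX}

def system_resolver(hostname):
    """Resolve with the local resolver, as a driver on this VM would."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def audit_private_dns(config_text, resolver=system_resolver):
    """Return {kind: (hostname, addresses, verdict)}.

    "private" needs every answer to be a private address; "public" means at
    least one answer would route outside the private endpoint.
    """
    report = {}
    for kind, name in endpoint_hostnames(config_text).items():
        try:
            addrs = list(resolver(name))
        except OSError:  # socket.gaierror subclasses OSError
            addrs = []
        if not addrs:
            verdict = "unresolved"
        elif all(ipaddress.ip_address(a).is_private for a in addrs):
            verdict = "private"
        else:
            verdict = "public"
        report[kind] = (name, addrs, verdict)
    return report

if __name__ == "__main__":
    for kind, (name, addrs, verdict) in audit_private_dns(SAMPLE_CONFIG).items():
        print(f"{kind:4} {name} -> {addrs or '-'} [{verdict}]")
```

A "public" verdict for either name means clients in that network would still reach the database over the public path, which matters once Restrict public access is enabled.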

Remove a private endpoint

In Azure console:

  1. In Azure console Home, navigate to your private endpoint resource.

  2. Click the Delete icon.

In Astra DB console:

  1. Go to the Settings tab for your database.

  2. Choose the endpoint you want to remove.

  3. Click Delete.

What’s next?