Azure VPC peering

This information applies to only classic databases.

By creating a virtual private cloud (VPC), you can connect your Azure resources and DataStax Astra DB databases. VPC peering allows you to communicate across the VPCs.

For more about VPC peering on Astra DB databases hosted on Azure, see Virtual network peering.

VPC peering is available on only Classic C- and D-tier Astra DB databases.

Prerequisites

Procedure

Azure command line interface

To establish a peering connection for Azure and grant an Enterprise Application managed by Astra DB access to a peering connection, run these commands using the Azure command line interface.

  1. Create a Service Principal in your Azure subscription for an existing Astra DB-managed Enterprise Application:

    - az ad sp create --id 6f77e2ba-39c1-499f-93e1-afe815384a8f

    The client to create connections is always 6f77e2ba-39c1-499f-93e1-afe815384a8f.

  2. Create a role.json file that defines the necessary permissions that Service Principal will need to:

    • Create a peering connection.

    • Get the status of that connection.

    • Delete the connection.

      {
          "Name": “<ROLE_NAME>“,
          "IsCustom": true,
          "Description": “<ROLE_DESCRIPTION>“,
          "Actions": [
              "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
              "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
              "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
              "Microsoft.Network/virtualNetworks/peer/action"
          ],
          "AssignableScopes": [
              "/subscriptions/<YOUR_SUBSCRIPTION>/resourceGroups/<YOUR_RESOURCE_GROUP>/providers/Microsoft.Network/virtualNetworks/<YOUR_VIRTUAL_NETWORK>"
          ]
      }

      Set the following variables in the role.json file:

    • <ROLE_NAME>: The name of the role defined in role.json. The role’s name can be anything, but whatever must match the <ROLE_NAME> when assigning the role with the az command.

    • <ROLE_DESCRIPTION>: The description of the role defined in role.json. The description can also be anything. Astra DB doesn’t use this description.

    • <YOUR_SUBSCRIPTION>: The Azure subscription to which you will peer the Astra DB cluster.

    • <YOUR_RESOURCE_GROUP>: The Resource Group to which you will peer the Astra DB cluster.

    • <YOUR_VIRTUAL_NETWORK>: The Virtual Network to which you will peer the Astra DB cluster.

  1. Using the definitions defined in the role.json file create a new role in your subscription:

    - az role definition create --role-definition role.json
  2. Assign the role you created to the service principal created to your virtual network’s scope:

- az role assignment create --role “<ROLE_NAME>” --assignee 6f77e2ba-39c1-499f-93e1-afe815384a8f --scope "/subscriptions/<YOUR_SUBSCRIPTION>/resourceGroups/<YOUR_RESOURCE_GROUP>/providers/Microsoft.Network/virtualNetworks/<YOUR_VIRTUAL_NETWORK>"

Astra DB Console

  1. From your database Overview, select Add Peering Connection.

  2. In Add Peering Connection, enter the tenant your subscription belongs to for the Azure Tenant ID.

  3. For the Azure Subscription ID, enter <YOUR_SUBSCRIPTION> that matches the variable in the role.json file.

  4. For the Azure Resource Group Name, enter <YOUR_RESOURCE_GROUP> that matches the variable in the role.json file.

  5. For the Azure Virtual Network Name, enter <YOUR_VIRTUAL_NETWORK> that matches the variable in the role.json file.

  6. Select Initiate. After you initiate peering, you will see a link to Download secure connect bundle for internal VPC network.

  7. Download this internal secure connect bundle to connect to the Astra DB database to ensure the connection gets routed through private IP addresses and not the open internet.

The internal secure connect bundle ensures the connection to the Astra DB database is routed through private IP addresses and not the open internet. Using the internal secure connect bundle is the same as using the external secure connect bundle when trying to connect to the database.

If you see Conflict Error: RemotePeeringIsDisconnected as the status for your peering connection, there is a previous Astra DB peering connection in your Azure virtual network that is in a Disconnected state. Remove this peering connection so Astra DB can initiate a successful peering request. To resolve the issue, follow these steps:

  1. Delete the disconnected peering from your Azure virtual network

  2. Delete the peering from your Astra DB database

  3. Create a new peering as described in this document