Connect to Azure Private Link with the DevOps API

To better protect your database connection, you can reach your Astra DB database over an Azure private endpoint instead of its public endpoint, so that traffic stays on the Azure network.

This information applies to only serverless databases.

For pricing related to using private endpoints, see Pricing and billing.

The following roles can manage private endpoints:

  • Organization Administrator

  • Database Administrator

Alternatively, you can use a custom role with permissions to manage private endpoints.

Prerequisites

  1. Create your Azure private endpoint.

  2. Disable private endpoint network policies on the subnet that will host the private endpoint.

  3. Ensure you have permission to manage private endpoints.

To increase your security, consider restricting public access to your database using the access list.

  1. Get the allowed principal from your Azure account. This is the Subscription ID of the subscription that will own the private endpoint.

  2. Enter your Subscription ID as the allowed principal for your private endpoints to Astra DB. Astra DB uses this list to decide which Azure subscriptions may connect to its Private Link service, so list only subscriptions you control:

    cURL command (/v2):

    curl --request POST \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/<databaseID>/datacenters/<datacenterID>/private-link' \
      --header 'Accept: application/json' \
      --header 'Content-Type: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
          "allowedPrincipals": [
            "9cbbd094-fa31-490f-863d-897d01661681"
          ]
        }'

    To confirm your datacenter ID, see your database Dashboard or use the DevOps API to get all datacenter IDs within your database.

    Result:

    {
      "serviceName": "test.a51y2a51-f9j4-4ad2-l863-67e5ac6g10m.westus2.azure.privatelinkservice",
      "allowedPrincipals": [
        "9cbbd094-fa31-490f-863d-897d01661681"
      ]
    }

    Keep the serviceName from the result; it is the alias you enter in Azure when creating the private endpoint.
  3. In your Azure Private endpoints, select Add.

    1. Select your Subscription and then your Resource group for your project.

    2. Enter your private endpoint name.

    3. Select the region for your private endpoint. This region should match your Astra DB region.

    4. Select Next: Resource.

    5. Select Connect to an Azure resource by resource ID or alias as your Connection method.

    6. Enter your serviceName as your Resource ID or alias.

    7. Select Next: Configuration.

    8. Select your Virtual network and Subnet from the menus.

    9. Select Review + create and then select Create to finish creating your private endpoint.

  4. Connect your Azure private endpoint connection:

    Your endpointID is the Resource ID for your private endpoint, which is available in the Azure portal by selecting JSON View for the private endpoint. For example, /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.Network/privateEndpoints/$ENDPOINT_NAME.

    cURL command (/v2):

    curl --request POST \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/<databaseID>/datacenters/<datacenterID>/endpoints' \
      --header 'Accept: application/json' \
      --header 'Content-Type: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
          "endpointID": "/subscriptions/a51y2a51-f9j4-4ad2-l863-67e5ac6g10m/resourceGroups/lab-resourceGroups/providers/Microsoft.Network/privateEndpoints/dev-poc",
          "description": "project-desc-dev-app"
        }'

    Result:

    {
      "datacenters": [
        {
          "serviceName": "test.a51y2a51-f9j4-4ad2-l863-67e5ac6g10m.westus2.azure.privatelinkservice",
          "allowedPrincipals": [
            "9cbbd094-fa31-490f-863d-897d01661681"
          ],
          "datacenterID": "string",
          "endpoints": [
            {
              "endpointID": "/subscriptions/a51y2a51-f9j4-4ad2-l863-67e5ac6g10m/resourceGroups/lab-resourceGroups/providers/Microsoft.Network/privateEndpoints/dev-poc",
              "description": "project-desc-dev-app",
              "status": "Accepted",
              "createdDateTime": "2021-04-10T23:00:00"
            }
          ]
        }
      ]
    }
  5. Create a DNS entry for your private endpoint so that your application resolves the database hostname to the private endpoint's IP address. For more, see What is Azure Private DNS?

Once Astra DB accepts the connection, the Azure portal shows the private endpoint connection in the Approved state.

Remove a private endpoint

  1. Delete a private endpoint from your Astra DB:

    cURL command (/v2):

    curl --request DELETE \
      --url 'https://api.astra.datastax.com/v2/organizations/clusters/<databaseID>/datacenters/<datacenterID>/endpoints/<endpointID>' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>'
  2. Remove your connection from your Azure portal:

    Azure portal:

    1. In the Azure portal, select Private Link Center > Private endpoints.

    2. Select the checkbox beside the private endpoint you want to remove.

    3. Select Remove.

    PowerShell (Az module):

    # Deletes the private endpoint resource from your (consumer) subscription, matching the
    # portal steps above. Remove-AzPrivateEndpointConnection targets a Private Link service
    # you own, which is not the case here: the service belongs to Astra DB.
    Remove-AzPrivateEndpoint -Name myPrivateEndpoint1 -ResourceGroupName myResourceGroup
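The connect procedure above (allowed principal, endpoint registration) and the DELETE in step 1 of this section, driven from one script. This is an added example, not DataStax code. It uses only the Python standard library and the /v2 paths shown on this page. Assumptions not in the original: the endpointID is percent-encoded when it is placed in the DELETE path, because the resource ID contains slashes; add_endpoint optionally refuses an endpoint whose subscription was not passed as an allowed principal, on the assumption that such a connection would never reach Accepted; and offline_send is a constructed transport that answers with page-shaped JSON so the script runs without network access.

```python
"""Drive the private-link calls on this page from one script (added example, not
DataStax code). Assumes the /v2 paths shown above; the transport is injectable so
everything runs offline against offline_send()."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.astra.datastax.com/v2"
# Azure subscription IDs are GUIDs; that is the only allowed-principal form used on this page.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Shape of the private endpoint resource ID taken from the portal's JSON View (step 4).
ENDPOINT_ID_RE = re.compile(r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/[^/]+"
                            r"/providers/Microsoft\.Network/privateEndpoints/[^/]+$")


def validate_subscription_id(sub_id):
    if not GUID_RE.match(sub_id):
        raise ValueError(f"not a subscription GUID: {sub_id!r}")
    return sub_id.lower()


def validate_endpoint_id(endpoint_id, allowed_subscriptions=None):
    """Check the resource ID shape and, when a list is given, that its subscription is one
    you allow-listed in step 2 (assumed precondition for the connection to be Accepted)."""
    m = ENDPOINT_ID_RE.match(endpoint_id)
    if not m:
        raise ValueError(f"not a privateEndpoints resource ID: {endpoint_id!r}")
    if allowed_subscriptions is not None and m.group("sub").lower() not in {
            s.lower() for s in allowed_subscriptions}:
        raise ValueError(f"subscription {m.group('sub')} is not an allowed principal")
    return endpoint_id


def _send_live(req):  # real transport; pass offline_send() instead to stay offline
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:
        return e.code, {"error": e.read().decode(errors="replace")}


def _call(method, db_id, dc_id, suffix, token, body=None, send=None):
    url = f"{BASE_URL}/organizations/clusters/{db_id}/datacenters/{dc_id}/{suffix}"
    headers = {"Accept": "application/json", "Authorization": f"Bearer {token}"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"  # JSON body, not a form post
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    status, payload = (send or _send_live)(req)
    if status >= 400:
        raise RuntimeError(f"{method} {url} -> HTTP {status}: {payload}")
    return url, payload


def set_allowed_principals(db_id, dc_id, token, subscription_ids, send=None):
    """Step 2: returns the serviceName to enter in Azure as the Resource ID or alias."""
    body = {"allowedPrincipals": [validate_subscription_id(s) for s in subscription_ids]}
    return _call("POST", db_id, dc_id, "private-link", token, body, send)[1]["serviceName"]


def add_endpoint(db_id, dc_id, token, endpoint_id, description, allowed_subscriptions=None, send=None):
    """Step 4: registers the Azure private endpoint and returns its status from the reply."""
    validate_endpoint_id(endpoint_id, allowed_subscriptions)
    body = {"endpointID": endpoint_id, "description": description}
    _, payload = _call("POST", db_id, dc_id, "endpoints", token, body, send)
    for dc in payload.get("datacenters", []):
        for ep in dc.get("endpoints", []):
            if ep.get("endpointID") == endpoint_id:
                return ep.get("status")
    raise RuntimeError("endpoint missing from response")


def remove_endpoint(db_id, dc_id, token, endpoint_id, send=None):
    """Remove, step 1. The resource ID contains slashes, so it is percent-encoded into the
    path (assumption: the API expects it encoded). Returns the URL that was called."""
    suffix = "endpoints/" + urllib.parse.quote(endpoint_id, safe="")
    return _call("DELETE", db_id, dc_id, suffix, token, None, send)[0]


def offline_send(log):
    """Constructed transport: records each request and answers with page-shaped JSON."""
    def send(req):
        body = json.loads(req.data) if req.data else None
        log.append({"method": req.get_method(), "url": req.full_url,
                    "auth": req.get_header("Authorization"),
                    "content_type": req.get_header("Content-type"), "body": body})
        if req.get_method() == "DELETE":
            return 204, {}
        if req.full_url.endswith("/private-link"):
            return 200, {"serviceName": "test.westus2.azure.privatelinkservice",
                         "allowedPrincipals": body["allowedPrincipals"]}
        return 200, {"datacenters": [{"endpoints": [
            {"endpointID": body["endpointID"], "status": "Accepted"}]}]}
    return send
```

Against the live API, call the three functions with your database ID, datacenter ID and application token and omit the send argument; between set_allowed_principals and add_endpoint, create the private endpoint in Azure using the returned serviceName, exactly as in step 3. Passing the same subscription list to add_endpoint that you gave to set_allowed_principals catches the common mistake of building the endpoint in a subscription that was never allow-listed.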