Can't connect from azure resource to Azure database for postgres server

Question

I can't connect from azure resource (aks node) to Azure postgres using pgcli. I also tried directly from node and got the same error message:

FATAL: Client from Azure Virtual Networks is not allowed to access the server. Please make sure your Virtual Network is correctly configured.

Firewall rules in the resource are on: Allow access to Azure services: ON

Running the same pgcli login command on my computer and on another azure resource seems to work fine.

Adding Firewall rules to all IPs return the same error.

Curl from the problematic server (host:5432) returns a reply, so it's not an outbound issue.

Answer 1

What does the error mean?

A VM where the connection originates from is deployed to a virtual network subnet where Microsoft.Sql service endpoint is turned on. Per documentation:

If Microsoft.Sql is enabled in a subnet, it indicates that you only want to use VNet rules to connect. Non-VNet firewall rules of resources in that subnet will not work.

For connection to succeed there must be a VNet rule added on PostgreSQL side. At the time the question was asked VNet Service Endpoints for Azure Database for PostgreSQL just got to public preview so I assume it might not have been available for the OP.

Solution

As of November 2020, Service Endpoints for Postgres is GA and instead of disabling the service endpoint one can add a missing VNet rule to the PostgreSQL server instance and reference the service endpoint-enabled subnet. It can be done via Portal or Azure CLI

Answer 2

Apparently, the vm is part of a vnet that a service endpoint tag Microsoft.sql was enabled.

I found this answer. To solve the problem I disabled the service endpoint and added the public IP to the Connection Security section.