Security in Azure Database for PostgreSQL - Single Server

APPLIES TO: Azure Database for PostgreSQL - Single Server

Important

Azure Database for PostgreSQL - Single Server is on the retirement path. We strongly recommend that you upgrade to Azure Database for PostgreSQL - Flexible Server. For more information about migrating to Azure Database for PostgreSQL - Flexible Server, see What's happening to Azure Database for PostgreSQL Single Server?.

There are multiple layers of security that are available to protect the data on your Azure Database for PostgreSQL server. This article outlines those security options.

Information protection and encryption

In-transit

Azure Database for PostgreSQL secures your data by encrypting data in-transit with Transport Layer Security. Encryption (SSL/TLS) is enforced by default.

At-rest

The Azure Database for PostgreSQL service uses the FIPS 140-2 validated cryptographic module for storage encryption of data at-rest. Data, including backups, are encrypted on disk, including the temporary files created while running queries. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.

Network security

Connections to an Azure Database for PostgreSQL server are first routed through a regional gateway. The gateway has a publicly accessible IP, while the server IP addresses are protected. For more information about the gateway, visit the connectivity architecture article.

A newly created Azure Database for PostgreSQL server has a firewall that blocks all external connections. Though they reach the gateway, they are not allowed to connect to the server.

IP firewall rules

IP firewall rules grant access to servers based on the originating IP address of each request. See the firewall rules overview for more information.

Virtual network firewall rules

Virtual network service endpoints extend your virtual network connectivity over the Azure backbone. Using virtual network rules you can enable your Azure Database for PostgreSQL server to allow connections from selected subnets in a virtual network. For more information, see the virtual network service endpoint overview.

Private IP

Private Link allows you to connect to your Azure Database for PostgreSQL Single server in Azure via a private endpoint. Azure Private Link essentially brings Azure services inside your private Virtual Network (VNet). The PaaS resources can be accessed using the private IP address just like any other resource in the VNet. For more information,see the private link overview

Access management

While creating the Azure Database for PostgreSQL server, you provide credentials for an administrator role. This administrator role can be used to create additional PostgreSQL roles.

You can also connect to the server using Microsoft Entra authentication.

Migrating from Oracle

Oracle supports Transparent Data Encryption (TDE) to encrypt table and tablespace data. In Azure for PostgreSQL, the data is automatically encrypted at various layers. See the "At-rest" section in this page and also refer to various Security topics, including customer managed keys. You may also consider using pgcrypto extension which is supported in Azure for PostgreSQL.

Next steps