Azure PostgreSQL Database
Additional steps for Azure PostgreSQL discovery
Early Access: Please contact the Veza support team to enable Azure PostgreSQL for your platform.
Overview
The Azure integration includes built-in support for PostgreSQL on Azure Database. After enabling the feature, you can use search, insights, and workflows to:
Find principles with permissions on PostgreSQL Servers, Databases, Tables, and Schemas.
Identify principles with privileged permissions (such as
Delete
) on PostgreSQL entities
This document provides steps to create the required database user, and configure the integration. See notes and supported entities for more details.
Configuring Azure Database for PostgreSQL
To enable the connection between Veza and Azure PostgreSQL, you will need to:
Deploy an Insight Point in the same virtual network as the databases to discover, or a peered virtual network.
Using an Insight Point is recommended when connecting to production environments. For testing purposes, you can use the internal Insight Point, assuming that firewall rules allow communication with Veza.
Create local PostgreSQL user(s) Veza can use to log in.
Enable PostgreSQL discovery by creating an Azure integration or editing an existing configuration.
Create a PostgreSQL user for Veza
For each server you want to discover, create a local user with read-only permissions on the required system tables. All Veza PostgreSQL users for different servers within a single Azure tenant must share the same username and password.
Log in as an administrator using your client of choice, and create a user with the required permissions. Replace [db_user]
with the desired username:
Explicitly granting the pg_catalog
permissions is required for Single server deployments. When configuring the user for Azure Flexible Servers, new users will already have access to pg_catalog
tables, and a no privileges were granted
warning will appear.
You will enter the local username and password when configuring the Azure integration on the Veza platform.
Troubleshooting
To verify that new user can read the required tables, you can log in as the new user ( \c postgres [db_user]
in psql) and run the following script:
See How to create database users in Azure Database for PostgreSQL for more details.
Enable PostgreSQL for the Azure integration
Log in to Veza as an administrator to finish configuring the integration. You can enable PostgreSQL for an existing integration, or when creating one.
In Veza, open the Integrations page..
To add an integration, Click Add Integration > Azure and complete the steps to configure Microsoft Azure.
To modify an existing integration, find the provider on the main list and click Edit.
From the Insight Point dropdown, pick the one you created for connecting to the PostgreSQL server.
Optionally, enter a comma-separated list of databases and schema to allow or deny. If the allow list is populated, only those resources are discovered. If the deny list is populated, the specified resources are skipped.
Notes and Supported Entities
The integration supports flexible server and single server deployments. Azure Arc enabled PostgreSQL is not supported.
Veza discovers the following PostgreSQL entities and attributes:
PostgreSQL User
An individual account or identity, assigned specific permissions to control access to databases, schemas, tables, and other database objects.
ID
Provider ID
Datasource ID
Is Super User
Can Create DB
Can Initiate Streaming Replication
Can Bypass All Row Level Security
External Account Type
PostgreSQL Database
A logical container within an Azure PostgreSQL service instance that stores data, organized into tables. Several databases can exist within a single PostgreSQL instance, each serving a distinct purpose or application.
Name
ID
Provider ID
Datasource ID
Owner
Server ID
PostgreSQL Group
Represents a logical grouping of database users or roles. Groups manage access control and permissions by assigning specific privileges to several users with common roles.
Name
ID
Provider ID
Datasource ID
PostgreSQL Instance
A PostgreSQL instance in Azure represents a dedicated, managed PostgreSQL database server hosted on Azure infrastructure. Each instance has its own connection endpoint, configurations, and access controls.
Name
ID
Provider ID
Datasource ID
Server ID
Azure Tenant ID
PostgreSQL Schema
A container within a PostgreSQL database that helps organize database objects, such as tables and views. Schemas logically group and manage database objects, making it easier to maintain and navigate a complex database structure.
Name
ID
Provider ID
Datasource ID
Owner
PostgreSQL Table
A fundamental database object that stores structured data in rows and columns, allowing for efficient querying and manipulation of data.
Name
ID
Provider ID
Datasource ID
Owner
PostgreSQL Permissions
Veza creates additional entities to represent capabilities users can have on PostgreSQL resources:
PostgreSQL Privilege: Configured permissions, shown in System query mode.
PostgreSQL Effective Permission: Effective permissions, shown in Effective query mode.
Last updated