Azure Guide

This guide covers using Isolate with Microsoft Azure, including Azure Database for PostgreSQL Flexible Server provisioning, AKS cluster access, and Azure Bastion connectivity patterns.

Overview

Isolate's Azure integration provides the following capabilities:

  • Azure Database for PostgreSQL Flexible Server: Provision temporary database instances from production backups
  • AKS Cluster Access: Connect to Kubernetes clusters through audited proxy tunnels
  • Azure Bastion Tunneling: Secure connectivity without exposing public IPs
  • Multi-Subscription Federation: Discover and manage resources across Azure subscriptions
  • Entra ID Integration: Single sign-on authentication with Microsoft 365

Azure Database for PostgreSQL

Flexible Server Provisioning

Isolate provisions PostgreSQL Flexible Server instances on-demand using Azure's managed database service. Key characteristics:

  • Performance Tiers: Burstable (B1ms - 1 vCPU, 2GB), General Purpose (D2s - 2 vCPU, 8GB), Memory Optimized (E2s - 2 vCPU, 16GB)
  • Provisioning Time: Typically 5-10 minutes (slower than GCP CloudSQL)
  • Private Network: Instances are deployed in VNet with private IPs only
  • Backup Source: Restored from Azure Blob Storage backups via psql

Automatic Backups

Azure Database for PostgreSQL Flexible Server includes automatic backup capabilities:

  • Built-in Backups: Azure automatically creates daily backups with point-in-time recovery
  • Retention: Configurable from 7 to 35 days
  • Geo-redundancy: Optional cross-region backup replication

Note: Azure does not support on-demand snapshots via API like GCP. Isolate relies on the source backup data from blob storage for restoration.

Limitations

  • No API SQL Import: Unlike GCP's gcloud sql import sql, Azure requires manual restoration using psql or Azure Container Instances
  • Slower Provisioning: Flexible Server creation takes longer than GCP CloudSQL instances
  • No Point-in-Time Clone: Must restore from complete backup files rather than database-level snapshots

AKS Cluster Access

Kubernetes Proxy Architecture

AKS cluster access follows the same proxy pattern as GCP GKE, but uses Azure Bastion for tunneling:

CLI (kubectl) -> Azure Bastion Tunnel -> k8sproxy -> AKS API Server
                      (localhost:6443)     (VM:6443)    (private IP)

Connection Process

  1. Discover Clusters: isolate clusters list shows AKS clusters discovered by federation agents
  2. Connect: isolate k8s connect <cluster-name> sets up the proxy tunnel
  3. Use kubectl: Standard Kubernetes commands work through the audited proxy
  4. Session Recording: Interactive sessions (kubectl exec) are recorded as asciicasts

Connectivity

Azure Bastion Tunneling

Azure Bastion replaces GCP IAP tunneling for secure proxy access:

# Database connection (automatic with isolate CLI)
isolate connect <instance-id>

# Manual Bastion tunnel setup
az network bastion tunnel \
  --name isolate-bastion \
  --resource-group rg-isolate \
  --target-resource-id <proxy-vm-id> \
  --resource-port 5432 \
  --port 15432

Direct psql Connection

For advanced users who need manual connection control:

# Get connection details
isolate info <instance-id>

# Create Bastion tunnel (in separate terminal)
az network bastion tunnel --name isolate-bastion \
  --resource-group rg-isolate \
  --target-resource-id <vm-id> \
  --resource-port 5432 --port 15432

# Connect with token authentication
TOKEN=$(isolate token <instance-id>)
psql "host=localhost port=15432 dbname=mydb user=$TOKEN"
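
Putting the three steps above together, as an added example that is not part of the Isolate project: the script opens the Bastion tunnel in the background, waits until the local port answers, runs psql with an Isolate token and tears the tunnel down on exit. The Bastion name, resource group and ports follow the guide; the instance ID, VM ID and database name are passed as arguments, and pg_isready (from the PostgreSQL client tools) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the Isolate project. Names follow the guide;
# <instance-id>, <vm-id> and the database name are command-line arguments.
set -eu

BASTION_NAME="isolate-bastion"   # Bastion host used in the guide
RESOURCE_GROUP="rg-isolate"      # resource group used in the guide
REMOTE_PORT=5432                 # PostgreSQL port on the proxy VM
LOCAL_PORT=15432                 # local end of the Bastion tunnel

# Connection string as the guide builds it: the Isolate token is the user.
build_conninfo() {
  # $1 local port, $2 database name, $3 Isolate token
  printf 'host=localhost port=%s dbname=%s user=%s' "$1" "$2" "$3"
}

# Run a probe command once a second until it succeeds; give up after $1 seconds.
# Returns 0 on success, 1 on timeout.
wait_for() {
  timeout_s=$1; shift
  elapsed=0
  while ! "$@" >/dev/null 2>&1; do
    [ "$elapsed" -lt "$timeout_s" ] || return 1
    sleep 1
    elapsed=$((elapsed + 1))
  done
}

connect_via_bastion() {
  instance_id=$1; vm_id=$2; dbname=$3
  # Start the tunnel in the background; kill it on any exit so no forwarded
  # port is left listening after the session ends.
  az network bastion tunnel --name "$BASTION_NAME" --resource-group "$RESOURCE_GROUP" \
    --target-resource-id "$vm_id" --resource-port "$REMOTE_PORT" --port "$LOCAL_PORT" &
  tunnel_pid=$!
  trap 'kill "$tunnel_pid" 2>/dev/null || true' EXIT INT TERM
  # pg_isready fails with "connection refused" until the tunnel is listening.
  if ! wait_for 30 pg_isready -h localhost -p "$LOCAL_PORT"; then
    echo "tunnel on localhost:$LOCAL_PORT did not come up within 30s" >&2
    return 1
  fi
  token=$(isolate token "$instance_id")
  psql "$(build_conninfo "$LOCAL_PORT" "$dbname" "$token")"
}

# Usage: sh bastion-psql.sh <instance-id> <vm-id> <dbname>
if [ $# -eq 3 ]; then
  connect_via_bastion "$@"
fi
```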

Configuration

Required Azure Environment Variables

For Azure deployments, configure these environment variables:

Variable               Description                      Example
AZURE_SUBSCRIPTION_ID  Azure subscription identifier    12345678-1234-...
AZURE_RESOURCE_GROUP   Resource group for deployments   rg-isolate
AZURE_LOCATION         Azure region                     eastus2
CLOUD_PROVIDER         Set to 'azure' for Azure mode    azure
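
A preflight check for the four variables in the table, as an added example that is not part of the Isolate project: it reports every variable that is missing or malformed before Isolate is started in Azure mode. The format rules are assumptions: a subscription ID must be a GUID, and a location a lowercase region name such as eastus2.

```shell
# Added example, not part of the Isolate project: validate the Azure
# environment variables the guide requires. Format rules are assumptions.

# A GUID in 8-4-4-4-12 hex groups, case-insensitive.
check_subscription_id() {
  printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Azure region names are lowercase letters and digits, e.g. eastus2.
check_location() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]+$'
}

# Prints one line per problem to stderr and returns the number of problems
# found, so 0 means the environment is ready for Azure mode.
validate_azure_env() {
  errors=0
  if [ "${CLOUD_PROVIDER:-}" != "azure" ]; then
    echo "CLOUD_PROVIDER must be 'azure' (got '${CLOUD_PROVIDER:-}')" >&2
    errors=$((errors + 1))
  fi
  if ! check_subscription_id "${AZURE_SUBSCRIPTION_ID:-}"; then
    echo "AZURE_SUBSCRIPTION_ID is not a GUID" >&2
    errors=$((errors + 1))
  fi
  if [ -z "${AZURE_RESOURCE_GROUP:-}" ]; then
    echo "AZURE_RESOURCE_GROUP is empty" >&2
    errors=$((errors + 1))
  fi
  if ! check_location "${AZURE_LOCATION:-}"; then
    echo "AZURE_LOCATION is not a region name like eastus2" >&2
    errors=$((errors + 1))
  fi
  return "$errors"
}

# Usage: sh azure-preflight.sh --check  (with the four variables exported)
if [ "${1:-}" = "--check" ]; then
  validate_azure_env && echo "Azure environment looks ready"
fi
```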

Authentication Setup

Azure deployments can use either Entra ID or AuthKit for authentication:

  • Entra ID: Integration with Microsoft 365 single sign-on
  • AuthKit: Standalone authentication service
  • Hybrid Mode: Support for both authentication methods

Troubleshooting

Common Azure-Specific Issues

PostgreSQL Flexible Server Provisioning Slow

# Check provisioning status
az postgres flexible-server show \
  --name <server-name> \
  --resource-group rg-isolate \
  --query state

# Common fix: Verify subnet delegation
az network vnet subnet update \
  --name postgres \
  --vnet-name isolate-vnet \
  --resource-group rg-isolate \
  --delegations Microsoft.DBforPostgreSQL/flexibleServers

Azure Bastion Connection Failures

# Check Bastion status
az network bastion show \
  --name isolate-bastion \
  --resource-group rg-isolate

# Verify VM accessibility
az vm get-instance-view \
  --name isolate-proxy \
  --resource-group rg-isolate \
  --query instanceView.statuses

Entra ID Authentication Issues

# Check current Azure login status
az account show

# Re-authenticate if needed
az login

# Verify Entra ID app registration
az ad app show --id <app-id> \
  --query "web.redirectUris"

RBAC and Managed Identity

Azure deployments rely heavily on RBAC and Managed Identity for secure access:

  • VM Managed Identity: Proxy VM uses managed identity for Azure resource access
  • RBAC Roles: Precise role assignments for database, storage, and AKS access
  • Network Security Groups: Layer 4 firewall rules controlling traffic flow

Networking Troubleshooting

# Check NSG rules
az network nsg show --name nsg-proxy \
  --resource-group rg-isolate

# Test connectivity from proxy to PostgreSQL
# (--auth-type is required by az; AAD matches the Entra ID setup in this guide)
az network bastion ssh --name isolate-bastion \
  --resource-group rg-isolate \
  --target-resource-id <vm-id> \
  --auth-type AAD \
  -- "telnet <pg-private-ip> 5432"

# Verify private endpoint configuration
az network private-endpoint show \
  --name pe-postgres \
  --resource-group rg-isolate

Pro Tip: Azure Bastion tunnels have a 60-minute idle timeout. For long-running queries, consider using screen or tmux sessions, or periodically run lightweight queries to keep the connection active.