To better protect your database connection, you can connect to a private endpoint using the Astra DB console.
For details about using API calls instead, see Connect to Azure Private Link with the DevOps API.
This information applies only to serverless databases.
For pricing related to using private endpoints, see Pricing and billing.
The following roles can manage private endpoints:
Organization Administrator
Database Administrator
Alternatively, you can use a custom role with permissions to manage private endpoints.
For more about Azure Private Endpoints, see link:https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview[What is Azure Private Endpoint?, window="_blank"].
- Access to your existing Azure subscription and account.
- Create your Astra DB database using the Astra DB console.
- Ensure you have permission to manage private endpoints.
To increase your security, restrict public access to your database using the access list.
Setting up the connection between the Azure portal and Astra DB private endpoints involves steps in both consoles.
Let’s start in Astra DB console
- On your organization's Astra DB dashboard, click the link for your active, Azure-based database.
- Navigate to your database's *Settings* tab, and notice the *Private Endpoints* section. At this point, no endpoints have been linked.
- Click *Configure Region* and enter your Azure account's Subscription ID. You can get the Subscription ID from your account in the Azure console. In your account on link:https://portal.azure.com/#home[the Azure console Home page], under Azure Services, click the *Subscriptions* icon. Copy the displayed Subscription ID.
- After entering the Azure Subscription ID, click *Configure Region*.
- Astra DB console displays an updated Private Endpoints section, including a generated *Service Name*.
- Click *Add Endpoint*.
- On *Add Private Endpoint*, copy the generated *Service Name*.
Notice at this point in the example, we have a generated Service Name, but do not yet have an ID from Azure's private endpoint to paste into the *Endpoint ID* field:
image:astra-db-add-private-endpoint-no-endpoint-id-yet.png[Astra DB Add Private Endpoint form with no Endpoint ID yet]
In Astra DB console, keep the *Add Private Endpoint* dialog open. We'll return here with an *Endpoint ID* after creating it in Azure console.
Switch over to Azure portal
- After authenticating into Azure portal, navigate to *Create a resource*.
- Navigate to *Private Endpoint*.
- Click *Create*.
- On *Basics*:
- On *Resource*:
- On *Configuration*:
- On *Tags*, optionally enter name/value pairs to categorize resources and subsequently view consolidated billing.
- On *Review and create*, check the settings you've entered.
- Once validated, Azure console displays a summary page for the added private endpoint. *Copy* the generated endpoint's *Resource ID*, which you'll later paste into the Add Private Endpoint dialog in Astra DB console. To get the Resource ID:
Return to Astra DB console
Back in Astra DB console, return to the *Add Private Endpoint* dialog that's available from your database's Settings.
- In the Endpoint ID form field, paste in the copied *Resource ID* value. Also enter a brief description for your Astra DB / Azure endpoint.
- Click *Add Endpoint*.
Your private endpoint is defined. However, notice the warning message if you have not taken further action in your Astra DB Settings.
You’ve set up a private endpoint for this database, but access to your database is still open to the public. Learn how to Manage access lists for public access by using the *IP Access List options in Astra DB console Settings*. You can enable the Restrict public access toggle, and you can manage endpoints with one or more access lists.
You can alias your private endpoint with a DNS record to use as your hostname in the Astra DB secure connect bundle. Here are the steps:
- Download your secure connect bundle for the region of your choice. Get your latest secure connect bundle.
- Unzip the secure connect bundle.
- In config.json, copy the host key's value.
- In Azure portal, for your private endpoint, create a DNS entry for the host key's value and map it to your virtual IP address. Update the domains to use REST and CQL. Examples:
Once those steps are completed, you can connect to your private endpoint using your updated secure connect bundle. For more, see Drivers for Astra DB.
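To confirm the alias took effect from a client inside your virtual network, the following added example (not DataStax code) reads the `host` key from the bundle's config.json and checks that it resolves only to private addresses. The function names, sample hostname, and sample addresses are assumptions constructed for illustration.

```python
import io
import ipaddress
import json
import socket
import zipfile


def bundle_host(bundle):
    """Return the value of the `host` key from config.json in a secure connect bundle."""
    with zipfile.ZipFile(bundle) as zf:
        with zf.open("config.json") as fh:
            return json.load(fh)["host"]


def system_resolver(hostname):
    """Resolve with the OS resolver, i.e. what a driver on this machine would see."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_private_alias(bundle, resolver=system_resolver):
    """Report whether the bundle host resolves, and only to private addresses."""
    host = bundle_host(bundle)
    try:
        addrs = resolver(host)
    except socket.gaierror:
        addrs = []  # no DNS record visible from this client
    # Any non-private answer means traffic would leave via the public endpoint.
    public = [a for a in addrs if not ipaddress.ip_address(a).is_private]
    return {"host": host, "addresses": addrs, "public": public,
            "ok": bool(addrs) and not public}


def make_sample_bundle(host):
    """Constructed stand-in for a downloaded bundle: a zip holding only config.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps({"host": host}))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed hostname and address; pass your bundle path and omit `resolver` for a real check.
    sample = make_sample_bundle("db-id-region.example.invalid")
    print(check_private_alias(sample, resolver=lambda h: ["10.1.2.4"]))
```

Run it from a machine in the same virtual network as the private endpoint; a result with `ok` set to false means the hostname is unresolved or still reaches a public address from that client.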
In Azure console:
- In Azure console Home, navigate to your private endpoint resource.
- Click the *Delete* icon.
In Astra DB console:
- Go to the *Settings* tab for your database.
- Choose the endpoint you want to remove.
- Click *Delete*.
What’s next?
- Refer to related topics for other cloud providers that are linked from Connect via a private endpoint.
- Learn how to Manage access lists for public access.
- For more about Azure Private Endpoints, see link:https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview[What is Azure Private Endpoint?].