Microsoft released for preview a series of new features for Azure Database for PostgreSQL Flexible Server at Ignite 2022, their annual conference. The new features include encryption of data at rest with customer-managed keys, database authentication with Azure Active Directory, geo-redundant backups and fast restores of data, and a migration tool for moving workloads from the product’s older Single Server deployment option to the newer Flexible Server deployment option.
Azure Database for PostgreSQL is a fully-managed database-as-a-service that enables customers to run PostgreSQL workloads on the Microsoft Azure platform. Launched in 2017 with the Single Server deployment option, which executes the database engine on a proprietary windows container, the service was enhanced by 2020 to include the Flexible Server option, which runs the engine in a container on a Linux virtual machine instead. While both deployment options use Azure Storage for their data files, the Flexible Server option provides additional configuration for optimizations of database performance, security, and cost.
Customer-managed keys on Azure Database for PostgreSQL Flexible Server allow for comprehensive control of access to stored data. By leveraging the capabilities of the Azure Key Vault service, customers can use key-encryption keys (KEKs) to encrypt the data-encryption keys (DEKs) used by Azure Storage for the PostgreSQL server’s data files. Segregation-of-duties compliant access to the keys and data can then be set up by configuring the required policies and roles administered against Azure Active Directory (Azure AD) as illustrated in the diagram below:
Source: https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-data-encryption
Database authentication with Azure AD on Azure Database for PostgreSQL Flexible Server allows management of access to the database at the application layer using the centralized identity and access management provided by Azure AD for a given Azure subscription. To access the server, principals would then need to request an access token from Azure AD and connect to the server while presenting the issued credentials. At a high level, this is shown by the diagram below:
Source: https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-azure-ad-authentication
To provide better resiliency of a Flexible Server database, users can enable geography-redundant storage. This update increases the availability of stored data from 12 nines (99.9999999999%) to 16 nines (99,99999999999999%) and is built on the Geo-redundant storage functionality provided within Azure Storage and so replicates data asynchronously to a single physical location in a secondary region.
Finally, to assist customers seeking to migrate workloads from a Single Server to a Flexible Server, the Azure team has released a tool in public preview. The tool automates the creation of the Flexible Server infrastructure and enables the prerequisite networking requirements for the data flows. The tool can migrate up to eight databases at a time and has support for two modes of migration: online, with reduced downtime, and offline, with extended downtime.