
Configure user defined routes on Azure MySQL / PostgreSQL Flexible server deployed with private access

Cedric Ahlers 115 Reputation points
2026-01-07T17:47:15.6733333+00:00

Hi,

We have an Azure MySQL Flexible Server and an Azure PostgreSQL Flexible Server deployed using the private access mode, so the database servers are VNet-injected into a delegated subnet.

Our Network is using a star topology with a central Azure Hub Network running an Azure Firewall and different Spoke Networks peered to this Hub. To establish transitive routing between the Spoke Networks via the Hub Network the Spokes have user-defined route tables configured to route 0.0.0.0/0 via the Azure Firewall.

Previously the Spokes running the Flexible Servers were not connected to this Hub, but now have to be connected. Unfortunately it's poorly documented which routes have to be present in the route table so the Flexible Servers continue to function normally.

The Azure Postgres Flexible Server Documentation has a side note that VnetLocal and AzureActiveDirectory routes should be present, but I couldn't find any documentation about MySQL Flexible Server or reliable documentation for PostgreSQL Flexible Server that mentions the required routes or if user-defined route tables are supported at all for the private access deployment.

We would like to redirect the default route 0.0.0.0/0 to the Azure Firewall and only route specific service tags directly to the next hop Internet.

Does anyone know which service tags have to be routed directly to the Internet?

I would really appreciate it if anybody who has possibly already set this up can help me with that.

Azure Database for MySQL

Answer accepted by question author
  1. Anonymous
    2026-01-07T18:15:53.0766667+00:00

    Hi @Cedric Ahlers
    It looks like you're trying to configure user-defined routes for your Azure MySQL and PostgreSQL Flexible Servers in a private access deployment. Understandably, getting this routing right can be tricky, especially with your Hub and Spoke network setup.

    Routing Requirements: When using private access for Azure Database services, here are a few points to consider based on the documentation:

    User-Defined Routes: Azure Database for MySQL and PostgreSQL Flexible Servers support user-defined routes, but specific configuration depends on your setup. You mentioned needing reliable documentation; while it's true that the official docs don't extensively cover every detail, a few essential routes are often necessary:

    • Ensure the VNetLocal and AzureActiveDirectory service tags are present in your route tables.
    • Routes must also allow traffic to and from your Flexible Servers and any related resources.

    Service Tags to Route:

    • For your setup, you should typically allow routes for the service tags related to Azure Database services. Relevant service tags generally include:
      - `Sql` (for Azure SQL services)
      - `AzureDatabase` (which may encompass MySQL and PostgreSQL)
    • Additionally, the tags you specifically choose to route directly to the Internet will depend on your use case (e.g., if you're using Azure Blob Storage or other endpoints).

    **Adjust Routing**: Following your star topology, you’d route `0.0.0.0/0` through the Azure Firewall and selectively route the necessary service tags to the Internet, as per your requirement.

    **Documentation**: For further reference, I’ve included some links below to help you along the way:
      

    Relevant Documentation:
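
A route-table check for the setup discussed in this thread, as an added example that is not part of the original question or answer: it audits JSON shaped like `az network route-table route list -o json` output for a default route to the firewall, a direct Internet route per service tag, and no user-defined CIDR route that pulls the database subnet away from `VnetLocal`. The sample routes, the IP addresses, and the `direct_tags` default (only `AzureActiveDirectory`, the tag named in the thread) are constructed assumptions, and the third check is one reading of the `VnetLocal` advice, not documented Azure guidance.

```python
import ipaddress
import json

# Constructed sample, shaped like `az network route-table route list -o json` output.
SAMPLE_ROUTES = json.loads("""[
  {"name": "default-via-fw", "addressPrefix": "0.0.0.0/0",
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.0.4"},
  {"name": "aad-direct", "addressPrefix": "AzureActiveDirectory",
   "nextHopType": "Internet", "nextHopIpAddress": null},
  {"name": "spoke-via-fw", "addressPrefix": "10.20.0.0/16",
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.0.4"}
]""")


def _as_network(prefix):
    """Return an ip_network for CIDR prefixes, None for service tags."""
    try:
        return ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return None


def audit_routes(routes, firewall_ip, db_subnet, direct_tags=("AzureActiveDirectory",)):
    """Return a list of findings for a spoke route table (empty list = passes)."""
    findings = []
    subnet = ipaddress.ip_network(db_subnet)
    by_prefix = {r["addressPrefix"]: r for r in routes}

    # 1. The default route must point at the hub firewall.
    default = by_prefix.get("0.0.0.0/0")
    if not default or default["nextHopType"] != "VirtualAppliance" \
            or default.get("nextHopIpAddress") != firewall_ip:
        findings.append("0.0.0.0/0 is not routed to the firewall")

    # 2. Each service tag meant to bypass the firewall needs next hop Internet.
    for tag in direct_tags:
        route = by_prefix.get(tag)
        if not route or route["nextHopType"] != "Internet":
            findings.append(f"service tag {tag} has no direct Internet route")

    # 3. No CIDR route (other than the default) may cover the delegated
    #    database subnet with a next hop other than VnetLocal.
    for r in routes:
        net = _as_network(r["addressPrefix"])
        if net is None or net.prefixlen == 0 or net.version != subnet.version:
            continue
        if subnet.subnet_of(net) and r["nextHopType"] != "VnetLocal":
            findings.append(f"route {r['name']} sends the database subnet to {r['nextHopType']}")
    return findings
```

Extend `direct_tags` with whatever additional service tags turn out to be required for your servers; the function only verifies that the routes you intended are actually in the table.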

