Create and manage Azure Database for MariaDB VNet service endpoints using Azure CLI
Virtual Network (VNet) services endpoints and rules extend the private address space of a Virtual Network to your Azure Database for MariaDB server. Using convenient Azure Command Line Interface (CLI) commands, you can create, update, delete, list, and show VNet service endpoints and rules to manage your server. For an overview of Azure Database for MariaDB VNet service endpoints, including limitations, see Azure Database for MariaDB Server VNet service endpoints. VNet service endpoints are available in all supported regions for Azure Database for MariaDB.
Use Azure Cloud Shell using the bash environment.
If you prefer, install Azure CLI to run CLI reference commands.
- If you're using a local install, sign in with Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. See Sign in with Azure CLI for additional sign-in options.
- When you're prompted, install Azure CLI extensions on first use. For more information about extensions, see Use extensions with Azure CLI.
- Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
You need an Azure Database for MariaDB server and database.
This article requires version 2.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
Support for VNet service endpoints is only for General Purpose and Memory Optimized servers.
Configure VNet service endpoints
The az network vnet commands are used to configure Virtual Networks.
If you have multiple subscriptions, choose the appropriate subscription in which the resource should be billed. Select the specific subscription ID under your account using az account set command. Substitute the id property from the az login output for your subscription into the subscription id placeholder.
- The account must have the necessary permissions to create a virtual network and service endpoint.
Service endpoints can be configured on virtual networks independently, by a user with write access to the virtual network.
To secure Azure service resources to a VNet, the user must have permission to "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/" for the subnets being added. This permission is included in the built-in service administrator roles, by default and can be modified by creating custom roles.
VNets and Azure service resources can be in the same or different subscriptions. If the VNet and Azure service resources are in different subscriptions, the resources should be under the same Active Directory (AD) tenant. Ensure that both the subscriptions have the Microsoft.Sql resource provider registered. For more information refer resource-manager-registration
It is highly recommended to read this article about service endpoint configurations and considerations before configuring service endpoints. Virtual Network service endpoint: A Virtual Network service endpoint is a subnet whose property values include one or more formal Azure service type names. VNet services endpoints use the service type name Microsoft.Sql, which refers to the Azure service named SQL Database. This service tag also applies to the Azure SQL Database, Azure Database for MariaDB, PostgreSQL, and MySQL services. It is important to note when applying the Microsoft.Sql service tag to a VNet service endpoint it configures service endpoint traffic for all Azure Database services, including Azure SQL Database, Azure Database for PostgreSQL, Azure Database for MariaDB, and Azure Database for MySQL servers on the subnet.
This sample script is used to create an Azure Database for MariaDB server, create a VNet, VNet service endpoint and secure the server to the subnet with a VNet rule. In this sample script, change the admin username and password. Replace the SubscriptionID used in the
az account set --subscription command with your own subscription identifier.
# To find the name of an Azure region in the CLI run this command: az account list-locations # Substitute <subscription id> with your identifier az account set --subscription <subscription id> # Create a resource group az group create \ --name myresourcegroup \ --location westus # Create a MariaDB server in the resource group # Name of a server maps to DNS name and is thus required to be globally unique in Azure. # Substitute the <server_admin_password> with your own value. az mariadb server create \ --name mydemoserver \ --resource-group myresourcegroup \ --location westus \ --admin-user mylogin \ --admin-password <server_admin_password> \ --sku-name GP_Gen5_2 # Get available service endpoints for Azure region output is JSON # Use the command below to get the list of services supported for endpoints, for an Azure region, say "westus". az network vnet list-endpoint-services \ -l westus # Add Azure SQL service endpoint to a subnet *mySubnet* while creating the virtual network *myVNet* output is JSON az network vnet create \ -g myresourcegroup \ -n myVNet \ --address-prefixes 10.0.0.0/16 \ -l westus # Creates the service endpoint az network vnet subnet create \ -g myresourcegroup \ -n mySubnet \ --vnet-name myVNet \ --address-prefix 10.0.1.0/24 \ --service-endpoints Microsoft.SQL # View service endpoints configured on a subnet az network vnet subnet show \ -g myresourcegroup \ -n mySubnet \ --vnet-name myVNet # Create a VNet rule on the sever to secure it to the subnet Note: resource group (-g) parameter is where the database exists. VNet resource group if different should be specified using subnet id (URI) instead of subnet, VNet pair. az mariadb server vnet-rule create \ -n myRule \ -g myresourcegroup \ -s mydemoserver \ --vnet-name myVNet \ --subnet mySubnet
Clean up deployment
After the script sample has been run, the following command can be used to remove the resource group and all resources associated with it.
az group delete --name myresourcegroup