# terraform
Have you tried creating a private endpoint for your postgres server in the vnet(s) for synapse and data factory? It's likely that your connection string resolves to a public address so you're trying to reach out via the public web. A private endpoint is kind of an abstraction of a network route and private DNS entry. They're kind of awful, imo, but there's little doubt in my mind that they're the happiest path here.
ah, this makes more sense. If you have any example or documentation to point to, that would be great. Indeed it is, the DNS entry is on the public DNS (which is even more weird).
You need to use Azure private DNS zone mapping to your PE private IP
Microsoft has a quick start guide which is a great place to start. https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-terraform?tabs=azure-cli There are a couple of considerations that you need to think about... like how you want your network laid out. Do you want all your vnets sharing the same private DNS zones (this is DEFINITELY the easiest)? Do you want a zone per vnet? etc. For example, I have a hub and spoke network where each of my spokes has a private zone. But, I use terraform agents on my hub network to do work in my spokes, so I create 2 private endpoints per resource: one in the spoke private DNS and one in the hub private DNS. Another consideration is the fact that in Azure the API is often split up in two levels: 1. the management control plane, 2. the data control plane. Private endpoints do not affect the first, but do affect the second. Therefore, TF can often create a resource that has a private endpoint, but not be able to access it if the private endpoint isn't set up correctly. Furthermore, because TF often has to get a resource's state before changing it (like in a destroy), TF often becomes unable to modify or destroy a resource with a failed or non-existing endpoint.
thanks both of you! nice homework resources 🙂
If you use Terraform Cloud with TF agents running on your private VNETs you can provision anywhere; just make sure your DNS setup can resolve correctly across the board when using public DNS and private DNS zones.