eprokofev/AzureProblem

Secure Azure Database Deployment

Architecture Overview

This project demonstrates the secure deployment of a PostgreSQL database in Azure using Cosmos DB for PostgreSQL. The architecture follows security and scalability best practices.

Architecture Components

Network Infrastructure

  • Virtual Network (VNet): Isolated network environment with CIDR block 10.0.0.0/16
  • Database Subnet: Dedicated subnet for database (10.0.1.0/24)
  • Private Endpoint Subnet: Subnet for private endpoints (10.0.2.0/24)
  • Network Security Groups (NSG): Traffic control at subnet level
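As an added illustration (this is not the project's own modules/networking code), the following Terraform fragment builds the VNet and the two subnets from the list above and attaches an NSG to the private-endpoint subnet that admits PostgreSQL traffic only from inside the VNet and denies all other inbound traffic. Resource names, the region and the provider version pin are assumptions; the CIDR blocks are the ones the README states.

```hcl
# Added example, not the project's main.tf. Names, region and version pin are assumed.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-secure-pg"   # assumed name
  location = "westeurope"     # assumed region
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-secure-pg"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.0.0.0/16"]
}

# Database subnet (10.0.1.0/24)
resource "azurerm_subnet" "db" {
  name                 = "snet-db"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.1.0/24"]
}

# Private endpoint subnet (10.0.2.0/24). NSG rules only apply to private endpoint NICs
# when network policies are enabled on the subnet, so this is set explicitly.
resource "azurerm_subnet" "pe" {
  name                                      = "snet-pe"
  resource_group_name                       = azurerm_resource_group.rg.name
  virtual_network_name                      = azurerm_virtual_network.vnet.name
  address_prefixes                          = ["10.0.2.0/24"]
  private_endpoint_network_policies_enabled = true
}

# Subnet-level traffic control: PostgreSQL (5432) from the VNet only, everything else denied.
resource "azurerm_network_security_group" "pe" {
  name                = "nsg-pe"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  security_rule {
    name                       = "allow-postgres-from-vnet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "5432"
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "10.0.2.0/24"
  }

  # Explicit catch-all deny below the platform defaults, so a later "allow" cannot
  # be added above it by accident without showing up in a plan diff.
  security_rule {
    name                       = "deny-all-inbound"
    priority                   = 4000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "pe" {
  subnet_id                 = azurerm_subnet.pe.id
  network_security_group_id = azurerm_network_security_group.pe.id
}
```

The check worth doing after `terraform apply` is `terraform plan` again: an NSG rule added outside Terraform (for example through the portal) will appear as drift in the plan, which is how the "deny all inbound" baseline stays enforceable.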

Database

  • Cosmos DB for PostgreSQL: Fully managed PostgreSQL service
  • Private Endpoint: Private connection from inside the VNet; the database is not exposed to the internet
  • RBAC: Role-based access control

Security

  • Managed Identity: Secure authentication without passwords
  • Private DNS Zone: Name resolution for private endpoints
  • Key Vault: Storage for secrets and encryption keys
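The Database and Security components above, as an added example that is not the project's own modules/database or modules/security code. It assumes an existing resource group, VNet and private-endpoint subnet (passed in as variables), creates the Cosmos DB for PostgreSQL cluster with a generated administrator password that is never written to tfvars, exposes the cluster only through a private endpoint with a private DNS zone, and stores the password in an RBAC-mode Key Vault that a user-assigned Managed Identity can read. Resource names and sizes are assumptions.

```hcl
# Added example, not the project's own modules. Names, sizes and the variable interface are assumed.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.100" }
    random  = { source = "hashicorp/random", version = "~> 3.5" }
  }
}

# Assumed inputs from the networking step
variable "resource_group_name" { type = string }
variable "location"            { type = string }
variable "vnet_id"             { type = string }
variable "pe_subnet_id"        { type = string }

data "azurerm_client_config" "current" {}

# Generated once, kept in state and Key Vault only; never committed or placed in tfvars.
resource "random_password" "pg_admin" {
  length  = 32
  special = false
}

resource "azurerm_cosmosdb_postgresql_cluster" "pg" {
  name                            = "cpg-secure-demo"   # assumed, must be globally unique
  resource_group_name             = var.resource_group_name
  location                        = var.location
  administrator_login_password    = random_password.pg_admin.result
  coordinator_storage_quota_in_mb = 131072
  coordinator_vcore_count         = 2
  node_count                      = 0
}

# Private DNS so the cluster hostname resolves to the private endpoint address inside the VNet
resource "azurerm_private_dns_zone" "pg" {
  name                = "privatelink.postgres.cosmos.azure.com"
  resource_group_name = var.resource_group_name
}

resource "azurerm_private_dns_zone_virtual_network_link" "pg" {
  name                  = "link-vnet"
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.pg.name
  virtual_network_id    = var.vnet_id
}

resource "azurerm_private_endpoint" "pg" {
  name                = "pe-cpg"
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.pe_subnet_id

  private_service_connection {
    name                           = "psc-cpg"
    private_connection_resource_id = azurerm_cosmosdb_postgresql_cluster.pg.id
    subresource_names              = ["coordinator"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "pdz-cpg"
    private_dns_zone_ids = [azurerm_private_dns_zone.pg.id]
  }
}

# Key Vault in RBAC mode with public access disabled; purge protection prevents
# a deleted vault (and its secrets) from being destroyed before the retention period ends.
resource "azurerm_key_vault" "kv" {
  name                          = "kv-secure-pg-demo"   # assumed, must be globally unique
  location                      = var.location
  resource_group_name           = var.resource_group_name
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "standard"
  enable_rbac_authorization     = true
  purge_protection_enabled      = true
  public_network_access_enabled = false

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

# In RBAC mode the deploying principal needs a data-plane role before it can write a secret.
resource "azurerm_role_assignment" "deployer_secrets_officer" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_secret" "pg_admin" {
  name         = "pg-admin-password"
  value        = random_password.pg_admin.result
  key_vault_id = azurerm_key_vault.kv.id
  depends_on   = [azurerm_role_assignment.deployer_secrets_officer]
}

# Least privilege for the workload: the Managed Identity may read secrets, nothing more.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-app"
  location            = var.location
  resource_group_name = var.resource_group_name
}

resource "azurerm_role_assignment" "app_secrets_user" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}
```

Two caveats a practitioner will hit: with `public_network_access_enabled = false` the `azurerm_key_vault_secret` write only succeeds when Terraform runs from inside the VNet (or through a Key Vault private endpoint), so a laptop-based `terraform apply` of this fragment needs a temporary `ip_rules` entry or a self-hosted runner; and the generated password still lives in Terraform state, so the state backend must be as tightly controlled as the vault itself.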

Security Principles

  1. Zero Trust: All connections are verified and authorized
  2. Defense in Depth: Multi-layered protection
  3. Least Privilege: Minimum necessary access rights
  4. Network Segmentation: Component isolation

Project Structure

├── README.md                 # Project documentation
├── main.tf                   # Main Terraform configuration
├── variables.tf              # Variables
├── outputs.tf                # Output values
├── terraform.tfvars.example  # Variable examples
├── versions.tf               # Provider versions
├── modules/                  # Terraform modules
│   ├── networking/
│   ├── database/
│   └── security/
└── .github/workflows/        # CI/CD pipelines

Requirements

  • Terraform >= 1.5.0
  • Azure CLI >= 2.40.0
  • Active Azure subscription
  • Permissions to create Azure resources

Deployment

1. Preparation

# Clone repository
git clone <repository-url>
cd AzureProblem

# Azure authentication
az login

# Terraform initialization
terraform init

2. Configuration

# Copy variable examples
cp terraform.tfvars.example terraform.tfvars

# Edit variables according to your requirements
nano terraform.tfvars

3. Planning and Deployment

# Check deployment plan
terraform plan

# Apply configuration
terraform apply

Database Connection

After deployment, the database is reachable only over the private network:

  1. From a virtual machine in the same VNet
  2. Through a VPN Gateway, for connections from an on-premises network
  3. Through Azure Bastion, for secure administrative access

Connection Example

# Connection via psql
psql "host=<private-endpoint-fqdn> port=5432 dbname=postgres user=<username>"

Automation

The project includes a GitHub Actions workflow for:

  • Terraform code validation
  • Linting and formatting
  • Automated testing
  • Secure deployment

Monitoring and Maintenance

  • Azure Monitor for performance monitoring
  • Log Analytics for centralized logging
  • Azure Security Center for security tracking
  • Automatic backups

Compliance

The architecture complies with:

  • Azure Well-Architected Framework
  • GDPR data protection requirements
  • SOC 2 security standards
  • PCI DSS for payment data processing

Support

For questions and issues, create an issue in the repository or contact the Platform team.
