Deploy Azure MySQL Flexible Server using Private End-Points (Manual)

In this manual I am going to show you how to deploy Azure MySQL Flexible Server behind a private endpoint, with data at rest encrypted using a customer-managed key (CMK) held in Azure Key Vault. The default is a service-managed key, which needs none of the identity and key vault setup below; the CMK setup is what gives you control over the key and the ability to revoke it.

image 55

What is Azure MySQL Flexible Server?

Azure Database for MySQL Flexible Server is a fully managed Azure database service designed for more granular control and flexibility over database management functions and configuration settings. With Flexible Server you decide which availability model you want: a single server, same-zone high availability, or zone-redundant high availability, optionally combined with geo-redundant backup storage. Last but not least, you can set up replication to a Flexible Server in a different geography.

One of the main advantages of a managed service is that Microsoft performs automated patching of the underlying hardware, OS and database engine, which keeps your server secure and up to date.

Currently MySQL Flexible Server supports MySQL 5.7 and 8.0. With MySQL 5.7 reaching end of life on October 21, 2023, I recommend not using version 5.7 anymore unless you temporarily need it for migration purposes.

STEP 1: Create managed identity

The first step is to create a user-assigned managed identity. The MySQL Flexible Server will use this identity to authenticate to the Key Vaults that hold the key used to encrypt data at rest.

Go to Managed Identities and click Create

image 54

Give your managed Identity a name and continue with the creation of the identity.

image 53

STEP 2: Create Key vault Datacenter 1 (West Europe)

For this manual I will use the West Europe and North Europe datacenters, which form an Azure region pair; the second vault holds the key for the paired region. Both key vaults will be accessed by the managed identity. Important for encryption of data at rest: enable purge protection (soft delete is already on by default). If you do not enable this option, deployment of the Azure MySQL Flexible Server will fail.

image 29

On the next page make sure to select Vault access policy as the permission model. At the time of writing, Azure role-based access control results in an error that the key vault cannot be found when you deploy the Azure MySQL Flexible Server. Now click on the Create button under the access policies to add a policy that grants the managed identity the required permissions.

image 56

To be able to read and use the encryption key, select the following key permissions:

  • Get
  • Wrap key
  • Unwrap key

image 32

As the principal, select the managed identity you just created. In our case: MI-SRV-MYSQL-P01

image 33

When complete, the permissions should look like this. Your own account also needs key permissions on the vault to create the key (at minimum Create, Get and List under Key Management Operations). Granting your account all permissions, as shown here, works but is broader than the task requires.

image 34

On the Networking page we are going to limit access to the key vault. I would prefer to use a private endpoint, but the Microsoft documentation requires Public access from selected networks with trusted Microsoft services allowed through. Add the IP range you administer the vault from (the portal talks to the vault from your browser, so your own address must be allowed) and make sure to check the box Allow trusted Microsoft services to bypass this firewall; that bypass is what lets the MySQL service reach the key.

image 35

When ready, review your setup and create the key vault.

image 36

STEP 3: Create Key vault Datacenter 2 (North Europe)

Create the key vault in North Europe with the same parameters as specified in step 2, including the access policy for the managed identity.

image 37

STEP 4: Deploy Azure MySQL Flexible Server

Now we are going to deploy the MySQL Flexible Server. Go to Azure Database for MySQL flexible servers and click on the Create button.

image 38

Now give your server a name. Only lowercase letters, digits and hyphens are allowed; other characters are not supported. Select a region and MySQL version, choose a workload type and click on Configure server.

image 50

On this page you choose your compute tier. The Burstable tier is meant for flexible, low-utilisation workloads; General Purpose and Business Critical are for production workloads. If you want to use read replicas you must choose the General Purpose or Business Critical tier; Burstable does not support them.

Additional IOPS

You can scale your IOPS to optimize the performance of an IO-intensive operation. Each server is provisioned with 1000 free IOPS; you are charged for the additional IOPS used, rounded up to the nearest minute.

Price (at the time of writing):
  • Additional IOPS: €0.048 per IOPS per month

Paid IO

Azure Database for MySQL will automatically scale your IOPS depending on the workload, without the need for you to manually pre-provision IOPS. This is a cost-effective IO model which charges only for what the workload consumes.

Price (at the time of writing):
  • Paid IO, locally redundant storage (LRS): €0.190 per 1 million requests
  • Paid IO, zone redundant storage (ZRS): €0.237 per 1 million requests

Select your desired backup retention policy and click save.

image 40

Now select an availability zone. If you want to use this server for production purposes, make sure to select Enable high availability. For this manual I chose not to enable high availability. This setting can NOT be changed after the creation of the server, so choose wisely :). The last option on this page is the authentication method: MySQL authentication only, Microsoft Entra authentication only, or both.

image 41

On the Networking tab, select Public access (allowed IP addresses) and Private endpoint as the connectivity method. Since the point of this setup is private connectivity, do not enable public access on this tab and add no firewall rules; the private endpoint is the only intended path to the server. Scroll down to Private endpoint.

image 42

Click on Add private endpoint. On the new blade, give the private endpoint a name, select the desired virtual network and subnet, and choose whether to integrate with a private DNS zone (privatelink.mysql.database.azure.com). Without that DNS integration, clients inside the virtual network will not resolve the server name to the endpoint's private IP address. Click Save and then Next.

image 51

On the Security tab we are going to configure data encryption. First click on Change identity to select the identity created in step 1. If you enabled geo-redundant backup, you need to do this twice: once for the primary region and once for the backup (paired) region.

image 44

Select the Managed Identity

image 46

Now we are going to select a key. Again, you need to do this twice if geo-redundant backup was enabled: the primary key from the West Europe vault and the backup key from the North Europe vault.

image 45

Now select the key vault for the desired region that we created in step 2 (or step 3 for the backup key) and click on Create new key.

image 47

Now give the key a name. As key type, make sure to select RSA; EC is not supported. RSA key sizes of 2048, 3072 and 4096 bits are supported. Make sure the status is set to Enabled and click Create.

image 48

Once created, the blade closes and you will have to reselect the key.

image 45

Now select the just-created key, pick a specific version, and click Save.

image 49

When completed, your overview should look like this:

image 52

Now go over the last two tabs and click Create. The deployment takes approximately 10-15 minutes.
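The four steps above, together with the two checks from the troubleshooting section that follows, as one Azure CLI script. This is an added example and not part of the original post. The resource group, vault, server and network names, the admin IP address, the SKU and the storage size are assumptions chosen for the example; the CLI flags are the ones I know from az, but check them against az ... --help for the version you run. The three helper functions (server name check, versioned key identifier check, vault settings check) run offline; the deployment itself only runs when DEPLOY=yes is set and you are signed in with az.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): steps 1-4 of the walk-through as an Azure CLI
# script, plus pre-flight checks for the two errors in the troubleshooting section.
# Every name below is an assumption for this example; adjust it to your environment.
set -eu

RG="rg-mysql-p01"                                   # assumed, must already exist
LOC_PRIMARY="westeurope"; LOC_BACKUP="northeurope"  # region pair, as in the post
UMI_NAME="MI-SRV-MYSQL-P01"                         # identity name from the post
KV_PRIMARY="kv-mysql-weu-p01"; KV_BACKUP="kv-mysql-neu-p01"   # assumed, must be globally unique
KEY_NAME="mysql-cmk"; SERVER="mysql-p01"            # assumed
VNET="vnet-hub-p01"; SUBNET="snet-privatelink"      # assumed existing VNet/subnet for the endpoint
ADMIN_IP="203.0.113.10"                             # assumed: the address you manage the vault from
DNS_ZONE="privatelink.mysql.database.azure.com"

# Server names: lowercase letters, digits and hyphens only, 3-63 characters,
# no leading or trailing hyphen (the conservative form of the portal's rule).
validate_server_name() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$'
}

# The server must be given a key identifier that includes a version (".../keys/<name>/<32 hex>").
validate_key_id() {
  printf '%s\n' "$1" | grep -Eq '^https://[a-z0-9-]+\.vault\.azure\.net/keys/[A-Za-z0-9-]+/[0-9a-f]{32}$'
}

# Reads the output of `az keyvault show -o json` on stdin and checks the settings the deployment
# depends on: soft delete and purge protection on, vault access policies rather than RBAC.
# Substring checks on the pretty-printed JSON are enough for a sanity check.
vault_is_cmk_ready() {
  json="$(cat)"
  case "$json" in *'"enableSoftDelete": true'*) ;; *) return 1 ;; esac
  case "$json" in *'"enablePurgeProtection": true'*) ;; *) return 1 ;; esac
  case "$json" in *'"enableRbacAuthorization": true'*) return 1 ;; esac
  return 0
}

# STEP 1: user-assigned managed identity the server uses to reach the vaults.
create_identity() {
  az identity create -g "$RG" -n "$UMI_NAME" -l "$LOC_PRIMARY" -o none
  UMI_ID=$(az identity show -g "$RG" -n "$UMI_NAME" --query id -o tsv)
  UMI_PRINCIPAL=$(az identity show -g "$RG" -n "$UMI_NAME" --query principalId -o tsv)
}

# STEPS 2 and 3: one vault per region. Purge protection on, access-policy model, firewall on with
# the trusted-services bypass and your admin IP, and only the three key permissions the identity needs.
create_vault() {  # $1 = vault name, $2 = region
  az keyvault create -g "$RG" -n "$1" -l "$2" \
    --enable-purge-protection true --retention-days 90 --enable-rbac-authorization false \
    --default-action Deny --bypass AzureServices --network-acls-ips "$ADMIN_IP" -o none
  az keyvault set-policy -n "$1" --object-id "$UMI_PRINCIPAL" \
    --key-permissions get wrapKey unwrapKey -o none
  az keyvault key create --vault-name "$1" -n "$KEY_NAME" --kty RSA --size 3072 -o none
  vault_json=$(az keyvault show -n "$1" -o json)
  printf '%s\n' "$vault_json" | vault_is_cmk_ready   # fail here, not 15 minutes into the deployment
}

# STEP 4: the server with a customer-managed key for the primary and backup regions and no public
# access, followed by the private endpoint and the private DNS zone it is registered in.
create_server() {
  : "${ADMIN_PASSWORD:?export ADMIN_PASSWORD before deploying}"
  key_id=$(az keyvault key show --vault-name "$KV_PRIMARY" -n "$KEY_NAME" --query key.kid -o tsv)
  backup_key_id=$(az keyvault key show --vault-name "$KV_BACKUP" -n "$KEY_NAME" --query key.kid -o tsv)
  validate_server_name "$SERVER"
  validate_key_id "$key_id"
  validate_key_id "$backup_key_id"
  az mysql flexible-server create -g "$RG" -n "$SERVER" -l "$LOC_PRIMARY" \
    --version 8.0.21 --tier GeneralPurpose --sku-name Standard_D2ds_v4 --storage-size 128 \
    --backup-retention 7 --geo-redundant-backup Enabled --high-availability ZoneRedundant \
    --admin-user mysqladmin --admin-password "$ADMIN_PASSWORD" --public-access Disabled \
    --identity "$UMI_ID" --key "$key_id" --backup-identity "$UMI_ID" --backup-key "$backup_key_id" \
    --yes -o none
  SERVER_ID=$(az mysql flexible-server show -g "$RG" -n "$SERVER" --query id -o tsv)
  az network private-endpoint create -g "$RG" -n "pe-$SERVER" -l "$LOC_PRIMARY" \
    --vnet-name "$VNET" --subnet "$SUBNET" --private-connection-resource-id "$SERVER_ID" \
    --group-id mysqlServer --connection-name "pe-$SERVER-conn" -o none
  az network private-dns zone create -g "$RG" -n "$DNS_ZONE" -o none
  az network private-dns link vnet create -g "$RG" -n "link-$VNET" -z "$DNS_ZONE" -v "$VNET" -e false -o none
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "pe-$SERVER" -n default \
    --private-dns-zone "$DNS_ZONE" --zone-name mysql -o none
}

# Nothing is deployed unless asked for, so the file can be sourced just for the checks.
if [ "${DEPLOY:-no}" = "yes" ]; then
  create_identity
  create_vault "$KV_PRIMARY" "$LOC_PRIMARY"
  create_vault "$KV_BACKUP" "$LOC_BACKUP"
  create_server
fi
```

The vault check runs right after each vault is created so that a vault without purge protection or one created in RBAC mode is caught before the 10-15 minute server deployment starts; the versioned-key check catches the case where a versionless key identifier is passed. The identity gets only Get, Wrap Key and Unwrap Key, exactly the three permissions from step 2, and the vault firewall allows only the admin address plus the trusted-services bypass.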

Troubleshooting / common errors

If you get the error Could not find Azure Key Vault Key with key name xxxxx, the managed identity does not have the correct permissions on the key vault (Get, Wrap Key and Unwrap Key). Also make sure that the key vault uses vault access policies instead of role-based access control, and that Allow trusted Microsoft services to bypass this firewall is enabled on the vault's networking settings.

image 31

If you get the error The provided Key Vault uri xxxxx is not valid. Please ensure the key vault has been configured with soft-delete and purge protection:

Go to your key vault, open Properties and select Enable purge protection at the bottom of the page. Note that purge protection cannot be turned off again once it has been enabled.

image 30

More information:

https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-customer-managed-key#limitations

https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview

https://learn.microsoft.com/en-us/azure/mysql/single-server/how-to-data-encryption-troubleshoot
