This connection option is only available for dedicated Astro clusters.
To set up a private connection between an Astro Virtual Network (VNet) and an Azure VNet, you can create a VNet peering connection. VNet peering ensures private and secure connectivity, reduces network transit costs, and simplifies network layouts.
- Retrieve the following information from the target Azure environment that you want to connect with:
  - Azure Tenant ID and Subscription ID.
  - VNet name.
  - Resource Group name.
- Prepare the `astro-vnet-peering-creator-role.json` JSON file with the following permissions. Replace `{customer-subscription-id}` with your value:

  ```json
  {
    "Name": "Astro VNET Peering Contributor",
    "IsCustom": true,
    "Description": "Can create VNET peering with Astro.",
    "Actions": [
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/subscriptions/read",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/write",
      "Microsoft.Network/virtualNetworks/peer/action",
      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read"
    ],
    "NotActions": [],
    "AssignableScopes": [
      "/subscriptions/{customer-subscription-id}"
    ]
  }
  ```
- Run the following Azure CLI commands to give Astronomer support temporary permissions to establish a VNet peering connection:

  ```bash
  # Add Astronomer Service Principal
  az ad sp create --id a67e6057-7138-4f78-bbaf-fd9db7b8aab0

  # Create a Custom role with permissions prepared in previous step
  az role definition create --role-definition ~/astro-vnet-peering-creator-role.json

  # Assign Custom role to the Astronomer Service Principal ({customer-subscription-id} has to be replaced with your value)
  az role assignment create \
    --assignee a67e6057-7138-4f78-bbaf-fd9db7b8aab0 \
    --role "Astro VNET Peering Contributor" \
    --scope "/subscriptions/{customer-subscription-id}"

  # Verify an assignment
  az role assignment list --assignee a67e6057-7138-4f78-bbaf-fd9db7b8aab0 --all -o table
  ```
- Contact Astronomer support to tell them that you granted permissions to the Astronomer Service Principal. In addition, provide the following details in your request:
  - Astro Cluster ID
  - Azure Tenant ID and Subscription ID of the target VNet
  - Resource group name
  - VNet Name and preferred name for peering
After receiving your request, Astronomer support creates a VNet peering connection between the two VNets. No other actions are required from you. Astronomer support will notify you when the connection is ready to use.
When the network connection is confirmed, you can delete the temporary roles you created using the following command. Replace {customer-subscription-id} with your value:
```bash
az role assignment delete \
  --assignee a67e6057-7138-4f78-bbaf-fd9db7b8aab0 \
  --role "Astro VNET Peering Contributor" \
  --scope "/subscriptions/{customer-subscription-id}"
```
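A pre-flight and cleanup check for the steps above, as an added example that is not part of Astronomer's documentation: `lint_role_definition` compares a role file against the action list on this page and flags wildcards or an unreplaced `{customer-subscription-id}` placeholder, and `leftover_assignments` scans the output of the page's `az role assignment list` command for the temporary role. It assumes that command is run with `-o json` and that each entry carries `roleDefinitionName` and `scope`; the function names and sample values are constructed for illustration.

```python
# Actions listed in this page's astro-vnet-peering-creator-role.json.
EXPECTED_ACTIONS = {
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/peer/action",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
}
ROLE_NAME = "Astro VNET Peering Contributor"


def lint_role_definition(role):
    """Return findings for a parsed role file; an empty list means it matches the page."""
    findings = []
    actions = set(role.get("Actions", []))
    for action in sorted(actions):
        if "*" in action:
            findings.append(f"wildcard action: {action}")
        elif action not in EXPECTED_ACTIONS:
            findings.append(f"action not in documented set: {action}")
    for action in sorted(EXPECTED_ACTIONS - actions):
        findings.append(f"documented action missing: {action}")
    scopes = role.get("AssignableScopes", [])
    if len(scopes) != 1:
        findings.append(f"expected one assignable scope, found {len(scopes)}")
    for scope in scopes:
        if "{" in scope or "}" in scope:
            findings.append(f"placeholder not replaced: {scope}")
        elif not scope.startswith("/subscriptions/"):
            findings.append(f"scope is not a subscription path: {scope}")
    return findings


def leftover_assignments(assignments):
    """Scopes where the temporary role is still assigned (input: parsed CLI JSON list)."""
    return [a["scope"] for a in assignments if a.get("roleDefinitionName") == ROLE_NAME]


if __name__ == "__main__":
    # Constructed sample: one extra wildcard action and the placeholder left in place.
    sample = {"Actions": sorted(EXPECTED_ACTIONS) + ["Microsoft.Network/*"],
              "AssignableScopes": ["/subscriptions/{customer-subscription-id}"]}
    print(lint_role_definition(sample))
    # Constructed stand-in for one entry of the role assignment list output.
    print(leftover_assignments([{"roleDefinitionName": ROLE_NAME, "scope": "/subscriptions/0000"}]))
```

Run the lint on the result of `json.load` over the role file before `az role definition create`, and run `leftover_assignments` on the parsed list output after the delete command; it should return an empty list once cleanup is complete.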