Solved: Re: Unable to connect MS Fabric and Azure database...

Kash10 · ‎12-02-2025

Hi All,

I’m having issues establishing connectivity between Microsoft Fabric and Azure Database for PostgreSQL using the Copy Activity.

When I try connecting without an on-prem data gateway, Fabric does not expose any fixed outbound IP that I can whitelist on the PostgreSQL firewall.
When I instead whitelist the IP of the server where the on-prem data gateway is installed, the connection still fails with an error-

Has anyone faced this issue and found a working solution or an alternative configuration that allows Fabric to connect to Azure PostgreSQL?

Kash10 · ‎12-11-2025

Hi All,

Thanks for your support , the issue has now been resolved. With the same tech stack, the on-premises data gateway works as expected.

Below is the additional action required:

Microsoft Fabric currently does not support mutual TLS (mTLS) when connecting to PostgreSQL. It only supports standard TLS with username/password authentication and cannot present the client certificate and key required by our mTLS-enabled PgBouncer endpoint. Due to this limitation, Fabric fails during the handshake phase, resulting in the error observed.

To enable Fabric connectivity while preserving our existing security posture, we will proceed with Alternative 1 from our internal analysis:

✅Planned Approach
We will relax mTLS enforcement only for Fabric by setting up a dedicated PgBouncer listener/pool that:

does not require client certificates,
is accessible from Fabric’s data gateway public IP range, and IP address of on prem data gateway.
retains full mTLS enforcement for all other traffic.This approach allows us to maintain strong security controls while ensuring Fabric can connect successfully.

View solution in original post

v-sgandrathi · ‎12-11-2025

Hi @Kash10,

Thank you so much for the clear update and for taking the time to resolve the issue.
We really appreciate your effort and support throughout the process. Please let us know if you need anything further from our side.

Thank you.

v-sgandrathi · ‎12-10-2025

Hi @Kash10,

we haven't heard back from you regarding our last response and wanted to check if your issue has been resolved.

Should you have any further questions, feel free to reach out.
Thank you for being a part of the Microsoft Fabric Community Forum!

Kash10 · ‎12-11-2025

Hi All,

Thanks for your support , the issue has now been resolved. With the same tech stack, the on-premises data gateway works as expected.

Below is the additional action required:

Microsoft Fabric currently does not support mutual TLS (mTLS) when connecting to PostgreSQL. It only supports standard TLS with username/password authentication and cannot present the client certificate and key required by our mTLS-enabled PgBouncer endpoint. Due to this limitation, Fabric fails during the handshake phase, resulting in the error observed.

To enable Fabric connectivity while preserving our existing security posture, we will proceed with Alternative 1 from our internal analysis:

✅Planned Approach
We will relax mTLS enforcement only for Fabric by setting up a dedicated PgBouncer listener/pool that:

does not require client certificates,
is accessible from Fabric’s data gateway public IP range, and IP address of on prem data gateway.
retains full mTLS enforcement for all other traffic.This approach allows us to maintain strong security controls while ensuring Fabric can connect successfully.

svenchio · ‎12-03-2025

Hi @Kash10 I read thru your message and there're something I would like to clarify that I think will help figuring this issue out 🤞 ... so, let first enumerate the conditions:

#1. You have a PostgreSQL Database hosted in Azure AND you do NOT WANT that server to have Public access that is allowing all IP addresses.

#2. You said 👉"Fabric does not expose any fixed outbound IP that I can whitelist", and that's true because Fabric is a platform with hundreds of VNET's and whitelisting Fabric traffic is not possible.

#3. Then, you created a on-prem data gateway to funnel your traffic via one VM (the gateway) and whitelist your VM IP address on your Azure PostgreSQL, and it did not work.

If all of what I just said is true, some conclusions:

#1. Witelist Fabric traffic is not a solution

#2. You On-prem gateway IS NOT GOING TO WORK, because your PostgreSQL database IS NOT ON PREM... is it in Azure! You're trying to use On-prem gateway as a "workaround" to reach azure, but this is not the suggested approach for your escenario, you need something different: Virtual network data gateway

#3. And from your PostgreSQL, you need to configure a Network with private access (virtual network integration) for Azure Database for PostgreSQL https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking-private ; of course this bring a WHOLE NEW TOPIC, that is Networking in Azure, but this depends a lot of your company confirguration, policies, restrictions, topology, etc. etc. etc. that is out of the scope for this forum (unless specific implementation questions)

The solution to your issue can be summarized as follow:

#1. You are using an incorrect gateway in Fabric

#2. You need to choose, or you allows public access on your postgresql for Fabric to communicate, or you configure Network with private access in PostgreSQL in combination with a Virtual network data gateway in Fabric.

Hope I did capture your scenario 😅 and this information has been useful, i would appreciate a kudos and for to mark this as "solution" of your issue, I know you have lots to do to acctually get this working, but I hope you consider my analysis as the actual solution for this post.... best of lucks.

Zanqueta · ‎12-03-2025

hi @Kash10,

This is a common challenge when connecting Microsoft Fabric Data Pipelines to Azure Database for PostgreSQL, because Fabric currently does not expose fixed outbound IPs for whitelisting. Let me break down why this happens and what you can do:

Possible Solutions / Workarounds

Option 1: Use VNet Integration with Managed Private Endpoints

In Fabric, create a Managed Private Endpoint to your Azure PostgreSQL instance.
This requires:
- Your PostgreSQL server to be in a VNet (via Private Link).
- Fabric workspace to have Managed VNet enabled.
This way, traffic flows through the private network, avoiding firewall IP whitelisting issues.
https://learn.microsoft.com/fabric/data-factory/managed-private-endpoints

Option 2: Use On-Premises Data Gateway (Correct Configuration)

Ensure the gateway is installed on a machine that can reach Azure PostgreSQL.

In the Copy Activity:
- Select Gateway connection explicitly.
- Verify that the gateway is online and mapped to the PostgreSQL connector.
Whitelist the public IP of the gateway machine in the PostgreSQL firewall.
Check that SSL is enabled in the connection string (PostgreSQL requires SSL by default).

If this helps, please give a 👍 and mark as solution. It saves others from chasing dynamic IP ghosts! 🌀

If this response was helpful in any way, I’d gladly accept a kudo.
Please mark it as the correct solution. It helps other community members find their way faster.
Connect with me on LinkedIn

Kash10 · ‎12-03-2025

Hi Zanqueta,

Regarding option 2, I have already covered all the steps listed, however as soon as I select the on prem data gateway from the drop down list, I get the error "3 arguments were passed to a function that expects 2"

Zanqueta · ‎12-03-2025

Thanks for you feedback @Kash10,

In your Power BI Desktop it was working? Are you using parameters or get the string directly?

This typically occurs due to the way parameters are passed when selecting the gateway.

Please, look at this when creating the connection in Fabric:

Only specify:
- Server: servername.postgres.database.azure.com
- Database
- Authentication: username@servername and password
Enable SSL, as this is mandatory for Azure PostgreSQL.

If this response was helpful in any way, I’d gladly accept a 👍much like the joy of seeing a DAX measure work first time without needing another FILTER.

Please mark it as the correct solution. It helps other community members find their way faster (and saves them from another endless loop 🌀.

If this response was helpful in any way, I’d gladly accept a kudo.
Please mark it as the correct solution. It helps other community members find their way faster.
Connect with me on LinkedIn

Kash10 · ‎12-03-2025

Hi Zanqueta,

I am trying to connect through data factory, haven't tried through Power BI Desktop as my requirement is more from a data engineering perspective. I have used the connection strings directly as you have mentioned, still it's not connecting.

v-sgandrathi · ‎12-07-2025

Hi @Kash10,

It appears that the main issue is Fabric Data Factory’s inability to connect to Azure PostgreSQL because the connection is routed through the public network, and Fabric doesn’t provide fixed outbound IPs. As a result, whitelisting the gateway machine’s IP isn’t a reliable solution. The recommended approach is to enable Managed VNet in your Fabric workspace and set up a Managed Private Endpoint to your Azure PostgreSQL instance (which should have Private Link enabled). This configuration allows for private network communication, avoiding IP-based firewall issues. If you choose to use the on-premises data gateway, make sure it’s updated, properly mapped to the PostgreSQL connector, and that SSL and the correct credentials (username@servername) are used.

Thank you.