
App service cannot connect to postgresql

ahd 270 Reputation points
2026-03-31T20:16:52.93+00:00

I have deployed a web app running (next.js + payload + cms). A PostgreSQL database is placed inside a VNet with no public access. The secrets are stored in Key Vault, and the App Service managed identity has permissions to read secrets from Key Vault. Docker images are stored in ACR.

We want to perform the DB migration after the deployment in the pipeline. As the DB is a private resource, the migration is handled through App Service. When I print the KV secrets, App Service knows about the secrets, but when it tries to authenticate to the DB it cannot. I made sure the password is properly set. To keep it simple, the password doesn't have any special chars (only numbers and letters) for initial testing.

Are any additional settings required?


Azure Database for PostgreSQL

Answer accepted by question author
  1. Achraf Ben Alaya 1,396 Reputation points MVP
    2026-03-31T21:25:59.76+00:00

    Hi,

    If it is "password authentication failed", it's the username or the value. Otherwise, to fix the database connection error, ensure your Azure PostgreSQL Flexible Server allows standard "PostgreSQL authentication" rather than Entra ID only, and verify that your Key Vault password secret contains no hidden trailing spaces or newline characters.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

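The hidden-whitespace check suggested in the accepted answer, as an added example that is not part of the original answer or any Microsoft code: a Node.js helper that reports invisible characters in a secret value without printing the value itself. The name `inspectSecret` is hypothetical and the sample values are constructed.

```javascript
// Added example: report invisible characters in a secret without logging the secret.
// inspectSecret is a hypothetical helper name; it only returns lengths, positions and labels.
const SUSPECT = [
  { name: 'byte order mark', re: /\uFEFF/g },
  { name: 'carriage return', re: /\r/g },
  { name: 'newline', re: /\n/g },
  { name: 'tab', re: /\t/g },
  { name: 'non-breaking or zero-width space', re: /[\u00A0\u200B\u200C\u200D]/g },
  { name: 'other control character', re: /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g },
];

function inspectSecret(value) {
  const findings = [];
  if (typeof value !== 'string' || value.length === 0) {
    return { ok: false, length: 0, findings: ['secret is empty or not a string'] };
  }
  // trim() strips spaces, tabs, CR/LF, NBSP and BOM, so any difference means padding.
  if (value !== value.trim()) findings.push('leading or trailing whitespace');
  for (const { name, re } of SUSPECT) {
    const hits = [...value.matchAll(re)].map((m) => m.index);
    if (hits.length > 0) findings.push(`${name} at index ${hits.join(', ')}`);
  }
  return { ok: findings.length === 0, length: value.length, findings };
}

// Constructed sample values (not real credentials).
const samples = {
  clean: 'Abc123xyz',
  trailingNewline: 'Abc123xyz\n', // typical when a secret is set from a file or shell pipe
  crlf: 'Abc123xyz\r\n',          // typical when the value was pasted from a Windows editor
  bom: '\uFEFFAbc123xyz',
};
for (const [label, value] of Object.entries(samples)) {
  console.log(label, JSON.stringify(inspectSecret(value)));
}
```

In the app, pass it the value the database client actually receives (for example the environment variable populated from the Key Vault reference; the variable name is deployment-specific) and log only the returned object.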

1 additional answer

  1. Pilladi Padma Sai Manisha 6,430 Reputation points Microsoft External Staff Moderator
    2026-03-31T21:57:03.51+00:00

    Hi ahd,
    Thank you for reaching Microsoft Q&A!
    Thanks for the clarification — since authentication is now working, the issue is most likely related to permissions and how migrations are being executed, not connectivity.

    In Azure Database for PostgreSQL Flexible Server, creating a new database is typically restricted to the admin user defined at server creation. If your migration process is trying to run CREATE DATABASE, it will fail unless you are using that admin role. The recommended approach is to create the database upfront using the portal, CLI, or admin user, and then use migrations only for schema changes like tables and indexes.

    You should also verify that the user you are using has sufficient permissions on the target database. Even if login succeeds, migrations can fail if the user does not have rights on the schema. You can grant access using:

    GRANT ALL PRIVILEGES ON DATABASE your_db TO your_user;
    

    Another important point is how migrations are executed. Running migrations from an Azure App Service during startup is not always reliable, especially for one-time or deployment-time operations. A better approach is to execute migrations from your CI/CD pipeline using an agent that has network access to the private database, such as a self-hosted agent inside the VNet. You can also use a separate job or container dedicated to running migrations.

    Since your database is private, make sure that whatever process is running the migrations has proper VNet integration and can resolve the database’s private DNS endpoint correctly.

    For Next.js or Node.js-based applications like Payload CMS, migrations are usually handled using tools such as Prisma, Knex, or Sequelize. For example, with Prisma you can run npx prisma migrate deploy, and with Knex you can run knex migrate:latest. These commands should be executed from an environment that has both correct permissions and network access.

    Ensure the database is pre-created using an admin account, grant proper schema permissions to your application user, and run migrations from a controlled environment like a pipeline or dedicated job rather than relying on App Service startup.

    1 person found this answer helpful.
