microsoft / vscode-cosmosdb

Azure Databases extension for VS Code
https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-cosmosdb
MIT License

Find a more resilient way to handle IP address and firewall settings for PostgreSQL databases #2179

Closed JasonYeMSFT closed 10 months ago

JasonYeMSFT commented 1 year ago

Currently, the extension will attempt to get the current client IP and the firewall settings. If it thinks the IP is not in the permitted list, it prompts to auto-add current IP to the firewall settings. This faces the following challenges.

dhpalan commented 1 year ago

Hello Jason, could it be possible that the changes that I observed in the latest version of Azure Resources v0.7.5 are caused by changes implemented for this issue?

Feature to add IP to Postgres firewall rule has stopped working

For details of the issue -> https://github.com/microsoft/vscode-cosmosdb/issues/2204

JasonYeMSFT commented 1 year ago

@dhpalan It's possible. If you want to verify if it's really the case, you can trigger the "auto add firewall rule dialog" in the extension, and write down the IP address being displayed there. Then go to Azure Portal, navigate to your database's network blade. Azure Portal should offer you a button to add your current IP address to the firewall rule. If that IP address doesn't match the one you just wrote down, then this issue is very likely to be the root cause of your problem.

The change I made doesn't solve this problem. It only prevents the extension from infinitely asking users to add the IP address to the firewall rules if it doesn't work. If you see a warning message without letting you auto-configure the firewall, you should go to Azure Portal and try setting it up there.

dhpalan commented 1 year ago

The IP addresses don't always match as I WFH and connect via a VPN. Therefore my browser will show the egress IP of an internet proxy in my corporate network, whereas the IP address that I must add to the firewall must be my personal IP (the connection to the database never uses the VPN). It's complicated!

> If you see a warning message without letting you auto-configure the firewall, you should go to Azure Portal and try setting it up there.

That's exactly what I had to do as the "auto-configure the firewall" dialog box didn't show up as in the past. I used the button in Azure portal (database's network blade) to add my current IP address to the firewall rule.

> you can trigger the "auto add firewall rule dialog" in the extension

I wasn't aware that this is possible from the command palette. Found it :) F1 -> PostgreSQL: Configure Firewall

Thanks a lot for your help.


JasonYeMSFT commented 1 year ago

I should consult the Portal team on how we can reliably get the correct IP to add to the firewall settings.

Edit: Azure Portal uses one of its internal APIs to get the client IP address, but it also claims that "some network environments may not report the actual public-facing IP address needed to access your server. Contact your network administrator if adding your IP address does not allow access to your server." I should rephrase our warning message to elaborate on what's going on.
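
The decision discussed in this thread, as an added example that is not code from vscode-cosmosdb: given the IP a lookup reported and the server's firewall rules, decide whether offering to add a rule can help, or whether the detected IP is already permitted and the server still rejects the client (the VPN/proxy case), where re-prompting would loop. The `FirewallRule` shape, the function names and the sample addresses are assumptions made for illustration.

```typescript
// Hypothetical shape: a firewall rule as an inclusive IPv4 range.
interface FirewallRule { name: string; startIpAddress: string; endIpAddress: string; }

type NextAction = "connected" | "offer-add-rule" | "warn-ip-mismatch";

// Convert a dotted-quad IPv4 address to a number; throws on malformed input.
function ipv4ToInt(ip: string): number {
  const parts = ip.trim().split(".");
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`not an IPv4 address: ${ip}`);
    return acc * 256 + Number(p);
  }, 0);
}

// True when the address falls inside at least one rule's inclusive range.
function isPermitted(ip: string, rules: FirewallRule[]): boolean {
  const n = ipv4ToInt(ip);
  return rules.some(r => ipv4ToInt(r.startIpAddress) <= n && n <= ipv4ToInt(r.endIpAddress));
}

// detectedIp: what the IP lookup reported. firewallRejected: whether the server
// refused the connection because of its firewall.
function nextAction(detectedIp: string, rules: FirewallRule[], firewallRejected: boolean): NextAction {
  if (!firewallRejected) return "connected";
  // The detected IP is already allowed, yet the server rejects the client: the
  // server sees a different source address than the lookup reported. Adding the
  // same IP again cannot help, so warn instead of prompting again.
  if (isPermitted(detectedIp, rules)) return "warn-ip-mismatch";
  return "offer-add-rule";
}

// Constructed sample data (documentation address ranges, not real hosts).
const sampleRules: FirewallRule[] = [
  { name: "home", startIpAddress: "203.0.113.10", endIpAddress: "203.0.113.10" },
  { name: "office", startIpAddress: "198.51.100.0", endIpAddress: "198.51.100.255" },
];
console.log(nextAction("192.0.2.44", sampleRules, true));   // lookup IP has no rule yet
console.log(nextAction("198.51.100.7", sampleRules, true)); // proxy IP allowed, still rejected
```
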