Getting Started

Add a Database — Azure Database for PostgreSQL Flexible Server

Step-by-step for Azure Flex: server-level firewall, azure_pg_admin role, and azure.extensions allowlist.

Azure Flexible Server is the easier of the two Azure PG products to monitor (the other is the retiring Single Server, which we don't support). The two Azure-specific gotchas are the server-level firewall and the azure.extensions allowlist. Get those right and the rest is unsurprising.

Pre-flight

Flex server, PG 13 or higher. Server admin credentials — the user you set during creation, sometimes azureuser, sometimes whatever you typed. Public network access enabled (or, if your security posture forbids it, agent mode in the same VNet).

Server firewall

Open the Networking blade, scroll to firewall rules, and add a rule for MonPG's egress. Azure expects start and end IP rather than CIDR, so split the /29:

Rule name: monpg-fleet
Start IP:  20.107.185.112
End IP:    20.107.185.119

Save. (No restart needed for firewall changes.)

Onboard via the UI

app.monpg.app → Setup → Microsoft Azure → Hosted — Auto-setup. The host looks like my-flex-server.postgres.database.azure.com. Username is your server admin (it's not postgres by default — Flex uses whatever you set). SSL mode require; Azure enforces it.

Test connection, pick databases, click Provision. The DDL we run is the same as RDS: monitor role, pg_stat_statements, monpg schema with two helper functions. No GUC changes.

The azure.extensions trap

Here's the one Azure-specific behavior that catches everyone the first time. Flex won't let you CREATE EXTENSION for any extension that isn't in the azure.extensions server parameter, even if the extension itself is shipped with Postgres. So you need to add it there first.

Server parameters blade → search for azure.extensions → comma-separated list of every extension you want to use:

pg_stat_statements,pgstattuple,hypopg,pg_buffercache,pgaudit,auto_explain

Save. azure.extensions itself doesn't need a restart, but SPL-bound extensions (auto_explain, pgaudit, pg_cron) also need to be added to shared_preload_libraries, which IS restart-bound.

If MonPG's onboarding flow tries to install pgstattuple for you and gets extension "pgstattuple" is not allow-listed, that's the missing azure.extensions entry. Add it, then retry the install from Settings → Servers → Extensions in the MonPG UI.

Logs via Event Hub

The Log Insights setup for Azure is more involved than other clouds because Diagnostic Settings has to route to a destination (Event Hub or Log Analytics) and you separately give MonPG access to consume from there. The Event Hub flow is documented end-to-end on Log Insights Azure, including the "Listen-only Shared Access Policy" gotcha that costs an hour the first time.

If something doesn't work

The usual suspects are the firewall rule (forgot it, wrong IP range, wrong port if you customized) or azure.extensions (you tried CREATE EXTENSION before adding to the allowlist). See Azure troubleshooting for the full list.