Troubleshooting Azure Flexible Server
Azure-specific issues: server parameter changes, azure.extensions allowlist, Event Hub Listen permission.
CREATE EXTENSION fails: "extension is not allow-listed"
Azure Flex requires every extension to be explicitly listed in the azure.extensions server parameter before CREATE EXTENSION works. The fix is straightforward but the error message doesn't tell you about azure.extensions by name, which is why this is the most common Azure setup question.
- Server parameters blade.
- Find azure.extensions.
- Add the extension name (comma-separated for multiple).
- Save. No restart needed for azure.extensions itself.
- Re-run CREATE EXTENSION.
For SPL-bound extensions (auto_explain, pgaudit, pg_cron) you also need to add them to shared_preload_libraries and restart the server.
ALTER SYSTEM fails "permission denied"
Azure Flex blocks ALTER SYSTEM by design — it would let users edit GUCs in a way that fights with Azure's parameter management. Use the Server parameters blade or the REST API instead. ALTER DATABASE ... SET and ALTER ROLE ... SET are also restricted on some parameters. The error messages are clear about which.
Event Hub: "Listen claim(s) are required"
Your Event Hub connection string is using a Send or Manage policy. Create a Listen-only Shared Access Policy on the Event Hub:
az eventhubs eventhub authorization-rule create --resource-group myrg --namespace-name mynamespace --eventhub-name postgres-logs --name monpg-listen --rights Listen
Use the resulting connection string in MonPG. The minimum-privilege thing matters here — a Manage-rights policy in MonPG would let us do more than read your logs, which is more than you want to grant.
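A pre-flight check for the connection string before it goes into MonPG, as an added example (not MonPG's own code): it looks up the policy named in the string and confirms that policy grants Listen and nothing else. It assumes the rule list has the name/rights shape of `az eventhubs eventhub authorization-rule list -o json`; the app-sender and ops-admin policies and the key value are constructed samples.

```python
import json

def parse_conn_str(conn_str):
    """Split an Event Hub connection string into its key=value fields."""
    fields = {}
    for part in conn_str.strip().split(";"):
        if part:
            # Split on the first '=' only: base64 keys end in '=' padding.
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    return fields

def check_listen_only(conn_str, rules_json):
    """Return a list of findings; an empty list means the string is Listen-only."""
    fields = parse_conn_str(conn_str)
    policy = fields.get("SharedAccessKeyName")
    if not policy:
        return ["no SharedAccessKeyName in connection string"]
    findings = []
    if "EntityPath" not in fields:
        findings.append("no EntityPath: string is namespace-scoped, not bound to one Event Hub")
    rules = {r["name"]: set(r.get("rights", [])) for r in json.loads(rules_json)}
    if policy not in rules:
        findings.append(f"policy '{policy}' not found among the Event Hub's rules")
        return findings
    extra = rules[policy] - {"Listen"}
    if "Listen" not in rules[policy]:
        findings.append(f"policy '{policy}' lacks Listen")
    if extra:
        findings.append(f"policy '{policy}' grants extra rights: {sorted(extra)}")
    return findings

# Constructed sample: rule list shaped like the az CLI's JSON output (assumption).
RULES = json.dumps([
    {"name": "monpg-listen", "rights": ["Listen"]},
    {"name": "app-sender", "rights": ["Send"]},
    {"name": "ops-admin", "rights": ["Manage", "Listen", "Send"]},
])
# Constructed connection string template; the key is a placeholder, not a real secret.
BASE = ("Endpoint=sb://mynamespace.servicebus.windows.net/;SharedAccessKeyName={};"
        "SharedAccessKey=Q09OU1RSVUNURUQ=;EntityPath=postgres-logs")

if __name__ == "__main__":
    for name in ("monpg-listen", "app-sender", "ops-admin"):
        print(name, check_listen_only(BASE.format(name), RULES) or "OK")
```

A connection string copied from the namespace level has no EntityPath and its policy will not appear in the Event Hub's own rule list, so it is reported on both counts.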
Hosted collector can't connect
The server-level firewall must allow 20.107.185.112/29. SSL is required by default on Azure Flex, and MonPG's default SSL mode (require) matches. If you're on private endpoint mode, the hosted fleet (which lives in a different Azure account) can't reach you; switch to agent mode and run the collector inside the same VNet as your DB.
Server parameter change reverts
Some Azure parameters are managed by Azure and silently reset back: replication settings, certain logging defaults. The "Modified by" column in the Server parameters blade tells you — if it shows "system", you can't override it. This is frustrating but at least it's visible.