Ask your Azure Database for PostgreSQL
read-only — no Azure OpenAI tutorial
- Verified read-only SQL
- NL→SQL agent for Azure Postgres
- Reusable AI SQL skills you export to Claude Code, Cursor & Codex
Connect Chion to Azure Database for PostgreSQL read-only, ask "department-level cost trends this quarter?" in plain English, and get verified SQL you can read line by line, an interactive chart, and a portable skill — no Azure OpenAI tutorial, no hand-written keyword blocklist, no code to maintain. See the exact SQL behind every answer.
Verified read-only SQL in under 10 seconds — 1,000-row cap, RLS honored.
Chion turns your Azure Database for PostgreSQL into an AI SQL analyst for conversational analytics — connect read-only, ask in plain English, and turn every verified query into a reusable skill with the SQL skills generator. Credentials are wrapped in an AES-256-GCM vault, every query runs as a read-only SELECT capped at 1,000 rows, and the row-level security on the role you provide is honored on every call. It is the AI SQL workforce your team can point at Flexible Server in two minutes.
Connect Flexible Server read-only in two minutes
What changes when your PostgreSQL lives on Azure.
Flexible Server vs Single Server
Microsoft is retiring Single Server in March 2025. Chion connects to both during the transition, but migrate to Flexible Server for new features and ongoing support.
PgBouncer on port 6432
Azure's built-in pooler answers on port 6432. Use it for high-concurrency teams; connect directly on 5432 otherwise. Chion's read-only query pattern is compatible with transaction pooling.
Firewall rules, not open access
Under Networking, add a firewall rule for the Chion IP range rather than opening the server to the internet. The same least-privilege posture runs through Chion's security model.
TLS 1.2+ with sslmode=require
Chion connects with sslmode=require by default and performs no certificate pinning. Azure Flexible Server enforces TLS 1.2 or higher, so no extra configuration is needed.
Connect today with a dedicated read-only role
Create a dedicated read-only role, hand Chion the password, and you are connected in minutes — no identity-provider setup required. Microsoft Entra ID (Azure AD) authentication is on the enterprise roadmap. See how Chion compiles a verified SQL pipeline end to end.
Read-only is enforced in code — not asked of the model.
Every query passes a two-layer SQL validator before it ever reaches Azure, runs as a read-only SELECT capped at 1,000 rows, and honors the row-level security on the role you provide. The model cannot opt out — the guardrail lives in code, not in a prompt.
Skip the Azure OpenAI tutorial
The MS Learn DIY path has you wire up Azure OpenAI and hand-write a keyword blocklist the model "won't always follow" — a prompt-layer guardrail that leaks. Chion is turnkey: read-only is enforced in code, so there is nothing to wire up and nothing to maintain.
Every answer exports as a SKILL.md
Every verified answer exports as a SKILL.md you run in Claude Code, Cursor, or Codex — your team owns the query, no lock-in.
Example question & SQL
See what Chion generates from a plain-English question.
You ask
"Top 10 customers by total spend this quarter"
Chion generates
```sql
SELECT
  c.name,
  SUM(o.total) AS total_spend
FROM customers c
JOIN orders o ON o.customer_id = c.id
WHERE o.created_at >= date_trunc('quarter', now())
GROUP BY c.name
ORDER BY total_spend DESC
LIMIT 10;
```
Create a read-only Postgres role
Run this once before you connect. Chion enforces read-only at the SQL validator, but a least-privilege role is the canonical pattern.
```sql
CREATE ROLE chion_read LOGIN PASSWORD '<strong-password>';
GRANT CONNECT ON DATABASE <dbname> TO chion_read;
GRANT USAGE ON SCHEMA public TO chion_read;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO chion_read;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT ON TABLES TO chion_read;
```
Replace <dbname> with your database name. The ALTER DEFAULT PRIVILEGES line makes tables created later by the role that runs it readable by chion_read automatically; tables created by other roles still need their own grant.
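To confirm that the role created above is read-only in the database itself, independent of any validator, the following added example (not Chion's code) sets role-level defaults and audits the role's effective privileges. Only chion_read and schema public come from this page; the timeout and connection limit are sample values.

```sql
-- Added example, not Chion's code. Run as the server admin in <dbname>.
-- Only chion_read and schema public come from the page; limits are sample values.

-- 1. Role-level defaults. A session can override these with SET, so they are
--    a safety net on top of the grants, not a replacement for them.
ALTER ROLE chion_read SET default_transaction_read_only = on;
ALTER ROLE chion_read SET statement_timeout = '30s';
ALTER ROLE chion_read CONNECTION LIMIT 5;

-- 2. Role attributes that would defeat read-only or row-level security.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolbypassrls, rolreplication
FROM pg_roles
WHERE rolname = 'chion_read';

-- 3. Group roles chion_read inherits from; each row is a privilege source to review.
SELECT g.rolname AS member_of
FROM pg_auth_members m
JOIN pg_roles g ON g.oid = m.roleid
JOIN pg_roles u ON u.oid = m.member
WHERE u.rolname = 'chion_read';

-- 4. Effective table-level write privileges in schema public, including those
--    inherited from PUBLIC or group roles. Any row returned is a privilege to
--    revoke. Column-level grants are listed in information_schema.column_privileges.
SELECT c.relname, p.priv
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN unnest(ARRAY['INSERT', 'UPDATE', 'DELETE', 'TRUNCATE']) AS p(priv)
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p', 'v', 'm', 'f')
  AND has_table_privilege('chion_read', c.oid, p.priv);

-- 5. Can the role create objects in the schema? Before PostgreSQL 15 the
--    PUBLIC pseudo-role holds CREATE on schema public by default.
SELECT has_schema_privilege('chion_read', 'public', 'CREATE') AS can_create;
```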
Connection string format
Reference for parsing. Chion accepts the six fields directly, no string concatenation needed.
```
postgresql://chion_read:<password>@<server-name>.postgres.database.azure.com:5432/<dbname>?sslmode=require
```
Finding your Azure Database for PostgreSQL credentials
Azure Portal → your PostgreSQL server → Overview page
| Field | Where to Find | Default |
|---|---|---|
| Server (Host) | Overview page → Server name | <server>.postgres.database.azure.com |
| Port | Overview or Connection strings page | 5432 |
| Database | Created by default. Check via Connection strings or psql | postgres |
| Schema | Not in portal; default is public | public |
| User | Overview page → Admin username | What you set at creation |
| Password | Set at creation. Reset via Settings → Reset password | (not retrievable) |
Quick steps
1. Log in at portal.azure.com
2. Search for "Azure Database for PostgreSQL servers"
3. Click your server name
4. On the Overview page: copy the Server name (this is your host) and note the Admin username
5. Click Connection strings in the left sidebar for pre-built connection strings
6. Password is what you set during creation; reset via Settings → Reset password if needed
Azure Flexible Server uses port 5432 for direct connections and 6432 for the built-in PgBouncer pooler.
Open Azure Database for PostgreSQL console
Azure Database for PostgreSQL troubleshooting
Common issues and how to fix them.
Port mismatch: 5432 vs 6432
Azure Flexible Server uses port 5432 for direct connections and port 6432 for the built-in PgBouncer pooler. If you copied the pooler connection string, make sure you also use port 6432 in Chion.
Firewall rule blocking connection
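In the Azure Portal, go to your PostgreSQL server → Networking → add a firewall rule allowing the Chion IP range. For initial testing, enable "Allow public access from any Azure service"; that option admits connections from any Azure-hosted address, not only Chion's, so disable it once the Chion firewall rule is in place.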
Password reset
Go to your server → Settings → Reset password. The new password takes effect immediately.
TLS / SSL handshake failure
Azure requires TLS 1.2 or higher. Chion connects with sslmode=require by default; no extra config needed. If you see SSL errors, verify the server has not enforced TLS 1.3-only and that no firewall is intercepting the handshake.
Official Azure Database for PostgreSQL documentation
Authoritative references from the provider. Opens in a new tab.
- Azure Database for PostgreSQL Flexible Server
Official overview, networking modes, and connection guidance.
- Connect with PgBouncer
Built-in PgBouncer config and the port 6432 pooler endpoint.
- Single Server retirement notice
March 2025 deprecation timeline and migration paths to Flexible Server.
- PostgreSQL CREATE ROLE
Reference for the read-only role used by Chion.
Your credentials are encrypted
All connection credentials are encrypted with AES-256-GCM and stored in an isolated vault. Chion connects with read-only permissions. No INSERT, UPDATE, or DELETE is ever possible. Row-level security policies are honored on every query.
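Because row-level security is honored on the role you provide, the restriction itself has to be defined in the database. The SQL below is an added example, not Chion's code: it scopes chion_read to a subset of public.orders (the table from the sample query) and lists the places where RLS would not apply. The region column and its 'emea' value are hypothetical.

```sql
-- Added example (constructed), not Chion's code. Run as the owner of public.orders.
-- The region column and the 'emea' value are hypothetical.

-- Once RLS is enabled, every non-owner role without an applicable policy sees
-- no rows, so add policies for other application roles before enabling it.
ALTER TABLE public.orders ENABLE ROW LEVEL SECURITY;

CREATE POLICY chion_read_emea ON public.orders
    FOR SELECT
    TO chion_read
    USING (region = 'emea');

-- Audit 1: tables chion_read can read that have no RLS enabled.
-- Every row in these tables is visible to the role.
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
  AND NOT c.relrowsecurity
  AND has_table_privilege('chion_read', c.oid, 'SELECT');

-- Audit 2: policies that apply to chion_read, directly or through PUBLIC.
SELECT tablename, policyname, cmd, qual
FROM pg_policies
WHERE schemaname = 'public'
  AND roles && ARRAY['chion_read', 'public']::name[];

-- Audit 3: readable views. A view is checked as its owner unless it was created
-- WITH (security_invoker = true) (PostgreSQL 15+), so it can expose rows the
-- table policy would hide from chion_read.
SELECT c.relname AS view_name,
       pg_get_userbyid(c.relowner) AS owner,
       c.reloptions
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'v'
  AND has_table_privilege('chion_read', c.oid, 'SELECT');
```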
Read our security model
Frequently asked questions
Common questions about using Chion with Azure Database for PostgreSQL.
Does Chion work with Azure Flexible Server?
Can I use the built-in PgBouncer?
Does Chion support Azure Private Link?
Can I use Microsoft Entra ID (Azure AD) authentication?
Single Server is being retired. What should I do?
What TLS version does Chion require?
Other PostgreSQL providers
Chion connects to all major managed PostgreSQL services.
Ready to connect your Azure Database for PostgreSQL database?
Open Chion, enter your credentials, and start asking questions in plain English.
Start your 7-day trial