Azure App Service cannot connect to Supabase pooler (5432/6543)

Younesh Mahaseth 0 Reputation points

We have a production outage on Azure App Service (Linux container, app: api-gpta). From inside Kudu SSH, DNS resolves for aws-0-ap-southeast-2.pooler.supabase.com, but TCP connection fails to both ports 5432 and 6543. Commands used in Kudu:

  • getent hosts aws-0-ap-southeast-2.pooler.supabase.com (resolves)
  • timeout 10 bash -lc 'cat < /dev/null > /dev/tcp/aws-0-ap-southeast-2.pooler.supabase.com/5432' && echo OK || echo FAIL (FAIL)
  • timeout 10 bash -lc 'cat < /dev/null > /dev/tcp/aws-0-ap-southeast-2.pooler.supabase.com/6543' && echo OK || echo FAIL (FAIL)

Application logs show Prisma P1001: “Can’t reach database server at ...:6543”. Same code and credentials work locally, so this appears to be an Azure outbound connectivity/SNAT path issue from this App Service environment.

Please investigate outbound networking from this worker/stamp to Supabase pooler endpoints.

  1. Aditya N 2,990 Reputation points Microsoft External Staff Moderator

    Hello @Younesh Mahaseth

    Thank you for reaching out to Microsoft Q&A. Could you please confirm whether this is an existing setup or a newly created one?

    Please could you look into

    Diagnose and solve problems > Availability & Performance > SNAT Port Exhaustion.

  2. Younesh Mahaseth 0 Reputation points

    Hi Aditya, it's an existing setup.

  3. Praneeth Maddali 10,460 Reputation points Microsoft External Staff Moderator

    Hi @Younesh Mahaseth

    From a deep investigation, it looks like it's related to your Supabase connectivity problem.

    The root cause is SNAT port exhaustion on outbound connections from your Linux container instances. This is why DNS resolution works in Kudu, but TCP connections to the Supabase pooler fail on both ports. The database errors then lead to unhandled exceptions (HTTP 500s), container restarts, high CPU/load, and the 502/503 responses you're seeing.

    Recommended Fixes

    1. Immediate Steps (Start Here)
    • Switch to Supabase’s pooler connection string (Transaction mode on port 6543 works best with Prisma). You can copy the correct string from your Supabase Dashboard > Database > Connect.
    • Add the following App Setting and restart the app:
      WEBSITE_NETWORK_LINUX_OUTBOUND_DISABLE_IPV6 = true
    • Restart the App Service to reset SNAT ports.

    Fix SNAT Exhaustion (Root Cause)
    Short-term: Scale up your App Service Plan to a higher SKU. Higher SKUs provide more pre-allocated SNAT ports per instance.

    Recommended long-term solution: Configure Regional VNet Integration + NAT Gateway. This routes outbound traffic through dedicated IPs and greatly reduces SNAT limitations.

    High-level steps:

    1. Enable Regional VNet Integration for your App Service.
    2. Add a NAT Gateway to the integration subnet.
    3. Add the app setting WEBSITE_VNET_ROUTE_ALL=1.

    Application Best Practice

    • Ensure your Prisma client is instantiated once (as a singleton) and reuses connections properly. Creating new database connections on every request significantly worsens SNAT exhaustion.

    References:

    https://learn.microsoft.com/en-us/azure/nat-gateway/quickstart-create-nat-gateway?tabs=portal

    https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration

    https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-intermittent-outbound-connection-errors

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "upvote" if the information helped you. This will help us and others in the community as well.
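
A read-only check that can be run from the same Kudu SSH session to see whether the app is reusing its pooler connections or opening new ones (added example, not part of the thread or of any Azure or Supabase tooling). It counts the container's sockets to ports 5432 and 6543 by TCP state from `/proc/net/tcp`-format input; the function names, the `blocked`/`churn`/`steady` labels and the sample table are constructed for this example.

```shell
#!/bin/sh
# Added example: count sockets to the pooler ports by TCP state.
# Input: /proc/net/tcp-format rows on stdin. Args: remote ports (decimal).
# Output: sorted "PORT STATE COUNT" lines.
pooler_socket_states() {
  map=""
  for p in "$@"; do map="$map $(printf '%04X' "$p")=$p"; done  # 6543 -> 198F
  awk -v map="$map" '
    BEGIN {
      n = split(map, kv, " ")
      for (i = 1; i <= n; i++) { split(kv[i], a, "="); port[a[1]] = a[2] }
      name["01"] = "ESTABLISHED"; name["02"] = "SYN_SENT"; name["06"] = "TIME_WAIT"
    }
    $1 ~ /^[0-9]+:$/ {            # socket rows only; header lines are skipped
      split($3, rem, ":")         # rem_address is HEXIP:HEXPORT
      if (!(rem[2] in port)) next
      st = ($4 in name) ? name[$4] : "OTHER"
      count[port[rem[2]] " " st]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Heuristic label (an assumption of this example, not an Azure metric):
#   blocked = a connect is waiting for SYN-ACK, as in the failing /dev/tcp probe
#   churn   = more closed (TIME_WAIT) than open sockets, i.e. little reuse
churn_hint() {
  awk '{ n[$2] += $3 }
       END { h = "steady"
             if (n["TIME_WAIT"] > n["ESTABLISHED"]) h = "churn"
             if (n["SYN_SENT"] > 0) h = "blocked"
             print h }'
}

# Constructed sample (columns after "st" trimmed); remote is 203.0.113.7.
sample_table() {
  cat <<'EOF'
  sl  local_address rem_address   st
   0: 0100007F:1F90 00000000:0000 0A
   1: 050010AC:C350 077100CB:198F 01
   2: 050010AC:C351 077100CB:198F 06
   3: 050010AC:C352 077100CB:198F 06
   4: 050010AC:C353 077100CB:198F 06
   5: 050010AC:C354 077100CB:1538 02
   6: 050010AC:C355 077100CB:01BB 01
EOF
}

# Live use: cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | pooler_socket_states 5432 6543
sample_table | pooler_socket_states 5432 6543
sample_table | pooler_socket_states 5432 6543 | churn_hint
```

The counts are the container's local view of its sockets; SNAT ports themselves are allocated by the platform, so the portal's SNAT Port Exhaustion detector remains the authoritative figure.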

