diff --git a/internal/services/postgres/postgresql_flexible_server_resource.go b/internal/services/postgres/postgresql_flexible_server_resource.go
index 2eec141b97b3..1b41dc0cbfe8 100644
--- a/internal/services/postgres/postgresql_flexible_server_resource.go
+++ b/internal/services/postgres/postgresql_flexible_server_resource.go
@@ -278,7 +278,8 @@ func resourcePostgresqlFlexibleServer() *pluginsdk.Resource {
 "public_network_access_enabled": {
 Type: pluginsdk.TypeBool,
- Computed: true,
+ Optional: true,
+ Default: true,
 },
 "replication_role": {
@@ -781,7 +782,7 @@ func resourcePostgresqlFlexibleServerUpdate(d *pluginsdk.ResourceData, meta inte
 }
 }
- if d.HasChange("private_dns_zone_id") {
+ if d.HasChange("private_dns_zone_id") || d.HasChange("public_network_access_enabled") {
 parameters.Properties.Network = expandArmServerNetwork(d)
 }
@@ -978,6 +979,12 @@ func expandArmServerNetwork(d *pluginsdk.ResourceData) *servers.Network {
 network.PrivateDnsZoneArmResourceId = utils.String(v.(string))
 }
+ publicNetworkAccessEnabled := servers.ServerPublicNetworkAccessStateEnabled
+ if !d.Get("public_network_access_enabled").(bool) {
+ publicNetworkAccessEnabled = servers.ServerPublicNetworkAccessStateDisabled
+ }
+ network.PublicNetworkAccess = pointer.To(publicNetworkAccessEnabled)
+
 return &network
 }
diff --git a/internal/services/postgres/postgresql_flexible_server_resource_test.go b/internal/services/postgres/postgresql_flexible_server_resource_test.go
index 17ff0b543179..a5bbe6dc83aa 100644
--- a/internal/services/postgres/postgresql_flexible_server_resource_test.go
+++ b/internal/services/postgres/postgresql_flexible_server_resource_test.go
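Review bot: `Default: true` on `public_network_access_enabled` (schema hunk of postgresql_flexible_server_resource.go) makes public exposure the implicit state for every configuration that omits the argument, and `expandArmServerNetwork` (last hunk of the same file) now sends that value whenever the network block is built. The docs added in this commit say the argument must be `false` when `delegated_subnet_id` and `private_dns_zone_id` are set, and the VNet-integrated test and docs configs all had to gain an explicit `public_network_access_enabled = false`, which suggests an existing private server whose configuration predates this argument will plan a `false` to `true` change after upgrading. Nothing visible in these hunks rejects that combination at plan time; a CustomizeDiff check that returns an error when `delegated_subnet_id` is set and `public_network_access_enabled` is `true` would surface it before any API call. All three functions continue outside their hunks, so confirm no such guard already exists there.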
@@ -583,6 +583,27 @@ func TestAccPostgresqlFlexibleServer_updateOnlyWithStorageTier(t *testing.T) {
 })
 }
+func TestAccPostgresqlFlexibleServer_publicNetworkAccessEnabled(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_postgresql_flexible_server", "test")
+ r := PostgresqlFlexibleServerResource{}
+ data.ResourceTest(t, r, []acceptance.TestStep{
+ {
+ Config: r.publicNetworkAccessEnabled(data, false),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep("administrator_password", "create_mode"),
+ {
+ Config: r.publicNetworkAccessEnabled(data, true),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep("administrator_password", "create_mode"),
+ })
+}
+
 func (PostgresqlFlexibleServerResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 id, err := servers.ParseFlexibleServerID(state.ID)
 if err != nil {
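Review bot: `TestAccPostgresqlFlexibleServer_publicNetworkAccessEnabled` toggles the flag only on a server without `delegated_subnet_id`, and each step asserts just `ExistsInAzure(r)`, so the documented rule that the flag must be `false` for VNet-integrated servers has no test. Add a step whose config sets a delegated subnet with the flag `true` (or omitted) and an `ExpectError`, and make the intent of the existing steps explicit with `check.That(data.ResourceName).Key("public_network_access_enabled").HasValue("false"),` and the `"true"` counterpart. The trailing context lines belong to `Exists`, whose body continues outside the hunk.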
@@ -781,18 +802,19 @@ resource "azurerm_private_dns_zone_virtual_network_link" "test" {
 }
 resource "azurerm_postgresql_flexible_server" "test" {
- name = "acctest-fs-%[2]d"
- resource_group_name = azurerm_resource_group.test.name
- location = azurerm_resource_group.test.location
- administrator_login = "adminTerraform"
- administrator_password = "QAZwsx123"
- version = "13"
- backup_retention_days = 7
- storage_mb = 32768
- delegated_subnet_id = azurerm_subnet.test.id
- private_dns_zone_id = azurerm_private_dns_zone.test.id
- sku_name = "GP_Standard_D2s_v3"
- zone = "1"
+ name = "acctest-fs-%[2]d"
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+ administrator_login = "adminTerraform"
+ administrator_password = "QAZwsx123"
+ version = "13"
+ backup_retention_days = 7
+ storage_mb = 32768
+ delegated_subnet_id = azurerm_subnet.test.id
+ private_dns_zone_id = azurerm_private_dns_zone.test.id
+ public_network_access_enabled = false
+ sku_name = "GP_Standard_D2s_v3"
+ zone = "1"
 high_availability {
 mode = "ZoneRedundant"
@@ -857,19 +879,20 @@ resource "azurerm_private_dns_zone_virtual_network_link" "test" {
 }
 resource "azurerm_postgresql_flexible_server" "test" {
- name = "acctest-fs-%[2]d"
- resource_group_name = azurerm_resource_group.test.name
- location = azurerm_resource_group.test.location
- administrator_login = "adminTerraform"
- administrator_password = "123wsxQAZ"
- version = "13"
- backup_retention_days = 10
- storage_mb = 65536
- storage_tier = "P6"
- delegated_subnet_id = azurerm_subnet.test.id
- private_dns_zone_id = azurerm_private_dns_zone.test.id
- sku_name = "GP_Standard_D2s_v3"
- zone = "2"
+ name = "acctest-fs-%[2]d"
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+ administrator_login = "adminTerraform"
+ administrator_password = "123wsxQAZ"
+ version = "13"
+ backup_retention_days = 10
+ storage_mb = 65536
+ storage_tier = "P6"
+ delegated_subnet_id = azurerm_subnet.test.id
+ private_dns_zone_id = azurerm_private_dns_zone.test.id
+ public_network_access_enabled = false
+ sku_name = "GP_Standard_D2s_v3"
+ zone = "2"
 high_availability {
 mode = "ZoneRedundant"
@@ -1378,3 +1401,20 @@ resource "azurerm_postgresql_flexible_server" "test" {
 }
 `, r.template(data), data.RandomInteger, storageMb, storageTier)
 }
+
+func (r PostgresqlFlexibleServerResource) publicNetworkAccessEnabled(data acceptance.TestData, publicNetworkAccessEnabled bool) string {
+ return fmt.Sprintf(`
+%s
+resource "azurerm_postgresql_flexible_server" "test" {
+ name = "acctest-fs-%d"
+ resource_group_name = azurerm_resource_group.test.name
+ location = azurerm_resource_group.test.location
+ administrator_login = "adminTerraform"
+ administrator_password = "QAZwsx123"
+ version = "12"
+ sku_name = "GP_Standard_D2s_v3"
+ zone = "2"
+ public_network_access_enabled = %t
+}
+`, r.template(data), data.RandomInteger, publicNetworkAccessEnabled)
+}
diff --git a/website/docs/r/postgresql_flexible_server.html.markdown b/website/docs/r/postgresql_flexible_server.html.markdown
index 55966e31b38a..a064064450f0 100644
--- a/website/docs/r/postgresql_flexible_server.html.markdown
+++ b/website/docs/r/postgresql_flexible_server.html.markdown
@@ -59,15 +59,16 @@ resource "azurerm_private_dns_zone_virtual_network_link" "example" {
 }
 resource "azurerm_postgresql_flexible_server" "example" {
- name = "example-psqlflexibleserver"
- resource_group_name = azurerm_resource_group.example.name
- location = azurerm_resource_group.example.location
- version = "12"
- delegated_subnet_id = azurerm_subnet.example.id
- private_dns_zone_id = azurerm_private_dns_zone.example.id
- administrator_login = "psqladmin"
- administrator_password = "H@Sh1CoR3!"
- zone = "1"
+ name = "example-psqlflexibleserver"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ version = "12"
+ delegated_subnet_id = azurerm_subnet.example.id
+ private_dns_zone_id = azurerm_private_dns_zone.example.id
+ public_network_access_enabled = false
+ administrator_login = "psqladmin"
+ administrator_password = "H@Sh1CoR3!"
+ zone = "1"
 storage_mb = 32768
 storage_tier = "P30"
@@ -118,6 +119,10 @@ The following arguments are supported:
 ~> **Note:** There will be a breaking change from upstream service at 15th July 2021, the `private_dns_zone_id` will be required when setting a `delegated_subnet_id`. For existing flexible servers who don't want to be recreated, you need to provide the `private_dns_zone_id` to the service team to manually migrate to the specified private DNS zone. The `azurerm_private_dns_zone` should end with suffix `.postgres.database.azure.com`.
+* `public_network_access_enabled` - (Optional) Specifies whether this PostgreSQL Flexible Server is publicly accessible. Defaults to `true`.
+
+-> **Note:** `public_network_access_enabled` must be set to `false` when `delegated_subnet_id` and `private_dns_zone_id` have a value.
+
 * `high_availability` - (Optional) A `high_availability` block as defined below.
 * `identity` - (Optional) An `identity` block as defined below.
@@ -247,8 +252,6 @@ In addition to the Arguments listed above - the following Attributes are exporte
 * `fqdn` - The FQDN of the PostgreSQL Flexible Server.
-* `public_network_access_enabled` - Is public network access enabled?
-
 ## Timeouts
 The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/language/resources/syntax#operation-timeouts) for certain actions: