Flavi

Reputation: 353

Access Azure Private Endpoint from on-premise

Context

I have a hub-spoke network architecture in Azure and the hub vnet has a site-to-site VPN connection with on-premise.

I have a storage account that I want to access privately. So, I created a private endpoint in the spoke vnet and I connected the hub vnet with the privatelink.blob.core.windows.net private DNS zone.

To resolve the storage account private link from on-prem, I added an Azure Firewall in the hub vnet acting as a DNS proxy and all traffic for privatelink.core.windows.net is sent to this firewall.

This setup is summarized here.

Problem

When I do an nslookup [xxx].blob.core.windows.net, the first time I get the storage account private IP. BUT, subsequently, I get the storage account public IP.

Question

How is this possible?

My guess

First attempt

Subsequent attempts

Upvotes: 1

Views: 8881
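A check for the symptom described above, added here as an illustration and not part of the question or any answer. It classifies a series of nslookup results for the storage account: an answer is only on the private endpoint path when the CNAME chain passes through the privatelink zone and the final address lies inside the spoke VNet; a chain that reaches the privatelink name but ends at a public address means that name was answered by public DNS (whose privatelink zone simply CNAMEs back to the public blob endpoint) rather than by the private DNS zone. The storage account name, the spoke address space and the sample answers are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values (not from the question): the spoke VNet address space that
# holds the private endpoint NIC, and the private DNS zone linked to the hub.
SPOKE_VNET = ipaddress.ip_network("10.1.0.0/16")
PRIVATELINK_ZONE = "privatelink.blob.core.windows.net"


@dataclass
class Lookup:
    """One nslookup result: the CNAME chain followed and the final A record."""
    attempt: int
    cname_chain: list
    answer: str


def classify(lookup: Lookup) -> dict:
    """Decide which resolution path produced this answer."""
    via_privatelink = any(n.endswith(PRIVATELINK_ZONE) for n in lookup.cname_chain)
    private_ip = ipaddress.ip_address(lookup.answer) in SPOKE_VNET
    if via_privatelink and private_ip:
        verdict = "private-endpoint"
    elif via_privatelink:
        # The privatelink name was answered by public DNS: the public
        # privatelink zone just CNAMEs back to the public blob endpoint.
        verdict = "privatelink-name-resolved-publicly"
    else:
        verdict = "public-endpoint"
    return {"attempt": lookup.attempt, "verdict": verdict, "private_ip": private_ip}


def find_flaps(lookups: list) -> list:
    """Return the attempts whose verdict differs from the first attempt's."""
    results = [classify(l) for l in lookups]
    first = results[0]["verdict"]
    return [r["attempt"] for r in results if r["verdict"] != first]


# Constructed sample mirroring the question: first query private, then public.
SAMPLE = [
    Lookup(1, ["examplestorage.privatelink.blob.core.windows.net"], "10.1.2.4"),
    Lookup(2, ["examplestorage.privatelink.blob.core.windows.net",
               "blob.region-placeholder.store.core.windows.net"], "203.0.113.10"),
    Lookup(3, ["examplestorage.privatelink.blob.core.windows.net",
               "blob.region-placeholder.store.core.windows.net"], "203.0.113.10"),
]

if __name__ == "__main__":
    for lookup in SAMPLE:
        print(classify(lookup))
    print("attempts diverging from the first:", find_flaps(SAMPLE))
```

Feed it the chains from repeated nslookup runs against the on-prem resolver; a "privatelink-name-resolved-publicly" verdict points at the forwarding of the privatelink zone rather than at the private endpoint itself.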

Answers (2)

The Long Nguyen

Reputation: 92

I have the same problem, and found that someone may have solved it by adding a DNS configuration to the Azure VPN Client (on Windows): resolving private dns zone over point-to-site. I have not tried this solution myself, but found a workaround by adding a mapping entry to the hosts file in the C:Windows/system32/driver/etc system folder.

Upvotes: 0

Charles Xu

Reputation: 31452

When you create a private endpoint for the storage account, it doesn't mean the storage account can't be accessed from the Internet. It only means you can access the storage account from both the VNet and the Internet. You can understand it from the screenshot below:


So if you want the storage account to be accessible only from the hub VNet, you need to change Allow access from to Selected networks, and add the hub VNet's network as a selected network.

Upvotes: 0
