Reputation: 25459
I have a keyvault with a private endpoint. I want to access it via VPN, using azure cli.
I deployed a virtual network gateway and I can connect to my vnet (validated by running ip config).
Running
nslookup my-keyvault-1.vault.azure.net
gives me:
Server: UnKnown
Address: 192.168.86.1
Non-authoritative answer:
Name: azkms-prod-weu-b.westeurope.cloudapp.azure.com
Address: 20.51.102.232
Aliases: my-keyvault-1.vault.azure.net
my-keyvault-1.privatelink.vaultcore.azure.net
data-prod-weu.vaultcore.azure.net
data-prod-weu-region.vaultcore.azure.net
But running:
az keyvault secret list --vault-name my-keyvault-1
is giving me an error:
(Forbidden) Public network access is disabled and request is not from a trusted service nor via an approved private link.
How can I access my keyvault via the VPN? Any help is much appreciated.
Upvotes: 1
Views: 826
Reputation: 552
As nslookup shows, you only receive DNS names and not an IP address for the key vault. This is because the VPN does not provide you with DNS, but just with network access.
What you need is for your local DNS server to become aware of the endpoints these DNS entries should point to. You can either do this by manually configuring your hosts file (good enough for development purposes)
1.2.3.4 my-keyvault-1.vault.azure.net
or you can do the same thing on your local/on-premises DNS server.
That's the easiest and fastest way to solve this. However, if you are implementing a big setup (= dynamic change of resources, potentially hundreds or thousands of resources) you should look into a private DNS resolver:
Here is the link to the old, more complex but cheap way: https://learn.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network#create-custom-dns-server
And here to the modern, less complex but expensive way: https://learn.microsoft.com/en-us/azure/dns/private-resolver-hybrid-dns#azure-dns-private-resolver
Upvotes: 0
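An added example, not part of the answer above, of the hosts-file approach done carefully: it checks whether the address a name resolves to actually falls inside the VNet range (the question's nslookup returned 20.51.102.232, a public address, which is exactly the symptom of the private link being bypassed), pins the vault's public name to the private endpoint IP idempotently in a hosts file, and shows the az CLI call that yields that IP. The VNet range 10.10.0.0/16, the endpoint IP 10.10.1.4, the resource group rg-example and the private endpoint name pe-kv are assumptions for illustration; the demo writes to a temporary file rather than /etc/hosts.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed values (not from the
# page): VNet 10.10.0.0/16, private endpoint IP 10.10.1.4, resource group
# "rg-example", private endpoint "pe-kv". The demo uses a temporary hosts file.

# ip4_to_int 10.10.1.4 -> 168427780; lets us do CIDR math without ipcalc
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP CIDR -> success if IP is inside CIDR (IPv4 only)
in_cidr() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# resolution_check RESOLVED_IP VNET_CIDR -> "private" or "public-leak".
# Feed it the address nslookup returned; anything outside the VNet means the
# request will hit the public endpoint and get the "Forbidden" error.
resolution_check() {
    if in_cidr "$1" "$2"; then echo private; else echo public-leak; fi
}

# hosts_pin HOSTS_FILE IP FQDN -> idempotent: drop any existing line naming
# FQDN, then append "IP<TAB>FQDN". For the real thing use /etc/hosts with sudo
# (or the Windows hosts file) and pin the vault.azure.net name the CLI connects to.
hosts_pin() {
    file=$1; ip=$2; fqdn=$3
    esc=$(printf '%s' "$fqdn" | sed 's/\./\\./g')   # escape dots for the regex
    tmp=$(mktemp)
    [ -f "$file" ] || : > "$file"
    grep -v -E "[[:space:]]$esc([[:space:]]|\$)" "$file" > "$tmp" || true
    printf '%s\t%s\n' "$ip" "$fqdn" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# private_endpoint_ip RG PE_NAME -> the endpoint's private IP from the az CLI.
# Needs a logged-in az session, so it is not exercised offline; the value it
# returns is what you pass to hosts_pin (and it must satisfy in_cidr).
private_endpoint_ip() {
    az network private-endpoint show -g "$1" -n "$2" \
        --query "customDnsConfigs[0].ipAddresses[0]" -o tsv
}

# Demo with constructed values
echo "20.51.102.232 -> $(resolution_check 20.51.102.232 10.10.0.0/16)"   # public-leak
echo "10.10.1.4     -> $(resolution_check 10.10.1.4 10.10.0.0/16)"       # private
demo_hosts=$(mktemp)
printf '127.0.0.1\tlocalhost\n1.2.3.4\tmy-keyvault-1.vault.azure.net\n' > "$demo_hosts"
hosts_pin "$demo_hosts" 10.10.1.4 my-keyvault-1.vault.azure.net
cat "$demo_hosts"   # the stale 1.2.3.4 line is replaced by 10.10.1.4
rm -f "$demo_hosts"
```

Typical use: `hosts_pin /etc/hosts "$(private_endpoint_ip rg-example pe-kv)" my-keyvault-1.vault.azure.net` (as root), then rerun `nslookup my-keyvault-1.vault.azure.net` and confirm `resolution_check` reports `private` before retrying `az keyvault secret list --vault-name my-keyvault-1`. Keep the entry on the vault.azure.net name rather than the privatelink alias, because that is the name the client validates the TLS certificate against.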