Resolving DNS names for Azure private endpoint of another company, when using private endpoint ourselves

Arnaud Rigole 126 Reputation points
2022-09-19T15:16:29.903+00:00

Hello,

It was hard to find an explicit title for that issue...

We have a DNS server hosted in Azure which serves as a relay/conditional forwarder for the private DNS zones we have in our Azure tenant. Following the Microsoft documentation for private endpoint DNS resolution, the conditional forwarding for these private DNS zones is sent to the Azure DNS 168.63.129.16. Among these private zones we have privatelink.blob.core.windows.net, which is used by the private endpoints you can create for your storage accounts. At this point, everything works and we can resolve DNS names for our personalized private zones and privatelink... zones in Azure.

When you create a private endpoint on a publicly accessible blob storage endpoint, Azure adds a CNAME from the original "public" name mystorageaccount.blob.core.windows.net. to mystorageaccount.privatelink.blob.core.windows.net. So when you request your storage account DNS name, it is translated to this privatelink FQDN and your private IP is returned.

The problem is that there are other people in the world who use Azure blobs & private endpoints. So when we try to resolve an external blob name which has a private link from our internal network, like someexternalstgaccount.blob.core.windows.net, this is resolved as a CNAME of someexternalstgaccount.privatelink.blob.core.windows.net. So the DNS request is transferred to our own Azure DNS server/relay, which claims to handle the zone in its conditional forwarder privatelink.blob.core.windows.net. Finally, the name someexternalstgaccount is not found in our own tenant private DNS zone privatelink.blob.core.windows.net, and the request fails...

The cases described here https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns do not mention the resolution of the example azsql1.database.windows.net from outside of the corporate network...

What am I missing? How do you manage this? Do you create conditional forwarding for all your FQDNs?

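As an added illustration (not part of the original question or of any Microsoft code), the following Python model reproduces the resolution chain described above: the internal relay forwards the privatelink zone to Azure DNS, which is authoritative for the tenant's private zone, so an external storage account whose public CNAME points into that zone ends in NXDOMAIN while the tenant's own account resolves to its private IP. All zone contents and IP addresses are constructed placeholders.

```python
"""Model of the DNS chain from the question: public CNAME into the
privatelink zone, conditional forwarder to Azure DNS, authoritative
private zone. Zone data and IPs below are constructed placeholders."""

PRIVATELINK_ZONE = "privatelink.blob.core.windows.net"
AZURE_DNS = "168.63.129.16"
NXDOMAIN = ("NXDOMAIN", None)

# Public DNS as seen from the internet: each storage account that has a
# private endpoint gets a CNAME into the privatelink zone, whose public
# copy resolves to the public IP (constructed values).
PUBLIC_DNS = {
    "mystorageaccount.blob.core.windows.net":
        ("CNAME", "mystorageaccount." + PRIVATELINK_ZONE),
    "mystorageaccount." + PRIVATELINK_ZONE: ("A", "20.0.0.1"),
    "someexternalstgaccount.blob.core.windows.net":
        ("CNAME", "someexternalstgaccount." + PRIVATELINK_ZONE),
    "someexternalstgaccount." + PRIVATELINK_ZONE: ("A", "20.0.0.2"),
}

# Our tenant's private DNS zone, served by Azure DNS for the linked VNet.
# It only knows our own private endpoints (constructed private IP).
TENANT_PRIVATE_ZONE = {
    "mystorageaccount." + PRIVATELINK_ZONE: ("A", "10.1.2.4"),
}

def azure_dns(name):
    """Azure DNS is authoritative for the linked private zone: a name under
    that zone with no record returns NXDOMAIN, with no fallback to public."""
    if name.endswith("." + PRIVATELINK_ZONE):
        return TENANT_PRIVATE_ZONE.get(name, NXDOMAIN)
    return PUBLIC_DNS.get(name, NXDOMAIN)

def internal_relay(name):
    """Conditional forwarder: privatelink zone -> Azure DNS, rest -> public."""
    if name.endswith("." + PRIVATELINK_ZONE):
        return AZURE_DNS, azure_dns(name)
    return "public", PUBLIC_DNS.get(name, NXDOMAIN)

def resolve(name, max_hops=5):
    """Follow the CNAME chain through the relay; return (answer, trace)."""
    trace = []
    for _ in range(max_hops):
        server, (rtype, value) = internal_relay(name)
        trace.append((name, server, rtype, value))
        if rtype != "CNAME":
            return (rtype, value), trace
        name = value
    return ("LOOP", None), trace
```

`resolve("someexternalstgaccount.blob.core.windows.net")` ends at Azure DNS with NXDOMAIN, which is the failure the question describes; the trace shows at which hop the query left public resolution.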

1 answer

  1. KapilAnanth-MSFT 35,501 Reputation points Microsoft Employee
    2022-09-26T11:45:18.117+00:00

    Hi @Arnaud Rigole,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that we are not able to resolve Storage Accounts with private endpoints over Internet/External Network.

    Currently, this is a known issue.

    You can refer to the suggestions and recommended solutions for this scenario here:
    https://github.com/dmauser/PrivateLink/tree/master/Issue-Customer-Unable-to-Access-PaaS-AfterPrivateLink

    Let me know if you require additional details on this.

    Thanks,
    Kapil

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
