Is it possible to resolve Azure KeyVault public DNS records with Private IP without creating a virtual link to a peered VNet?

Gerald Prendi 0 Reputation points
2024-07-22T15:11:59.98+00:00

I have created a private endpoint for my Azure KeyVault with a private DNS zone and linked it to my subnet. There is a VNet which is peered to the VNet of the KeyVault, and the two VNets can communicate using private IPs. However, the peer VNet cannot resolve the private IP of the Key Vault because I cannot create a virtual link to it due to a lack of permissions in the peer VNet. The peered VNet lives on another tenant and has a separate subscription.

Are there any alternative ways to resolve the public DNS record with the private internal IP? I am looking for suggestions.

Thank you for any help you can provide.


1 answer

  1. Sina Salam 7,286 Reputation points
    2024-07-22T16:39:22.64+00:00

    Hello Gerald Prendi,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Problem

    I understand that you would like a suggestion on whether it's possible to resolve Azure KeyVault public DNS records with a private IP without creating a virtual link to a peered VNet, due to a lack of permission to create a virtual link in the other tenant.

    Solution

    Yes, there are a few alternative methods to resolve the public DNS record of your Azure KeyVault with its private internal IP without needing a virtual link to the peered VNet. You will need to understand that resolving Azure KeyVault public DNS records with a private IP address without creating a virtual link to a peered VNet is possible, but not straightforward, as Azure KeyVault is designed to be accessed over the public internet or via private endpoints. However, in your given scenario, where you lack permissions to create a virtual link for the peered VNet because it is in a different tenant and subscription, you can use a custom DNS server within the VNet of the KeyVault to resolve the private DNS name from the peered VNet. The basic instructions you can follow are the following:

    1. Set up a custom DNS server by deploying a DNS server VM in the KeyVault VNet: start by setting up a virtual machine in the VNet where your KeyVault is located, then install and configure a DNS server on this VM. You can use software like BIND (for Linux) or Windows Server DNS.
    2. Configure the DNS server to forward DNS queries for the KeyVault's private DNS zone to Azure's private DNS service; this will ensure that any DNS query for the KeyVault's DNS name will be resolved to the private IP address.
    3. In the VNet where the KeyVault resides, update the DNS server settings to point to the custom DNS server VM. That way, any DNS query from within this VNet will be handled by your custom DNS server.
    4. In the peered VNet (even though it’s in a different tenant), you can update the DNS server settings to point to the custom DNS server VM's IP address. This will allow VMs in the peered VNet to resolve the KeyVault’s private DNS name via the custom DNS server.


    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam
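As an added example (not part of the answer above, and not Microsoft's or BIND's own material), the script below renders the BIND9 forwarder configuration that steps 1 and 2 of the answer describe for a DNS VM placed in the Key Vault's VNet. The two VNet CIDRs are placeholders I chose; the Azure-provided DNS address 168.63.129.16 and the `privatelink.vaultcore.azure.net` zone name are the standard values. The resolver forwards everything to Azure-provided DNS, and because the VM itself sits in the VNet that is linked to the private zone, Azure DNS answers the Key Vault name with the private endpoint IP. The ACL is the defensive part: without it the VM becomes an open resolver reachable from whatever can route to it.

```shell
#!/bin/sh
# Added example: render a BIND9 forwarder config for a DNS VM in the Key Vault VNet.
# The CIDRs below are placeholders (assumptions), not values from the thread.
set -eu

KV_VNET_CIDR="${KV_VNET_CIDR:-10.10.0.0/16}"       # placeholder: VNet hosting Key Vault and this DNS VM
PEER_VNET_CIDR="${PEER_VNET_CIDR:-10.20.0.0/16}"   # placeholder: peered VNet in the other tenant
AZURE_DNS="168.63.129.16"                          # Azure-provided DNS virtual IP (fixed, documented value)
PRIVATELINK_ZONE="privatelink.vaultcore.azure.net" # private DNS zone used by Key Vault private endpoints

# Emit the named.conf content on stdout.
render_named_conf() {
  cat <<EOF
// Only the two VNets may use this resolver; every other source is refused.
acl "trusted-vnets" { ${KV_VNET_CIDR}; ${PEER_VNET_CIDR}; };

options {
  directory "/var/cache/bind";
  listen-on { any; };
  listen-on-v6 { none; };
  allow-query { "trusted-vnets"; };
  allow-recursion { "trusted-vnets"; };
  allow-transfer { none; };
  recursion yes;
  // Forward every query to Azure-provided DNS. This VM lives in a VNet that is
  // linked to the private zone, so Azure DNS returns the private endpoint IP.
  forwarders { ${AZURE_DNS}; };
  forward only;
};

// Explicit forward zone for the Key Vault private-link domain.
zone "${PRIVATELINK_ZONE}" {
  type forward;
  forward only;
  forwarders { ${AZURE_DNS}; };
};
EOF
}

# Write the config to a file and validate it with named-checkconf when BIND is installed.
install_named_conf() {
  out="${1:-/etc/bind/named.conf}"
  render_named_conf > "$out"
  if command -v named-checkconf >/dev/null 2>&1; then
    named-checkconf "$out"
  fi
  echo "$out"
}

# Self-check that works without BIND: the rendered config must forward the
# private-link zone to Azure DNS and must restrict queries to the two VNets.
config_looks_right() {
  conf="$(render_named_conf)"
  printf '%s\n' "$conf" | grep -q "zone \"${PRIVATELINK_ZONE}\"" || return 1
  printf '%s\n' "$conf" | grep -q "forwarders { ${AZURE_DNS}; }" || return 1
  printf '%s\n' "$conf" | grep -q "${PEER_VNET_CIDR}" || return 1
  printf '%s\n' "$conf" | grep -q "allow-query { \"trusted-vnets\"; }" || return 1
  return 0
}

# Print the rendered config when run as: sh render_bind.sh --print
if [ "${1:-}" = "--print" ]; then
  render_named_conf
fi
```

After `install_named_conf` and a restart of `named`, step 4 of the answer is done on the other tenant's side by setting the peered VNet's custom DNS server to this VM's private IP. The NSG on the DNS VM's subnet should only allow inbound TCP and UDP 53 from the peered VNet's CIDR, mirroring the `trusted-vnets` ACL so that the resolver is not reachable from anywhere else. To verify from a VM in the peered VNet, run `dig @<dns-vm-private-ip> <vault-name>.vault.azure.net`: the expected answer is a CNAME to the `privatelink.vaultcore.azure.net` name followed by an A record carrying the private endpoint IP rather than the public one.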