Private dns resolver for storage accounts but still need public IPs internally

Richard Duane Wolford Jr 206

We have several storage accounts with private endpoints. We've set up conditional forwarders to a private dns resolve (such as blob.storage.windows.net) so that the private IP is returned. However, some of our storage accounts, even when accessed internally, need the public IP of the storage account. We were going to add A records to the private DNS zones but aren't sure if this is the best way, could we get some advice?

1 answer

akinbade abiola 13,565 Reputation points

2024-08-19T22:39:45.5066667+00:00

If you only have a few storage accounts needing public IPs, adding manual A records in the private DNS zone might be the most straightforward approach.

However,It may not be the best solution in the long run. I would recommend using Azure Private DNS Resolver with custom forwarding rules. This provides a flexible, scalable solution that can be easily managed and modified as your needs change.

https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/azure-dns-private-resolver

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola
Please sign in to rate this answer.
Richard Duane Wolford Jr 206 Reputation points

2024-08-20T16:03:16.9966667+00:00

I read through the page but am still not clear on how exactly to proceed. Right now we forward directly to the resolver in Azure, should we first forward to the private resolver and then have the Azure servers a second on our on-prem DNS servers, so that say blob.core.windows.net is set as a conditional forwarder, with the first forwarder being the private DNS zone and the second being the Azure DNS servers?

Richard Duane Wolford Jr 206 Reputation points

2024-08-20T16:07:13.5433333+00:00

Hi, just testing, left a reply but didn't see it appear.

KapilAnanth-MSFT 43,461 Reputation points Microsoft Employee

2024-08-26T11:29:58.0933333+00:00

Richard Duane Wolford Jr,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

In cases where you need both Public IP of storage accounts resolved in an existing Private DNS Zone set up

You should use the A record only

While this is not the recommended approach as mentioned by akinbade abiola, all other methods would be equally challenging

You have to make sure that the IP hasn't changed periodically, and if it has changed - you have to update the Private DNS Zone

You can also consider updating the local host file of the clients provided they are in small numbers.

P.S : Azure Private DNS Resolver still requires you to update the Private DNS Zone. So if you do not hvae any other requirement to use a Private DNS Resolver other than public IP resolution, please continue to work on the existing set up

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Private dns resolver for storage accounts but still need public IPs internally

1 answer

Your answer