This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 79%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Hey
we are using a Site-2-Site VPN between Azure Vnet and OnPremise Network combined with a DNS Forwarder.
When deploying a Azure Event Hubs Namespace (Standard Tier) Private Endpoint into the connected Vnet the DNS doesn't get resolved to the private IP and we can't send messages from OnPremise to the Event Hub.
Other Endpoints for example like StorageAccount or Synapse get resolved and can be used correctly.
Is it possible to use the Event Hub Entpoint from OnPremise in combination with Site-2-Site VPN?
Thanks and best regards
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 57.99999999999999%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBL%3C/text%3E%3C/svg%3E)
Hi @bschroeter
I have that set up and working, may need more details from your side.
did you also create "service endpoints"? https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-service-endpoints
Do you have a proxy/firewall between onprem and azure? if yes you also need to open the AMQP ports if you are using that:https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-amqp-protocol-guide#amqp-outbound-port-requirements
Hey @Bruno Lucas ,
thanks for your response!
We created service endpoints for eventhub and servicebus also tried to allow traffic from vnet but nothing changed. We are using firewall OnPrem but the AMQP Ports are allowed.
Current Setting for Networking in Namespace is "disabled" and only allowed through PrivateEndpoint.
When we call nslookup <namespace-name>.servicebus.windows.net it gets the alias for the privatelink but still resolves to public ip
Error from opening the <namespace-name>.servicebus.windows.net in browser we get "Ip has been prevented to connect to the endpoint. For more information see: Virtual Network service endpoints: Event Hubs: https://go.microsoft.com/fwlink/?linkid=2044192"
What I don't get is why calling nslookup from onpremise resolves to public ip while all over services where we are using resolve to the private ip, it's just the namespace / event hub
Thanks for your help @Bas Pruijn , @Bruno Lucas , @BhargavaGunnam-MSFT !
The problem was a firewall misconfiguration on premise for the servicebus domain names. After fixing the DNS got resolved correctly to private IP and the eventhub could be reached from on premise through private endpoint
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 36%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBM%3C/text%3E%3C/svg%3E)
Hello @bschroeter ,
Glad to know that you were able to resolve the issue.
And thank you for sharing the resolution. I converted your comment to an answer as it helps the community members look for answers to similar questions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 59%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBP%3C/text%3E%3C/svg%3E)
I have seen similar issues in the past. Usually this is when the private DNS zone is not correctly linked to the VNET where your VPN Gateway is hosted. When you create a new service that uses private endpoints, it creates a new privatelink private DNS zone. This new privatelink DNS zone is not automatically linked to your VPN Gateway network, and therefor you might not be able to connect.
You can try this by doing a nslookup <FQDN of your Eventhub> <ip address of your DNS forwarder>
This should result in a private IP address being returned. If your privatelink DNS zones are not linked correctly, you will find the public IP address of your eventhub.
Hey @Bas Pruijn , thanks for your answer, the private endpoint in combination with private dns zone seems correctly setup, we compared the settings to our other private dns zones like for blob or sql, all services get resolved to private ip, but the servicebus endpoint still points to the public ip when calling from onpremise. If we setup a VM in the same vnet/subnet the fqdn of the namespace gets resolved to the local ip but not from onpremise with site-2-site vpn.
Wondering if the servicebus endpoint / the azure namespace service has any restrictions for this setup.
Thank you @Bas Pruijn and @Bruno Lucas
Hello @bschroeter ,
Since the private endpoint in combination with the private DNS zone is set up correctly, I would suggest opening a support case for troubleshooting the issue further. If you don't have a support plan, please let me know. I can enable a one-time support request to work on this.
I am looking forward to hearing from you.