How to connect & deploy to an Azure Function inside a vNet (that is using private endpoints) using Azure VPN Gateway?

constantin dorin 21 Reputation points
2022-11-16T04:49:44.753+00:00

In order to deploy my Azure function code to an Azure Function deployed inside a vNet (using private endpoints), I needed to connect my local machine to the vNet running in Azure using Azure VPN Gateway.

My Azure Functions were deployed inside a vNet (not directly publicly exposed). I deployed them inside the vNet using private endpoints to ensure that they were only accessed via my reverse proxy (Azure Application Gateway).


Accepted answer
  1. KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee
    2022-11-16T08:43:53.44+00:00

    Hi @constantin dorin,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you would like to access an Azure Function in a VNet via Private Endpoint.

    From our discussion, it appears that the issue is related to FQDN resolution failing with P2S clients.

    With Private Endpoint, there should be private DNS Zones created and linked to the VNet.
    Refer: Azure Private Endpoint DNS configuration

    I believe this has been done.
    If not, request you to create the Zones and link them to the VNet.

    Now, the idea here is to make the local computers (connected via P2S) to leverage these private DNS Zones.

    • You would require a custom DNS server hosted in Azure to achieve this.
    • You should configure the VPN client file to forward the DNS requests for "xxx.azurewebsites.net" to this DNS server (in Azure).
    • The DNS server should forward all the requests for "xxx.azurewebsites.net" to the Azure Wireserver IP 168.63.129.16.
    • This scenario is described under "On-premises workloads using a DNS forwarder".

    Now, to make your remote server use the custom DNS server for the domain,

    • Refer: Configure Azure VPN Client
    • Follow "Add DNS suffixes" and "Add custom DNS servers" to modify the client configuration file.

    NOTE: You should not directly add the wire server IP in the custom DNS servers, as only VMs in Azure can reach and communicate with the WireServer IP.

    Please feel free to let me know if you have follow-up queries on this.

    Cheers,
    Kapil

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
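An added check, not part of the answer above or of any Microsoft tooling, that validates the `<clientconfig>` DNS settings of an Azure VPN Client profile before it is handed to remote users: it flags a profile that points clients straight at the wire server 168.63.129.16 (which P2S clients cannot reach), a DNS server outside the VNet, or a missing `.azurewebsites.net` suffix. The sample profile is constructed; `10.1.0.4` and `10.1.0.0/16` are assumed values for the DNS forwarder VM and the VNet.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Azure-internal address used by Azure-provided DNS; reachable only from inside Azure.
WIRESERVER_IP = "168.63.129.16"

# Constructed sample of the <clientconfig> block from the Azure VPN Client profile
# (element names as in the "Add DNS suffixes" / "Add custom DNS servers" guidance).
# 10.1.0.4 is an assumed address of a DNS forwarder VM inside the VNet.
SAMPLE_PROFILE = """<azvpnprofile>
  <clientconfig>
    <dnsservers>
      <dnsserver>10.1.0.4</dnsserver>
    </dnsservers>
    <dnssuffixes>
      <dnssuffix>.azurewebsites.net</dnssuffix>
    </dnssuffixes>
  </clientconfig>
</azvpnprofile>"""


def check_profile(xml_text: str, vnet_cidr: str, suffix: str = ".azurewebsites.net") -> list:
    """Return a list of problems found in the profile's DNS settings (empty list = OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    vnet = ipaddress.ip_network(vnet_cidr)
    servers = [e.text.strip() for e in root.iter("dnsserver") if e.text]
    suffixes = [e.text.strip() for e in root.iter("dnssuffix") if e.text]

    if not servers:
        problems.append("no <dnsserver> entries: clients will keep using their ISP resolver")
    for server in servers:
        if server == WIRESERVER_IP:
            # The NOTE in the answer: only Azure VMs can talk to the wire server.
            problems.append(f"{server} is the Azure wire server; P2S clients cannot reach it")
            continue
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"{server!r} is not a valid IP address")
            continue
        if addr not in vnet:
            problems.append(f"{server} is outside the VNet {vnet}; the forwarder must be in Azure")
    if suffix not in suffixes:
        problems.append(f"missing <dnssuffix>{suffix}</dnssuffix>; queries will not be forwarded")
    return problems
```

With the sample profile, `check_profile(SAMPLE_PROFILE, "10.1.0.0/16")` returns an empty list; swapping the forwarder address for `168.63.129.16` reproduces the misconfiguration the answer warns about.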


1 additional answer

  1. constantin dorin 21 Reputation points
    2022-11-16T11:51:26.897+00:00

    Thank you Kapil.

    Our issue is that we don't have the users in the same local network. We have users, in different places, working remotely.
    I know that VPN Gateway sends encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use VPN Gateway to send encrypted traffic between Azure virtual networks over the Microsoft network.

    Azure Cloud Services is an example of a platform as a service (PaaS). Like Azure App Service, this technology is designed to support applications that are scalable, reliable, and inexpensive to operate. In the same way that App Service is hosted on virtual machines (VMs), so too is Azure Cloud Services. However, you have more control over the VMs. You can install your own software on VMs that use Azure Cloud Services, and you can access them remotely.

    Our architect asked us to provide access to function apps, using Azure VPN, but without using VMs. I configured the Azure VPN - P2S, I configured and installed the certification. I downloaded the VPN config files. I used an Azure VM to test the VPN connectivity and everything is OK.

    What we want to achieve is that we want to provide the function app link to the users (the users will be connected to Azure VPN, the certificates will be installed) and from the browser (Edge, Chrome) the users should be able to access the function app link privately.

    The users are connected to Azure VPN, but the users' IP is still the ISP IP, not the Azure VPN IP; because of that, at the moment, the users are not able to access the function app link.

    My question now is: 1. Do we have any other option to provide access to the private function app link without using an Azure VM, from an internet-facing browser?
