Azure App Service, VNet Integration and NameResolver

Mike 0 Reputation points
2023-01-29T19:14:28.24+00:00

Hello. I currently have two resource groups, CustomerA and CustomerB. Each resource group has an App Service, an SQL server, a storage account and a VNet.

The VNet is relatively new. So I am working to integrate.

I understand that I can integrate the App Service to the VNet (AppSvcSubnet) and then create a private link from the SQL (PrivateLinkSubnet) and add an endpoint for the storage account too, to the PrivateLinkSubnet.

I've also got the private DNS zone set up. Focussing on SQL, privatelink.database.windows.net is working. CustomerA.privatelink.database.windows.net points to the subnet IP for the SQL server.

Using CustomerA's app service console, when I type NameResolver CustomerA.database.windows.net it returns the internal VNet IP 10.1.1.4 and shows me the alias of the private DNS, which is correct, and I understand this is how it is meant to work.

When I try to do the same for CustomerB, despite the setup being identical from what I can see, I get the public IP of the SQL server and it shows me 4 aliases. One is the private DNS alias but the rest appear to be public DNS aliases within Microsoft.

The idea here is to remove all public access to the SQL server, restricting it to VNet access only. If the NameResolver result is the public IP, that suggests the app service is going out to come back in, and that will result in a public access attempt which will be denied.

Is there something I'm missing that anyone can think of?


2 answers

  1. JimmySalian-2011 41,916 Reputation points
    2023-01-29T22:07:05.2633333+00:00

    Hi,

    Not really. If the privatelink is configured it will always be internal resolution; that is the whole point. This is from the SQL Azure Network article; can you follow the steps listed here, as you can disable access from public and allow only from the internal VNET, provided you have set up the internal Privatelink and DNS: https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-sql-portal?source=recommendations

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.


  2. msrini-MSFT 9,256 Reputation points Microsoft Employee
    2023-01-30T04:05:53.71+00:00

    Hi, can you make sure that the private DNS zone that you created for the Customer B private endpoint is linked to the right vnet? I see that the name resolution is happening for Customer B, but for some reason the Private DNS zone which has the private IP record is not getting used. Please check if your Private DNS zone for Customer B is created and linked in the same way as that of Customer A.

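As an added example (not from the question or either answer), the following Python check classifies NameResolver-style output as either resolved privately (through the privatelink zone to an RFC 1918 address, as for CustomerA) or publicly (as for CustomerB), and prints a hint matching the advice above to verify the private DNS zone's VNet link. The sample outputs are constructed; the exact NameResolver output format and the assumption that the VNet address space is RFC 1918 are mine.

```python
import ipaddress
import re

# RFC 1918 ranges; assumption: the VNet address space is drawn from these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVATELINK_SUFFIX = ".privatelink.database.windows.net"
KEY_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")  # "Name:", "Address:", "Aliases:" headers
SECTIONS = {"address": "addresses", "addresses": "addresses", "aliases": "aliases"}

def parse_resolution(text):
    """Parse nslookup/NameResolver-style output into name, addresses and aliases."""
    res, section = {"name": None, "addresses": [], "aliases": []}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = KEY_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip().lower()
            section = SECTIONS.get(key)
            if key == "name":
                res["name"] = value
            elif section and value:
                res[section].append(value)
        elif section:  # indented continuation line under Address/Aliases
            res[section].append(line.lower())
    return res

def check_private_resolution(text):
    """'private' if the chain passed through the privatelink zone to an RFC 1918
    address; otherwise 'public' with a hint at the likely misconfiguration."""
    res = parse_resolution(text)
    chain = [n for n in [res["name"], *res["aliases"]] if n]
    via_privatelink = any(n.endswith(PRIVATELINK_SUFFIX) for n in chain)
    ips = [ipaddress.ip_address(a) for a in res["addresses"]]
    private_ips = [str(ip) for ip in ips if any(ip in net for net in RFC1918)]
    public_ips = [str(ip) for ip in ips if str(ip) not in private_ips]
    if via_privatelink and private_ips and not public_ips:
        return {"status": "private", "ips": private_ips, "hint": None}
    hint = ("privatelink CNAME seen but answer is public: private DNS zone not linked to this VNet"
            if via_privatelink else "no privatelink CNAME: private endpoint DNS record missing")
    return {"status": "public", "ips": public_ips, "hint": hint}

# Constructed sample outputs in nslookup style (exact NameResolver formatting is an
# assumption); CUSTOMER_B reproduces the symptom described in the question.
CUSTOMER_A = "Name: customera.privatelink.database.windows.net\nAddress: 10.1.1.4\nAliases: customera.database.windows.net\n"
CUSTOMER_B = ("Name: cr4.region1-a.control.database.windows.net\nAddress: 203.0.113.25\n"
              "Aliases: customerb.database.windows.net\n  customerb.privatelink.database.windows.net\n"
              "  region1-a.control.database.windows.net.trafficmanager.net\n")

if __name__ == "__main__":
    for label, out in (("CustomerA", CUSTOMER_A), ("CustomerB", CUSTOMER_B)):
        print(label, check_private_resolution(out))
```

Paste the real console output in place of the constructed strings; a "public" result with the privatelink alias present points at the zone's VNet link, while a result with no privatelink alias at all points at a missing private endpoint DNS record.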