Got blocked days ago on the same subject when users from the On-Premises network tried to reach my Private Endpoint over S2S VPN; sharing the solution below.
Overview of the solution:
Forward DNS request to a DNS VM proxy located on Azure.
The DNS VM proxy is in a vnet that has a link with your Azure private DNS zones hosting the "privatelink" recommended DNS zones.
Detail of the solution:
- Create the Azure private DNS zone “privatelink.database.core.windows.net” with the DNS A record “mysqlservername.privatelink.database.core.windows.net” that returns my Azure SQL Server private endpoint’s IP.
- Use a VM DNS proxy; this VM’s vNet is linked to the above-mentioned Azure private DNS zone. This DNS VM forwards DNS requests to the Azure DNS IP 220.127.116.11. Here, a solution could be to use Azure AD DS as the DNS proxy; it’s natively configured to forward DNS requests to 18.104.22.168.
- Use a DNS conditional forwarder on the On-Premises DNS servers to forward DNS requests for the DNS zone “mysqlservername.database.core.windows.net” to the DNS proxy on Azure (in my context, to the 2 private IPs of my Azure AD DS service).
A feature request has been published here to simplify Private Endpoint DNS resolution from On-Premises.
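The point of the forwarding chain above is that an on-premises client must get the private endpoint's private IP back, not the public IP of the SQL server (which would send traffic over the Internet instead of the S2S VPN). The script below is an added example, not part of the original post or of any Microsoft tooling: it sends a plain A query to a chosen resolver (the on-prem DNS server, or the DNS proxy directly, to test each hop), parses the answer with a minimal wire-format parser, and flags any returned address that is outside the VNet range. The hostname and zone names reuse the post's own example names, and the resolver IP, VNet CIDR and the sample answer are constructed placeholders.

```python
"""Check that a Private Endpoint FQDN resolves to a private IP through a given resolver."""
from __future__ import annotations

import ipaddress
import socket
import struct


def encode_name(fqdn: str) -> bytes:
    """Encode a dotted name in DNS label format (uncompressed)."""
    labels = fqdn.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_query(fqdn: str, txn_id: int = 0x1234) -> bytes:
    """Build a standard recursive A/IN query (RD bit set)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_a_records(msg: bytes) -> list[str]:
    """Return the IPv4 addresses from the answer section; CNAME records are skipped."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4    # skip QNAME, QTYPE, QCLASS
    ips: list[str] = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            ips.append(str(ipaddress.IPv4Address(rdata)))
    return ips


def check_private_resolution(ips: list[str], private_cidr: str) -> tuple[bool, list[str]]:
    """True only if at least one address came back and all of them are inside the VNet range.

    The second element lists every address outside the range, i.e. public IPs that would
    make the client bypass the private endpoint and the VPN.
    """
    net = ipaddress.ip_network(private_cidr)
    leaked = [ip for ip in ips if ipaddress.ip_address(ip) not in net]
    return (bool(ips) and not leaked, leaked)


def resolve_a(fqdn: str, resolver_ip: str, port: int = 53, timeout: float = 3.0) -> list[str]:
    """Live UDP query against one resolver (on-prem DNS or the Azure DNS proxy)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(fqdn), (resolver_ip, port))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


def build_sample_response(fqdn: str, cname: str, ip: str, txn_id: int = 0x1234) -> bytes:
    """Constructed offline sample of the answer the DNS proxy should give:
    fqdn CNAME -> privatelink name, then an A record with the private endpoint IP."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 2, 0, 0)   # QR=1, RD=1, RA=1
    question = encode_name(fqdn) + struct.pack("!HH", 1, 1)
    cname_rdata = encode_name(cname)
    # owner name compressed to the question name at offset 12
    answer1 = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(cname_rdata)) + cname_rdata
    answer2 = encode_name(cname) + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer1 + answer2


if __name__ == "__main__":
    # Placeholder values: replace with your on-prem DNS server IP and VNet address range.
    FQDN = "mysqlservername.database.core.windows.net"
    RESOLVER = "10.0.0.4"
    VNET_CIDR = "10.1.0.0/16"
    answers = resolve_a(FQDN, RESOLVER)
    ok, leaked = check_private_resolution(answers, VNET_CIDR)
    print(f"{FQDN} -> {answers}; private-only: {ok}; outside VNet: {leaked}")
```

Running it once against the on-prem DNS server and once against the DNS proxy in Azure tells you which hop is at fault when the conditional forwarder is misconfigured: the proxy answering with the private IP while the on-prem server answers with a public IP means the forwarder zone name does not match the queried name.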