Azure SQL Private Endpoint DNS problem

Matt Mellifont 11 Reputation points
2020-03-09T04:40:16.247+00:00

Hi

I have deployed a private endpoint for an Azure SQL DB service. Now the problem I am having is figuring out how to set up the correct DNS entries to allow on-premises users to connect to the SQL DB service over the S2S VPN.

After reading the following it looks like I need to create a DNS forward entry for the FQDN of the SQL DB to work properly (e.g. SqlDbInstanceName.databases.windows.net).

How would I set up my AD DNS to forward traffic for that FQDN to the IP? Do I have to go and create a whole new forward lookup zone etc., or is there something simpler? The documentation states "Use your custom DNS server. You can use your own DNS server to override the DNS resolution for a given private link resource." This is what I am trying to confirm using Active Directory DNS.

Azure Active Directory Domain Services
0 comments No comments

4 answers

Sort by: Most helpful
  1. James Dumont 106 Reputation points MVP
    2020-04-20T14:15:33.303+00:00

    Hello,

    I got blocked days ago on the same subject, when users from the On-Premises network tried to reach my Private Endpoint over S2S VPN; sharing the solution below.

    Overview of the solution:
    Forward DNS request to a DNS VM proxy located on Azure.
    The DNS VM proxy is in a vnet that has a link with your Azure private DNS zones hosting the "privatelink" recommended DNS zones.

    Detail of the solution:

    1. Create the Azure private DNS zone “privatelink.database.core.windows.net” with the DNS A record “mysqlservername.privatelink.database.core.windows.net” that returns the IP of my Azure SQL Server private endpoint.
    2. Use a VM DNS proxy; this VM’s vNet is linked to the above-mentioned Azure private DNS zone. This DNS VM forwards DNS requests to the Azure DNS IP 168.63.129.16. Here, a solution could be to use Azure AD DS as the DNS proxy; it’s natively configured to forward DNS requests to 168.63.129.16.
    3. Use a DNS conditional forwarder on the On-Premises DNS servers to forward DNS requests for the DNS zone “mysqlservername.database.core.windows.net” to the DNS proxy on Azure (in my context, to the 2 private IPs of my Azure AD DS service).

    Feature request:
    A feature request has been published here to simplify Private Endpoint DNS resolution from On-Premises.

    Regards,

    James

    2 people found this answer helpful.
    0 comments No comments

  2. msrini-MSFT 6,856 Reputation points Microsoft Employee
    2020-03-09T06:58:04.51+00:00

    Hi,

    When you create the Private link for the SQL service named SqlDbInstancename, a CNAME is created for SqlDbInstanceName.databases.windows.net to SqlDbInstanceName.privatelink.databases.windows.net.

    In your On-Premises DNS server, map your SqlDbInstanceName.databases.windows.net FQDN to the private IP of the private endpoint. For the resources in the Azure VNET to access the resource, a private DNS zone needs to be created to point SqlDbInstanceName.privatelink.databases.windows.net to the private endpoint.


  3. Ricardo Costa 76 Reputation points
    2020-06-18T19:22:39.16+00:00

    Hi @MattMellifont-3212,

    The answers you got are totally correct, and the one from @JamesDumont is very complete. Let me also give you a heads up about a GitHub document at the link https://github.com/dmauser/PrivateLink, where you can find a lot of information on how private endpoint works, and the common issues and topologies related to DNS, explained in a different way from the Microsoft official documentation.

    To directly answer your question, the only thing you need is "something" that will translate the FQDN of your Azure service (let's assume an Az SQL) from mysqlservername.database.core.windows.net to the private IP of your private endpoint NIC. To do that, without much harm, you can set up a DNS zone on your on-prem server with the full FQDN of it (mysqlservername.database.core.windows.net), then define an A record for the root of that zone pointing to the IP of the private endpoint. And voilà, you have your on-prem DNS server resolving the FQDN to the private IP without deploying anything else on Azure.

    Keep in mind this approach has some cons; for example, if you have a large set of private endpoints, it will be difficult to manage them all, and therefore the solution that @JamesDumont described is the best one.

    Hope this helps! Ricardo

    0 comments No comments

  4. Ibrahima MBODJI 6 Reputation points
    2020-09-26T13:54:35.697+00:00

    Hi, I agree with James. I had exactly the same problem in a Point-to-Site VPN configuration, and I unblocked the situation by adding a simple DNS forwarder which forwards requests to the Azure wire DNS 168.63.129.16.

    0 comments No comments
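The two on-premises DNS patterns described above (James's conditional forwarder to an Azure-side DNS proxy, and Ricardo's per-FQDN zone with an apex A record), as an added PowerShell example that is not part of any of the answers. It assumes the DnsServer module on a Windows AD DNS server, and that the Azure DNS proxy (DNS VM or Azure AD DS) already exists; the server name, IPs and function names are placeholders.

```powershell
# Added example, not from the thread. Replace the placeholder values with your own.
# Requires the DnsServer module (RSAT DNS Server tools) on an on-premises AD DNS server.
Import-Module DnsServer

$SqlFqdn           = 'mysqlservername.database.windows.net'  # placeholder: your Azure SQL server FQDN
$PrivateEndpointIp = '10.1.0.5'                              # placeholder: private endpoint NIC IP
$AzureDnsProxies   = @('10.1.1.4', '10.1.1.5')               # placeholder: DNS proxy VM / Azure AD DS IPs

# Pattern A (James): forward queries for the SQL FQDN to the Azure-side DNS proxy,
# which forwards to 168.63.129.16 and answers from the linked privatelink private DNS zone.
function Add-PrivateLinkForwarder {
    param([string]$Zone, [string[]]$Forwarders)
    if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $Forwarders -ReplicationScope Forest
    }
}

# Pattern B (Ricardo): an authoritative zone named after the full FQDN, with one A record
# at the apex. Needs nothing in Azure, but it is one zone per private endpoint to maintain.
function Add-PrivateLinkPinnedZone {
    param([string]$Fqdn, [string]$Ip)
    if (-not (Get-DnsServerZone -Name $Fqdn -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Fqdn -ReplicationScope Domain
    }
    Add-DnsServerResourceRecordA -ZoneName $Fqdn -Name '@' -IPv4Address $Ip -TimeToLive (New-TimeSpan -Minutes 5)
}

# Check: an on-premises client must get the private IP back; a public IP means the
# override is not taking effect and traffic would not use the private endpoint.
function Test-PrivateLinkResolution {
    param([string]$Fqdn, [string]$ExpectedIp, [string]$DnsServer)
    $answer = Resolve-DnsName -Name $Fqdn -Type A -Server $DnsServer -ErrorAction Stop
    $ips = @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    if ($ips -contains $ExpectedIp) { return "OK: $Fqdn -> $ExpectedIp" }
    return "MISMATCH: $Fqdn -> $($ips -join ', ')"
}

# Pick one pattern, then verify from the DNS server itself.
Add-PrivateLinkForwarder -Zone $SqlFqdn -Forwarders $AzureDnsProxies
# Alternative: Add-PrivateLinkPinnedZone -Fqdn $SqlFqdn -Ip $PrivateEndpointIp
Test-PrivateLinkResolution -Fqdn $SqlFqdn -ExpectedIp $PrivateEndpointIp -DnsServer 'localhost'
```

Run the check again from an on-premises client over the VPN; if it still returns a public address, clear the client's resolver cache and confirm the client actually uses the AD DNS server.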