Azure SQL Private Endpoint DNS problem

Matt Mellifont 11 Reputation points
2020-03-09T04:40:16.247+00:00

Hi

I have deployed a private endpoint for an Azure SQL DB service. Now the problem I am having is figuring out how to setup the correct DNS entires to allow onpremise users to connect to the SQL DB service over the S2S VPN.

After reading the following it looks like i need to create a DNS forward entry for the FQDN of the SQL DB to work properly (e.g. SqlDbInstanceName.databases.windows.net).

How would I setup my AD DNS to forward traffic for that FQDN to the IP? Do I have to go an create a whole new forward lookup zone etc. or is there something simpler. The documentation states "Use your custom DNS server. You can use your own DNS server to override the DNS resolution for a given private link resource." This is what I am trying to confirm using Active Directory DNS

Microsoft Entra
0 comments No comments
{count} votes

5 answers

Sort by: Most helpful
  1. James Dumont le Douarec 36 Reputation points MVP
    2020-04-20T14:15:33.303+00:00

    Hello,

    Got blocked days ago on the same subject when users from On-Premises network tried to reach my Private Endpoint over S2S VPN, sharing below the solution.

    Overview of the solution:
    Forward DNS request to a DNS VM proxy located on Azure.
    The DNS VM proxy is in a vnet that has a link with your Azure private DNS zones hosting the "privatelink" recommended DNS zones.

    Detail of the solution:

    1. Create the Azure private dns zone “privatelink.database.core.windows.net” with the DNS A record “mysqlservername.privatelink.database.core.windows.net” that returns the IP of my Azure SQL Server private endpoint’s IP.
    2. Use a VM DNS proxy, this VM’s vNet is linked to the upper mentioned Azure private dns zone. This DNS VM forwards DNS request to Azure DNS IP 168.63.129.16. Here, a solution could be to use Azure AD DS as the DNS proxy, it’s natively configured to forward dns request to 168.63.129.16.
    3. Use a DNS conditional forwarder on the On-Premises DNS servers to forward dns requests for the DNS zone “mysqlservername.database.core.windows.net” to the DNS proxy on Azure (in my context, to the 2 private Ips of my Azure AD DS service).

    Feature request:
    A feature request has been published here to simplify Private Endpoint DNS resolution from On-Premises.

    Regards,

    James

    2 people found this answer helpful.
    0 comments No comments

  2. Ricardo Costa 76 Reputation points
    2020-06-18T19:22:39.16+00:00

    Hi @MattMellifont-3212,

    The answers you got are totally correct, and the one from @JamesDumont is very complete. Let me also give you a heads up for a GitHub document at the link https://github.com/dmauser/PrivateLink, where you can find a lot of information on how private endpoint works, and the common issues and topologies related to DNSs, explained in a different way of the Microsoft official documentation.

    To directly answer your question, the only thing you need is "something" that will translate your FQDN of your Azure service (let's assume an Az SQL) from mysqlservername.database.core.windows.net to the private IP of your private endpoint NIC. To do that, without much harm, you can setup a DNS zone on your on-prem server with the full FQDN of it (mysqlservername.database.core.windows.net), then define an A record for the root of that zone to the IP of the private endpoint. And voilá, you have your on-prem DNS server resolving the FQDN to the private IP without deploying anything else on Azure.

    Keep in mind this approach has some cons, for example, if you have a large set of private endpoints, it will be difficult to manage all, and therefore, the solution that @JamesDumont described is the best one.

    Hope this helps! Ricardo

    0 comments No comments

  3. Ibrahima MBODJI 6 Reputation points
    2020-09-26T13:54:35.697+00:00

    Hi i agree with James i have exactly the same problems in a Point to site VPN configuration and I unblock the situation by adding a simple dns forwarder which forward requests to Azure Wire DNS 168.63.129.16.

    0 comments No comments

  4. Sachindra Devanarayana 5 Reputation points
    2023-07-15T21:00:55.59+00:00

    Problem Overview: When attempting to connect to Azure SQL databases through Private Link using SSMS from an on-premises network, users may encounter DNS resolution issues. The Azure SQL Private Link setup requires the addition of a conditional forwarder for the "privatelink.database.windows.net" domain. However, connecting directly to the IP address or using the Private Link FQDN (<server>.privatelink.database.windows.net) will intentionally fail.(https://learn.microsoft.com/en-us/azure/azure-sql/database/private-endpoint-overview?view=azuresql-db#check-connectivity-using-sql-server-management-studio-ssms) To establish a successful SSMS connection, the correct FQDN format (<server>.database.windows.net) must be used.

    Solution: To resolve the Azure SQL Private Link DNS resolution issue for SSMS connectivity, please follow the step-by-step instructions below, which include the use of Azure DNS Private Resolver:

    Identify the Issue:

    • Experience DNS resolution problems when using SSMS to connect to Azure SQL databases through Private Link from an on-premises network.
    1. Understand the Root Cause:
    • Azure SQL Private Link requires the addition of a conditional forwarder for the "privatelink.database.windows.net" domain.
    • Direct login attempts using the Private Link FQDN or IP address intentionally fail, as the correct FQDN (<server>.database.windows.net) must be specified for SSMS connections.

    Configure Azure DNS Private Resolver:

    • In the Azure portal, navigate to your Virtual Network (VNet) settings.
    • Enable the Azure DNS Private Resolver feature for your VNet, allowing it to resolve DNS queries for resources within Azure.

    Add Conditional Forwarders:

    • Open the DNS management console on the DNS server used in the on-premises network.
    • Add a conditional forwarder for the domain "privatelink.database.windows.net," pointing to the DNS server responsible for resolving Azure services.

    Configure SSMS Connection:

    • Open SSMS on the client machine within the on-premises network.
    • In the "Connect to Server" dialog, enter the Fully Qualified Domain Name (FQDN) of the server (<server>.database.windows.net) instead of the Private Link FQDN or IP address.
    • Provide appropriate authentication details (username and password).

    Test SSMS Connectivity:

    • Click the "Connect" button in SSMS to establish a connection to the Azure SQL database through Private Link.
    • Verify successful login and ensure that you can perform desired operations within SSMS.

    Conclusion: By following the above steps, you can resolve the Azure SQL Private Link DNS resolution issue specifically related to SSMS connectivity from your on-premises network. By enabling Azure DNS Private Resolver and adding the conditional forwarder for the "privatelink.database.windows.net" domain as well as <server>.database.windows.net (both), you can ensure that DNS queries from your on-premises network are resolved correctly to Azure resources. Using the correct FQDN format in SSMS connection settings will enable a successful connection to Azure SQL databases. Remember to keep your DNS configurations up to date to ensure proper connectivity and security for your Azure infrastructure.

    1 person found this answer helpful.
    0 comments No comments

  5. msrini-MSFT 9,261 Reputation points Microsoft Employee
    2020-03-09T06:58:04.51+00:00

    Hi,

    When you create the Private link for the SQL service named SqlDbInstancename, a CNAME is created for SqlDbInstanceName.databases.windows.net to SqlDbInstanceName.privatelink.databases.windows.net.

    In your On-Premises, map your SqlDbInstanceName.databases.windows.net FQDN to the private IP of the private endpoint in your DNS server. For the resources in Azure VNET to access the resource, private DNS Zone needs to be created to point SqlDbInstanceName.priavtelink.databases.windows.net to the private endpoint.