How to access via Microsoft Azure Storage Explorer a blob storage via private endpoint?

Piotr E 0 Reputation points
2023-02-28T11:51:14.43+00:00

Scenario:

We have a datalake that we want to secure and we want to start using it via a private endpoint connection between our one datalake and service which is cross region. Our service can be represented as a scaleset with 2 instances in each region with its vnets. Once our service will start using the private endpoint connection we want to be able to disable public internet access but still have the opportunity to connect from on prem device via VPN.

Looks like private DNS zone doesn't work over an Azure P2S VPN Connection. 

Is there a better way than using an Azure Private DNS Resolver to access the private DNS zone?


1 answer

  1. GitaraniSharma-MSFT 47,086 Reputation points Microsoft Employee
    2023-02-28T17:55:02.7366667+00:00

    Hello @Piotr E ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you want to access a blob storage connected to private endpoint via Microsoft Azure Storage Explorer over an Azure P2S VPN Connection and would like to know if there is a better way than using an Azure Private DNS Resolver to access the private DNS zone.

    For on-premises workloads to resolve the FQDN of a private endpoint, you need to use a DNS forwarder to resolve the Azure service public DNS zone in Azure.

    A DNS forwarder is a Virtual Machine running on the Virtual Network linked to the Private DNS Zone that can proxy DNS queries coming from other Virtual Networks or from on-premises. This is required as the query must be originated from the Virtual Network to Azure DNS.

    A few options for DNS proxies are: Windows running DNS services, Linux running DNS services, Azure Firewall. Or you could use the new Azure service called Azure DNS Private Resolver that enables you to query Azure DNS private zones from an on-premises environment and vice versa without deploying VM based DNS servers.

    Reference: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder

    If you check the table in Name resolution for resources in Azure virtual networks article, you can find the below:

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances


    Conditional forwarding for Azure Private DNS is natively supported using Azure DNS Private Resolver.

    Refer: https://learn.microsoft.com/en-us/azure/dns/private-dns-overview#other-considerations

    Usage of Azure DNS Private Resolver service can be found in the below docs:

    Refer: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

    https://learn.microsoft.com/en-us/azure/dns/private-resolver-hybrid-dns

    https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios#4-on-premises-dns-integration

    If you don't want to use Azure Private DNS Resolver, then for P2S VPN clients to be able to resolve Private Endpoint entries hosted on Azure Private DNS Zones, you must leverage an existing DNS Server (Forwarder or Proxy) or deploy one IaaS VM using a DNS Server role. That is required for P2S VPN clients to be able to consume Azure Private DNS Zone which is exposed to 168.63.129.16 via DNS Forwarder/Proxy.

    Once you have a DNS forwarder/proxy deployed on Azure, you can define the DNS server at the VNET level or set DNS Server configuration directly on client XML profile. Post this, you will be able to resolve Private Endpoint entries from your P2S clients.

    Refer: https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-P2S

    https://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-optional-configurations#add-custom-dns-servers

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

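A check that follows from the answer above, added here as an example and not part of the original thread: run it from a P2S client to see whether the storage account name still resolves through public DNS or already follows the private endpoint path (CNAME into `privatelink.blob.core.windows.net`, private IP served from the Azure Private DNS zone via the forwarder or DNS Private Resolver). It uses only the standard library; the account name `mydatalake`, the stamp name and the sample addresses are constructed placeholders.

```python
"""Classify how <account>.blob.core.windows.net resolves from the current host."""
import ipaddress
import socket
import sys

PRIVATELINK_SUFFIX = ".privatelink.blob.core.windows.net"
# Assumption: the VNet hosting the private endpoint uses RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def classify(fqdn, canonical, aliases, ips):
    """Classify one answer in the shape socket.gethostbyname_ex returns."""
    names = [fqdn, canonical, *aliases]
    via_privatelink = any(PRIVATELINK_SUFFIX in n.lower() for n in names)
    private = [ip for ip in ips if is_rfc1918(ip)]
    if ips and len(private) == len(ips) and via_privatelink:
        return "private-endpoint"   # answered from the private DNS zone via 168.63.129.16
    if ips and not private:
        return "public"             # public DNS answered; traffic would not use the PE
    return "inconsistent"           # e.g. hosts-file override or mixed answers


def check_blob_resolution(account, resolve=socket.gethostbyname_ex):
    fqdn = f"{account}.blob.core.windows.net"
    try:
        canonical, aliases, ips = resolve(fqdn)
    except socket.gaierror as exc:   # NXDOMAIN or no resolver reachable over the VPN
        return {"fqdn": fqdn, "status": "unresolved", "detail": str(exc)}
    return {"fqdn": fqdn, "status": classify(fqdn, canonical, aliases, ips),
            "names": [canonical, *aliases], "ips": ips}


# Constructed answers mirroring what a client sees with and without a DNS
# forwarder / Private Resolver in its resolution path (no real account or IP).
SAMPLE_PRIVATE = ("mydatalake.privatelink.blob.core.windows.net",
                  ["mydatalake.blob.core.windows.net"], ["10.1.2.4"])
SAMPLE_PUBLIC = ("blob.examplestamp.store.core.windows.net",
                 ["mydatalake.blob.core.windows.net",
                  "mydatalake.privatelink.blob.core.windows.net"], ["203.0.113.10"])

if __name__ == "__main__":
    print(check_blob_resolution(sys.argv[1] if len(sys.argv) > 1 else "mydatalake"))
```

A "public" result on a VPN client means the custom DNS server from the client XML profile (or the VNet DNS setting) is not in effect; "inconsistent" usually points at a local hosts entry rather than at the forwarder.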