Azure DNS Private Resolver is not returning private endpoint IP Address for Forms Recognizer

Anon4343 451

We're using Azure DNS Private Resolver to look up the Private Endpoint for Azure Forms Recognizer. Despite having the Private Endpoint DNS registered in the Private DNS Zone and our on-premises DNS configured with a Conditional Forward to cognitiveservices.azure.com, we are still only receiving the public IP address. Networking properties have public access disabled. All resources are in the same region.

What configuration could be missing?

nslookup - <ip of Azure DNS Private DNS Resolver>

example-formrecognizer01-main.cognitiveservices.azure.com

Name:    vnetproxyv3-use2-prod.eastus2.cloudapp.azure.com
Address:  20.119.156.143
Aliases:  example-formrecognizer01-main.privatelink.cognitiveservices.azure.com
          eastus2.prod.vnet.cog.trafficmanager.net

KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee

2023-06-13T04:50:06.4033333+00:00
@Anon4343

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

May I ask from where are you doing the DNS queries?

I take it that you are doing this from your OnPremises.

Please confirm

Can you do a nslookup <ip of Azure DNS Private DNS Resolver> from the Hub Vnet (where the Private DNS Resolver is deployed) and share the results?

Is this working

Do you have any DNS forwarding ruleset linked to this VNet?

If so, does is contain a ruleset rule configured to forward queries for the private zone <.cognitiveservices.azure.com> to the inbound endpoint.?

Thanks,

Kapil
KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee

2023-06-14T09:05:54.4666667+00:00

@Anon4343

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
Anon4343 451 Reputation points

2023-06-14T16:11:59.58+00:00
Hi Kapil, thank you for responding. Here are my answers:

May I ask from where are you doing the DNS queries?

On premises and a VM hosted in Azure. Both utilize Windows DNS servers.

Can you do a nslookup <ip of Azure DNS Private DNS Resolver> from the Hub Vnet (where the Private DNS Resolver is deployed) and share the results?

There are no VMs within the same VNet as the Azure DNS Private Resolver.

Other DNS lookups resolve correctly for Azure services such as azetestmanagement.eastus2.afs.azure.net

nslookup azetestmanagement.eastus2.afs.azure.net

Server: DNS1.tscb.local

Address: 10.140.2.10

Non-authoritative answer:

Name: azetestmanagement.eastus2.privatelink.afs.azure.net

Address: 10.141.9.86

Aliases: azetestmanagement.eastus2.afs.azure.net

Do you have any DNS forwarding ruleset linked to this VNet?

If so, does is contain a ruleset rule configured to forward queries for the private zone <.cognitiveservices.azure.com> to the inbound endpoint.?

No
KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee

2023-06-14T16:21:39.43+00:00
@Anon4343

May I know if you got a chance to review my previous comment?

It would be better if we can make sure the Private DNS Resolver is working properly before troubleshooting if the DNS queries are actually forwarder to them.

If possible, I would suggest you deploy a dummyVM in the VNet as the Private DNS Resolver and use it to check the DNS response from Private resolver.

Also, from this VM, can you do
nslookup <yourservicename>.cognitiveservices.azure.com 168.63.129.16

Also, if there are any peered VNets, you can use the VMs in these VNets as well

In your query,

Is 10.140.2.10 Private DNS Resolver Inbound EndPoint?

If not, then these results are not helpful to isolate the issue

Cheers,

Kapil
Anon4343 451 Reputation points

2023-06-14T18:24:31.7266667+00:00

The Private DNS zone, privatelink.cognitiveservices.azure.com, has a virtual network link to the VNet containing the Azure Form Recognition service Private Endpoint. Is there another virtual network link that needs to be created? This minimum configuration has worked for other on-prem computer dns lookups.
Anon4343 451 Reputation points

2023-06-14T19:06:55.6133333+00:00

I found it. The Private DNS Zone was not linked to the VNet containing the Private DNS Resolver's Inbound IP address. I thought that it was connected by a private endpoint, but it has its own service subnet. Private Endpoints are connected to their own VNet.

Sorry about that!

Accepted answer

KapilAnanth-MSFT 37,406 Reputation points Microsoft Employee

2023-06-15T04:45:06.9+00:00
@Anon4343

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that Azure DNS Private Resolver is not returning private endpoint IP Address for Forms Recognizer

I suggested that we deploy a dummyVM in the VNet as the Private DNS Resolver and use it to check the DNS response from Private resolver.

Also, from this VM, can you do
nslookup <yourservicename>.cognitiveservices.azure.com 168.63.129.16

Also, if there are any peered VNets, you can use the VMs in these VNets as well

The intention of this is to make sure Private DNS Resolver is actually resolving the Private DNS Zones IP.

After further troubleshooting,

It appears you have not linked to the VNet containing the Private DNS Resolver's Inbound IP address to the Private DNS Zone.

And you were able to resolve this issue

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Azure DNS Private Resolver is not returning private endpoint IP Address for Forms Recognizer

0 additional answers