Azure Files P2S to Private Endpoint DNS

Ryusuke Ito 0 Reputation points
2023-08-16T10:12:47.49+00:00

Regarding Azure Files with a Private Endpoint and P2S Connectivity from AD/AAD hybrid environment/workstations.

In order to make a mount or map a drive to an Azure Files share, over a private endpoint/Azure Gateway from a client computer:...

Is it necessary for there to be a DNS or DNS Resolver in the virtual network that the storage is connected to?

  1. Does this work with P2S connections from on-prem AD networks?
  2. or does it require S2S from on-prem to the vnet?
  3. What of connections from outside the premises?

2 answers

Sort by: Most helpful
  1. Tech-Hyd-1989 5,816 Reputation points
    2023-08-16T10:39:09.8566667+00:00

    Hello Ryusuke Ito

    Yes, it is necessary for there to be a DNS or DNS resolver in the virtual network that the storage is connected to. This is because the client computer will need to resolve the DNS name of the Azure Files share to its private IP address.

    P2S connections from on-prem AD networks can be used to mount or map a drive to an Azure Files share over a private endpoint/Azure Gateway. However, S2S connections from on-prem to the vnet are required for connections from outside the premises.

    Here are the steps on how to mount or map a drive to an Azure Files share over a private endpoint/Azure Gateway from a client computer:

    1. Create a DNS server or DNS resolver in the virtual network that the storage is connected to.
    2. Create a private endpoint for the Azure Files share.
    3. Create an Azure Gateway if you need to connect from outside the premises.
    4. On the client computer, configure the DNS settings to point to the DNS server or DNS resolver in the virtual network.
    5. Mount or map the drive to the Azure Files share using the private IP address of the Azure Files share.

    Here are some additional things to keep in mind:

    • The client computer must be in the same virtual network as the Azure Files share or be connected to the virtual network through a P2S or S2S connection.
    • The client computer must have the Azure Files client installed.
    • The Azure Files share must be accessible from the client computer.

    I hope this helps! Let me know if you have any other questions.


  2. GitaraniSharma-MSFT 49,881 Reputation points Microsoft Employee
    2023-08-22T09:45:00.4233333+00:00

    Hello @Ryusuke Ito,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know some details about Azure Files with a Private Endpoint and P2S Connectivity from AD/AAD hybrid environment/workstations. Please find the answers below:

    Is it necessary for there to be a DNS or DNS Resolver in the virtual network that the storage is connected to?

    Yes, in order for connections to your storage account to go over your network tunnel, the fully qualified domain name (FQDN) of your storage account must resolve to your private endpoint's private IP address. To achieve this, you must forward the storage endpoint suffix (core.windows.net for public cloud regions) to the Azure private DNS service accessible from within your virtual network.

    You can follow the guide below for all the details related to configuring DNS forwarding for Azure Files:

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-dns

    Does this work with P2S connections from on-prem AD networks?

    Yes, it works with P2S connections from on-prem AD networks.

    Refer: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-configure-p2s-vpn-windows

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-overview#tunneling-traffic-over-a-virtual-private-network-or-expressroute

    Or does it require S2S from on-prem to the vnet?

    Not necessarily; you can use P2S VPN from any network as long as the local machine has the Azure VPN client and the required authentication method (such as certificates, etc.) installed/available.

    But if you already have an S2S VPN or need to connect your on-premises network to Azure for other purposes, then you can also go for an S2S VPN connection. Refer: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-configure-s2s-vpn

    What of connections from outside the premises?

    The same applies to connections from outside the premises. It can be a P2S VPN connection from any local machine and any network (on-prem or remote).

    Adding answers for the follow-up questions you asked in the previous answer:

    Is it not that S2S connection is required for on-prem connection to Files and P2S connection is required from outside the premises?

    Yes, it is generally true that an S2S connection is required for on-premises and a P2S connection is required for remote networks, but it completely depends on your existing infrastructure and requirements.

    P2S VPN is a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to an Azure VNet.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about

    https://learn.microsoft.com/en-us/azure/vpn-gateway/howto-point-to-site-multi-auth

    A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. So, as long as the individual client computer has the Azure VPN client and the required authentication method (such as certificates, etc.) installed/available, you should be able to use it from any network (on-premises or remote).

    But what of offsite clients? How does P2S VPN achieve resolution of the names? Does the native VPN client allow resolution via Azure DNS, or does it also use the DNS/DNS Resolver deployed on the VNet?

    Yes, it also uses the DNS forwarder deployed on the VNet.

    In general, there are a few options to configure your DNS settings for private endpoints:

    • Use the hosts file (only recommended for testing). You can use the hosts file on a virtual machine to override the DNS.
    • Use a private DNS zone. You can use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve specific domains.
    • Use your DNS forwarder (optional). You can use your DNS forwarder to override the DNS resolution for a private link resource. Create a DNS forwarding rule to use a private DNS zone on your DNS server hosted in a virtual network.

    For on-premises workloads to resolve the FQDN of a private endpoint, you must use a DNS forwarder in Azure, which in turn is responsible for resolving all the DNS queries via a server-level forwarder to the Azure-provided DNS 168.63.129.16. Refer: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder

    If you check the table in the Name resolution for resources in Azure virtual networks article, you can find the below, which applies to both on-premises and remote machines:


    At the initial setup, when you are just starting with Azure Files with a Private Endpoint and P2S Connectivity, I would recommend testing with the hosts file. This will give you an idea of how DNS resolution with a private endpoint works.

    And then you can go for a DNS forwarder setup.

    Refer: https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-P2S

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-overview#dns-configuration

    What is Azure Files client? I appear to have missed references to that somehow.

    I'm not sure what is referred to as the Azure Files client.

    But to configure networking, Azure Files provides an internet accessible public endpoint and integration with Azure networking features like service endpoints, which help restrict the public endpoint to specified virtual networks, and private endpoints, which give your storage account a private IP address from within a virtual network IP address space.

    Since TCP port 445 is blocked for you, you can use private endpoint over P2S VPN to mount and access your Azure Files.

    The steps would be as below:

    • Create a P2S VPN gateway and configure P2S VPN client on your machines:

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal

    https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-cert-windows

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-configure-p2s-vpn-windows

    • Create a private endpoint for your Azure Files:

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-endpoints?tabs=azure-portal

    • Configure DNS forwarding:

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-overview#dns-configuration

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-dns

    • Mount Azure Files on the P2S client:

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-configure-p2s-vpn-windows#mount-azure-file-share

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
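As an added example (not code from the Q&A above or from Microsoft's documentation), a PowerShell check a Windows P2S client can run before mounting, to confirm the requirement the answer describes: the share's FQDN must resolve to the private endpoint's private IP, both through the client's own DNS settings and at the forwarder in the VNet. The storage account name, private endpoint IP and forwarder address are placeholders.

```powershell
# Added example (not from the Q&A above): check on a Windows P2S client that the Azure
# Files FQDN resolves to the private endpoint's private IP before mounting the share.
# Placeholders (assumptions, replace with your own): account "mystorageacct",
# private endpoint IP 10.0.1.4, DNS forwarder in the VNet 10.0.0.4.
param(
    [string]$StorageAccount    = 'mystorageacct',
    [string]$ExpectedPrivateIp = '10.0.1.4',
    [string]$VnetDnsForwarder  = '10.0.0.4'
)

$fqdn = "$StorageAccount.file.core.windows.net"

function Test-PrivateEndpointResolution {
    param([string]$Name, [string]$Expected, [string]$Forwarder)
    # Query twice: through the client's current DNS settings (what the SMB mount will
    # use) and directly against the forwarder in the VNet. If only the second one is
    # right, the VNet side is fine and the P2S client's DNS settings are the problem.
    $probes = [ordered]@{
        'client default DNS' = @{ Name = $Name; Type = 'A' }
        'VNet DNS forwarder' = @{ Name = $Name; Type = 'A'; Server = $Forwarder }
    }
    $allGood = $true
    foreach ($label in $probes.Keys) {
        $p = $probes[$label]
        try {
            $ips = (Resolve-DnsName @p -ErrorAction Stop | Where-Object Type -eq 'A').IPAddress
        } catch {
            Write-Warning "[FAIL] $label : $($_.Exception.Message)"; $allGood = $false; continue
        }
        if ($ips -contains $Expected) {
            Write-Host "[OK]   $label : $Name -> $($ips -join ', ')"
        } else {
            # A public IP here means the mount would bypass the tunnel and go to the
            # internet-facing endpoint (where TCP 445 is typically blocked).
            Write-Warning "[FAIL] $label : $Name -> $($ips -join ', ') (expected $Expected)"
            $allGood = $false
        }
    }
    return $allGood
}

if (Test-PrivateEndpointResolution -Name $fqdn -Expected $ExpectedPrivateIp -Forwarder $VnetDnsForwarder) {
    # Resolution is right; confirm SMB (TCP 445) is reachable over the P2S tunnel.
    $tcp = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
    "SMB 445 to $($tcp.RemoteAddress): $(if ($tcp.TcpTestSucceeded) { 'reachable' } else { 'blocked' })"
}

# Hosts-file override for the initial test the answer suggests (elevated shell; remove
# it again before moving to the DNS forwarder setup):
# Add-Content "$env:SystemRoot\System32\drivers\etc\hosts" "$ExpectedPrivateIp $fqdn"
```

Run it from the client while the P2S tunnel is up; a [FAIL] on the client probe with an [OK] on the forwarder probe points at the VPN client's DNS settings rather than at the private DNS zone.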

