Private Endpoint DNS Zone

Adil Pasha 0 Reputation points
2023-10-26T16:02:16.1533333+00:00

We create Private Endpoint and DNS zones for 3 subnets in a VNet. Each subnet has a private endpoint + DNS zone to resolve the Key Vault URI. We see that the Key Vault URI is being resolved with 3 IP addresses, one from each subnet. But when I do 'nslookup' from each subnet it resolves to 3 IP addresses. If I do PING from each subnet it shows the same IP address for the Key Vault URL.

The question is how does a VM in a subnet connect to the Key Vault using the URL when the IP address is from another subnet?

Best regards.

Adil.

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

1 answer

  1. VasimTamboli 4,785 Reputation points
    2023-10-26T19:47:44.8666667+00:00

    Hello @Adil Pasha ,

    If I understood correctly.

    When a VM in a subnet tries to connect to the Key Vault using the URL, it will first try to resolve the URL to an IP address using the DNS server in its subnet. If the DNS server has a record for the Key Vault URI, it will return the private IP address of the Key Vault's private endpoint in that subnet. If the DNS server does not have a record for the Key Vault URI, it will forward the query to the next DNS server in the hierarchy, until it is eventually resolved to the public IP address of the Key Vault.

    In your case, each subnet has its own private DNS zone with a record for the Key Vault URI. This means that each subnet will resolve the Key Vault URI to its own private IP address. However, when you do an nslookup from each subnet, it resolves to 3 IP addresses. This is because the nslookup command is querying all of the DNS servers in the hierarchy, not just the DNS server in the current subnet.

    When you do a ping from each subnet, it shows the same IP address for the Key Vault URL. This is because the ICMP protocol is used for pinging, and ICMP packets are not routed through private endpoints. Instead, ICMP packets are routed through the public IP address of the Key Vault.

    So, how does a VM in a subnet connect to the Key Vault using the URL when the IP address is from another subnet? The answer is that the VM will use the private IP address of the Key Vault's private endpoint in its subnet. The VM will resolve the Key Vault URI to the private IP address using the DNS server in its subnet.

    Here is an example of how this would work:

    1. A VM in subnet A tries to connect to the Key Vault using the URL https://my-keyvault.vault.azure.net.
    2. The VM resolves the URL to the private IP address of the Key Vault's private endpoint in subnet A using the DNS server in subnet A.
    3. The VM establishes a TCP connection to the private IP address of the Key Vault's private endpoint in subnet A.
    4. The Key Vault authenticates the VM and authorizes it to access the requested resources.
    5. The VM accesses the requested resources from the Key Vault.

    This process is transparent to the VM. The VM does not need to know that the Key Vault is in a different subnet.

    It is important to note that private endpoints are only supported for Key Vault data plane operations. Key Vault control plane operations (such as creating, deleting, and modifying keys and secrets) are not supported through private endpoints.

    3 people found this answer helpful.
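The practical check behind this thread is: which subnet does each of the three resolved addresses belong to, and is every answer actually a private VNet address rather than the public Key Vault address (which would mean the private DNS zone was not consulted for that lookup)? The script below is an added diagnostic, not code from the question or the answer above. The subnet CIDRs, the resolved addresses and the hostname are hypothetical; the answer lists stand in for the nslookup output the questioner described, so it runs offline. On a VM you would replace the constructed list with the live lookup.

```python
"""Added diagnostic for the scenario above: one Key Vault name that resolves to
three A records (one private endpoint per subnet).  Classifies each resolved
address by subnet and flags anything that is not a private address in this VNet.
CIDRs, addresses and hostname are hypothetical, not taken from the thread."""
import ipaddress
import socket
from typing import Dict, List, Optional

# Hypothetical VNet: three subnets, each containing one Key Vault private endpoint.
SUBNETS: Dict[str, ipaddress.IPv4Network] = {
    "subnet-a": ipaddress.ip_network("10.0.1.0/24"),
    "subnet-b": ipaddress.ip_network("10.0.2.0/24"),
    "subnet-c": ipaddress.ip_network("10.0.3.0/24"),
}

# Constructed stand-in for the nslookup output described in the question.
CONSTRUCTED_ANSWERS: List[str] = ["10.0.1.4", "10.0.2.4", "10.0.3.4"]

# Constructed output of the same lookup when the private zone was bypassed:
# one answer is a public address, so that client would not use a private endpoint.
CONSTRUCTED_LEAKED_ANSWERS: List[str] = ["10.0.1.4", "20.0.0.1"]


def subnet_for(addr: str, subnets: Dict[str, ipaddress.IPv4Network]) -> Optional[str]:
    """Return the name of the subnet whose CIDR contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, net in subnets.items():
        if ip in net:
            return name
    return None


def classify(answers: List[str],
             subnets: Dict[str, ipaddress.IPv4Network]) -> Dict[str, Dict[str, object]]:
    """For each resolved address, record whether it is private and which subnet holds it."""
    result: Dict[str, Dict[str, object]] = {}
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        result[addr] = {
            # A private endpoint always receives a private (RFC 1918 style) VNet address.
            "private": ip.is_private,
            # None means private but outside this VNet's subnets (e.g. a peered VNet).
            "subnet": subnet_for(addr, subnets),
        }
    return result


def problems(answers: List[str], subnets: Dict[str, ipaddress.IPv4Network]) -> List[str]:
    """Describe every answer that does not look like a private endpoint in this VNet."""
    out: List[str] = []
    for addr, info in classify(answers, subnets).items():
        if not info["private"]:
            out.append(f"{addr}: public address, private zone not used for this lookup")
        elif info["subnet"] is None:
            out.append(f"{addr}: private but not in any listed subnet")
    return out


def resolve_all(hostname: str) -> List[str]:
    """Live lookup of every IPv4 address for hostname (what nslookup lists). Needs network."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({ai[4][0] for ai in infos})


if __name__ == "__main__":
    # Offline run on the constructed answers. On a VM, use
    # resolve_all("my-keyvault.vault.azure.net") (hypothetical vault name) instead.
    for addr, info in classify(CONSTRUCTED_ANSWERS, SUBNETS).items():
        print(f"{addr:<12} private={str(info['private']):<5} subnet={info['subnet']}")
    print("problems:", problems(CONSTRUCTED_LEAKED_ANSWERS, SUBNETS) or "none")
```

Run it once from a VM in each subnet and compare: if every answer is private and maps to one of the subnets, the name is being resolved through the private zone from all three locations, and whichever address the client picks is reachable inside the VNet. A public answer from any subnet is the case to chase down, since that client is not going through a private endpoint at all.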