Non-VPN users not able to access the Azure file share using the private DNS name.

N Wakchaure, Jagdish 120 Reputation points
2024-08-05T18:38:57.2766667+00:00

We have a couple of Azure file shares which are accessible by VPN users by name. They access them using the private endpoints. We have created two DCs in Azure where we have created the conditional forwarders which forward the traffic to the DNS zone (private) which resolves the names for the Azure file shares.

Now there is no issue for VPN users, and the customer has recently asked us if it was possible for on-prem users to access the Azure files without the Azure VPN client. We blocked external access to Azure Files, so we need to use the Private Endpoint in Azure by name, not IP, since it is encrypted.

So how can we perform/test the on-prem conditional forwarder to the Azure-based DCs, which will then conditionally forward to Azure DNS? Or how can we resolve this issue so on-prem users can access the file share without VPN?

Some notes from my colleague:

The file share URI will not be able to be resolved from on-prem DNS servers since it is an Azure DNS zone. You can only forward to Azure DNS from within Azure (so the Azure DCs can with no issues).

The Azure DCs already have a conditional forwarder set up to the Azure DNS which is scoped to only the 2 Azure DCs, because it will not work on the on-prem DCs so it shouldn't replicate to them.

That is what the partition is for.

We need to test something similar the other way for non-Azure-VPN users, to see if we can put a conditional forwarder on the on-prem DCs (limited to only them and NOT the Azure DCs) that will forward to the Azure DCs, which can then resolve the Azure DNS records.

I am not replicating it in the lab; I thought that's what we were asking your team to do? We are not sure this will work, and we are NOT testing it on production servers.

We DO NOT need to test the DNS partition part, that is normal; we need to test the on-prem conditional forwarder to the Azure-based DCs, which will then conditionally forward to Azure DNS.

You would need to set up the partition since the conditional forwarder would have the same name but forward to different targets depending on whether you were on-prem or in Azure.

---

So how can we set up the configuration so that even non-VPN users can access the file share hosted on Azure through private endpoints / private links?


Accepted answer
  1. Konstantinos Passadis 19,166 Reputation points MVP
    2024-08-05T20:23:24.85+00:00

    Hello @N Wakchaure, Jagdish

    Your issue is quite common

    Indeed, Azure DNS zones, which resolve private endpoint names for Azure file shares, are not directly accessible from on-premises networks. The existing conditional forwarders on your Azure DCs work within Azure but won't help on-premises users.

    • Create a DNS forwarding zone on your on-premises DNS servers. This zone will be responsible for handling requests for the Azure private DNS zone names (e.g., privatelink.file.core.windows.net).
    • Configure this forwarding zone to forward queries to your Azure-based DNS servers (the two DCs you mentioned).
    1. Conditional Forwarder (On-Premises):
      • On your on-premises DNS servers, create a conditional forwarder that matches the DNS names in your Azure private DNS zone.
      • Point this conditional forwarder to the IP addresses of your Azure-based DNS servers.
      • Ensure that this conditional forwarder is scoped to apply only to your on-premises DNS servers.
    2. Firewall Rules (Azure):
      • In your Azure network security groups (NSGs), allow inbound DNS traffic (UDP port 53) from your on-premises DNS servers to your Azure-based DNS servers. This ensures that the forwarding queries are not blocked.

    Try this setup and come back with the results!

    --

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

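The two-leg forwarder design described in the question and the accepted answer, written out as an added PowerShell example (this is not code from the thread or from Microsoft; it uses the Windows Server DnsServer module). The zone name `privatelink.file.core.windows.net` comes from the answer; the Azure DC addresses (10.10.0.4, 10.10.0.5), the partition names and the storage account name `contosofiles` are assumed placeholders. `168.63.129.16` is Azure's fixed in-VNet recursive resolver, which is why the Azure-side forwarder can reach the private DNS zone and an on-prem server cannot. The same zone name is created twice with different targets, so each copy is stored in a custom application directory partition that only the intended set of DCs is enrolled in; that is the "partition" the colleague's notes refer to. The verification function walks the expected chain (public CNAME to the privatelink name, then an A record with an RFC 1918 address) and then probes SMB port 445, because name resolution alone is not enough: the private endpoint IP is only reachable from on-prem over a site-to-site VPN or ExpressRoute path, even when no point-to-site VPN client is used.

```powershell
# Added example for this thread (not code from the question or the answers).
# Assumed placeholder values; replace with your own:
$PrivateLinkZone = 'privatelink.file.core.windows.net'   # private DNS zone named in the answer
$AzureDcs        = @('10.10.0.4', '10.10.0.5')           # the two Azure-based DCs (assumed IPs)
$AzureResolver   = '168.63.129.16'                       # Azure's fixed in-VNet DNS resolver

# Creates (once) a custom application directory partition and enlists this DC in it.
# A zone stored in such a partition replicates only to the DCs enlisted in it, which is
# how the on-prem and Azure forwarders (same name, different targets) are kept apart.
function Initialize-DnsPartition {
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Get-DnsServerDirectoryPartition -Name $Name -ErrorAction SilentlyContinue)) {
        Add-DnsServerDirectoryPartition -Name $Name
    }
    # Already-enlisted servers raise an error here; that is harmless, so it is suppressed.
    Register-DnsServerDirectoryPartition -Name $Name -ErrorAction SilentlyContinue
}

# Creates or updates the conditional forwarder for the privatelink zone on this DC.
# Run with -Targets $AzureResolver -Partition 'AzureDnsPartition' on each Azure DC, and
# with -Targets $AzureDcs -Partition 'OnPremDnsPartition' on each on-prem DC.
# If you do not want partitions at all, drop -ReplicationScope/-DirectoryPartitionName:
# the forwarder is then kept in this server's local configuration and never replicates.
function Set-PrivateLinkForwarder {
    param(
        [Parameter(Mandatory)][string[]]$Targets,
        [Parameter(Mandatory)][string]$Partition
    )
    Initialize-DnsPartition -Name $Partition
    if (Get-DnsServerZone -Name $PrivateLinkZone -ErrorAction SilentlyContinue) {
        # Already present (e.g. replicated from another DC in the same partition): update targets only.
        Set-DnsServerConditionalForwarderZone -Name $PrivateLinkZone -MasterServers $Targets
    } else {
        Add-DnsServerConditionalForwarderZone -Name $PrivateLinkZone -MasterServers $Targets `
            -ReplicationScope Custom -DirectoryPartitionName $Partition -ForwarderTimeout 3
    }
}

# Run from an on-prem machine against an on-prem DC that carries the forwarder.
# Expected chain:
#   <account>.file.core.windows.net              CNAME  <account>.privatelink.file.core.windows.net
#   <account>.privatelink.file.core.windows.net  A      <private endpoint IP, RFC 1918>
# A public IP in the A record means the forwarder was not consulted and the client would
# hit the blocked public endpoint.
function Test-PrivateLinkResolution {
    param(
        [Parameter(Mandatory)][string]$StorageAccount,   # e.g. 'contosofiles' (placeholder)
        [Parameter(Mandatory)][string]$DnsServer         # an on-prem DC with the forwarder
    )
    $fqdn  = "$StorageAccount.file.core.windows.net"
    $rr    = Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop
    $cname = ($rr | Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost
    $ip    = ($rr | Where-Object Type -eq 'A'     | Select-Object -First 1).IPAddress
    $isPrivateIp = $ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
    $smb = $false
    if ($ip) {
        # Reachability of the private endpoint itself (site-to-site VPN / ExpressRoute path).
        $smb = (Test-NetConnection -ComputerName $ip -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]@{
        Fqdn              = $fqdn
        CName             = $cname
        IPAddress         = $ip
        PrivateEndpointOK = $isPrivateIp -and ($cname -like "*.$PrivateLinkZone")
        SmbReachable      = $smb
    }
}

# Example usage (on an on-prem DC, after Set-PrivateLinkForwarder has been run there):
# Test-PrivateLinkResolution -StorageAccount 'contosofiles' -DnsServer 'localhost'
```

Run `Set-PrivateLinkForwarder` on every DC of each set, because a custom partition only replicates the zone to the DCs enlisted in it and `Register-DnsServerDirectoryPartition` is per server. `Test-PrivateLinkResolution` uses `-DnsOnly` so a stale client cache or a hosts-file entry cannot mask a broken forwarder.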

1 additional answer

  1. Nehruji R 7,811 Reputation points Microsoft Vendor
    2024-08-06T12:09:07.81+00:00

    Hello N Wakchaure, Jagdish,

    Greetings! Welcome to Microsoft Q&A Platform.

    YES, it is possible for on-prem users to access the Azure files without the Azure VPN client, by using Azure Private Endpoints and configuring appropriate DNS forwarding. https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable#run-join-azstorageaccountforauth.

    1. To do this, set up Azure Private Endpoints, then configure Azure DNS for Private Endpoints, and next configure on-premises DNS to forward to Azure DNS.

    2. Next, you have blocked external access to Azure Files and need to use Private Endpoints with DNS names instead of IP addresses. "YES", this involves setting up private DNS zones to resolve the private endpoint names within your network. It's important to correctly configure your DNS settings to resolve the private endpoint IP address to the fully qualified domain name (FQDN) of the connection string. Existing Microsoft Azure services might already have a DNS configuration for a public endpoint. This configuration must be overridden to connect using your private endpoint.

    To configure your DNS settings for private endpoints: you can use the hosts file on a virtual machine to override the DNS, or use a private DNS zone, https://learn.microsoft.com/en-us/azure/dns/private-dns-privatednszone.

     

    Azure creates a canonical name DNS record (CNAME) on the public DNS. The CNAME record redirects the resolution to the private domain name. You can override the resolution with the private IP address of your private endpoints. Connection URLs for your existing applications don't change. Client DNS requests to a public DNS server resolve to your private endpoints. The process doesn't affect your existing applications. https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns.

    3. Next, we should test the on-prem conditional forwarder to the Azure-based DCs, which will then conditionally forward to Azure DNS. "YES", this can be achieved by having on-premises DNS servers forward to an Azure-based domain controller (DC): first set up Private Endpoints and DNS Zones in Azure, then configure conditional forwarding on the Azure-based DCs, and next configure conditional forwarding on the on-premises DCs. The domain name of the Azure private DNS zone in the conditional forwarder to the Azure-based DC will be like "privatelink.file.core.windows.net".

    4. Lastly, how can we resolve this issue so on-prem users can access the file share without VPN? "YES", by using Azure Private Link and appropriate DNS configurations. To do this, follow the steps below. First, set up Private Endpoints and DNS Zones in Azure: create Private Endpoints for the Azure File Shares, create a Private DNS Zone in Azure, and set up DNS records for the Private Endpoint. Next, configure conditional forwarding from on-premises to Azure DNS: set up Azure VMs as DNS forwarders, open the DNS Management Console on the on-premises DC, and create a conditional forwarder on the on-premises DC. Next, check the network security and connectivity, and also verify the NSGs and firewall rules.

    Reference: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns

    https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios#5-architecture-design-example

    Similar post: https://learn.microsoft.com/en-us/answers/questions/883493/azure-private-dns-conditional-forwarders-from-on-p

    Hope this answer helps! Please let us know if you have any further queries. I'm happy to assist you further.

    Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
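The last step of this answer, "verify the NSGs and firewall rules", and the accepted answer's note about allowing DNS from the on-prem DNS servers to the Azure DCs, as an added PowerShell example using the Az.Network module (this is not code from the thread or from Microsoft, and it needs an authenticated `Connect-AzAccount` session). Resource group, NSG name and all IP addresses are assumed placeholders. It goes slightly beyond the answers in two ways: it allows TCP 53 as well as UDP 53, because a resolver retries over TCP when a UDP answer is truncated, and it restricts the source to the on-prem DNS servers rather than opening port 53 to any address. The second function is run from an on-prem DNS server to confirm both paths before the conditional forwarder is created.

```powershell
# Added example for this thread (not code from the question or the answers).
# Assumed placeholder values; replace with your own:
$ResourceGroup = 'rg-azure-dcs'                         # resource group of the Azure DCs' NSG
$NsgName       = 'nsg-azure-dcs'                        # NSG on the Azure DCs' subnet or NICs
$OnPremDns     = @('192.168.10.10', '192.168.10.11')    # on-prem DCs that will forward queries
$AzureDcs      = @('10.10.0.4', '10.10.0.5')            # Azure DCs that receive the queries

# Adds inbound rules allowing DNS (UDP 53 and TCP 53) only from the on-prem DNS servers
# to the Azure DCs. Rules are skipped if one with the same name already exists.
function Add-DnsForwardingNsgRules {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$NsgName,
        [Parameter(Mandatory)][string[]]$SourceDns,
        [Parameter(Mandatory)][string[]]$DestinationDns,
        [int]$BasePriority = 200                        # must be unique per NSG, 100-4096
    )
    $nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName
    $priority = $BasePriority
    foreach ($proto in 'Udp', 'Tcp') {
        $ruleName = "Allow-DNS-$proto-From-OnPremDns"
        if (-not ($nsg.SecurityRules | Where-Object Name -eq $ruleName)) {
            $nsg = $nsg | Add-AzNetworkSecurityRuleConfig -Name $ruleName `
                -Description 'Conditional-forwarder queries from on-prem DCs' `
                -Access Allow -Protocol $proto -Direction Inbound -Priority $priority `
                -SourceAddressPrefix $SourceDns -SourcePortRange '*' `
                -DestinationAddressPrefix $DestinationDns -DestinationPortRange '53'
        }
        $priority++
    }
    # Writes the updated rule set back to Azure.
    $nsg | Set-AzNetworkSecurityGroup
}

# Run from an on-prem DNS server: TCP 53 reachability to each Azure DC, then a real
# query (default UDP path) through that DC for the privatelink zone's SOA record.
# Both should succeed before the on-prem conditional forwarder is pointed at these DCs.
function Test-DnsPathToAzureDc {
    param(
        [Parameter(Mandatory)][string[]]$AzureDc,
        [string]$ProbeName = 'privatelink.file.core.windows.net'
    )
    foreach ($dc in $AzureDc) {
        $tcp = (Test-NetConnection -ComputerName $dc -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded
        $udp = $null -ne (Resolve-DnsName -Name $ProbeName -Type SOA -Server $dc -DnsOnly -ErrorAction SilentlyContinue)
        [pscustomobject]@{ AzureDc = $dc; Tcp53 = $tcp; Udp53Query = $udp }
    }
}

# Example usage:
# Add-DnsForwardingNsgRules -ResourceGroupName $ResourceGroup -NsgName $NsgName -SourceDns $OnPremDns -DestinationDns $AzureDcs
# Test-DnsPathToAzureDc -AzureDc $AzureDcs
```

If the Azure DCs sit behind an Azure Firewall or a third-party appliance in addition to the NSG, the same source-restricted UDP/TCP 53 allow rule is needed there too; the probe function will show `Tcp53` false and `Udp53Query` false for a DC that is blocked anywhere on the path.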
