Hi Chris Roberson,
Welcome to Microsoft Q&A, thanks for posting your query.
It seems like you are facing issues with DNS resolution when accessing Azure File Shares over a P2S VPN connection. Here are a few steps to check why the DNS Private Resolver stopped working as expected.
Firstly, I would like to confirm whether you have followed the steps mentioned in the document "Configure a Point-to-Site (P2S) VPN on Linux or Windows for use with Azure Files" to configure the P2S VPN connection on your Linux machine. If not, I would recommend that you follow the steps mentioned in the document to configure the P2S VPN connection.
Once you have configured the P2S VPN connection, you can try to connect to your Azure Storage Account File share using the private endpoint. To do that, you need to make sure that your DNS resolution is set up correctly and is resolving the FQDN to the correct private IP address. You can use the "nslookup" command to test the resolver and verify that it is working correctly.
nslookup <your-storage-account-name>.file.core.windows.net
This command should return the private IP address of your storage account if the DNS resolution is set up correctly. If it returns the public IP address, then you need to check your DNS configuration.
If the DNS resolution is set up correctly, you can try to connect to your Azure Storage Account File share using the private IP address of your storage account. To do that, you need to mount the file share using the following command:
sudo mount -t cifs //<your-storage-account-name>.file.core.windows.net/<your-file-share-name> /mnt/<your-mount-point> -o vers=3.0,username=<your-storage-account-name>,password=<your-storage-account-key>,dir_mode=0777,file_mode=0777,sec=ntlmssp
Replace <your-storage-account-name> with the name of your storage account, <your-file-share-name> with the name of your file share, and <your-mount-point> with the mount point on your Linux machine.
If you are still facing issues, please let me know and provide me with more information about the error message you are receiving.
You can also check DNS resolution and connectivity to your Azure file share. To mount or access a file share successfully, your client must be able to resolve the fully qualified domain name of the storage account to the correct IP address for the desired network endpoint of the storage account. Establish a successful TCP connection to the correctly resolved IP address on the correct port for the desired protocol.
Additional information:
Connecting to an Azure Storage Account using Azure VPN without public IP access can be challenging. Here are some steps and considerations that might help you troubleshoot the issue:
- Azure VPN Client Setup: Ensure that you have the latest Azure VPN profile provisioning. If you're encountering difficulties, you can manually import the VPN profile using the Azure VPN Client application. This might help establish a secure connection to the Azure network.
- Private IP Address: To connect to resources like VMs or storage accounts, you need to know their private IP addresses. If you're unable to ping the private endpoint, it could be due to insufficient network routes provided by the VPN. In such cases, a new peering setup might be required for the VPN gateway.
- Always On VPN Configuration: For a more persistent connection, consider configuring an Always On VPN user tunnel. This setup ensures that your VPN connection remains active and could help maintain a stable connection to your storage account.
- DNS Resolution: If resolving Private Link gives you the public address, it might be a DNS issue. Ensure that your DNS settings are correctly configured to resolve to the private IP address of the private endpoint within the Azure network.
- Troubleshooting Connectivity: If you're unable to reach the Azure storage account via port 445, it could be blocked by your organization or ISP. Using Azure P2S VPN, Azure S2S VPN, or ExpressRoute can help tunnel SMB traffic over a different port.
- Private Endpoint Configuration: Using private endpoints for your storage account allows clients on a VNet to securely access data over a Private Link. The private endpoint uses an IP address from the VNet address space, eliminating exposure from the public internet. This setup is crucial for secure access from on-premises networks connected to the VNet via VPN or ExpressRoute.
Remember to check the network security group (NSG) rules and the storage account’s firewall settings to ensure they’re not blocking the desired traffic. If the issue persists, I would like to work offline on this issue.
Similar Query:
https://learn.microsoft.com/en-us/answers/questions/1346628/azure-files-p2s-to-private-endpoint-dns
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
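To make the resolution and port checks from the answer above repeatable, here is an added shell example (not from the original answer or from Microsoft's documentation). It takes the storage account name as its argument and assumes that getent and nc are installed and that the VNet uses RFC 1918 address space.

```shell
#!/bin/sh
# Added example, not part of the original answer: verify that the storage
# account FQDN resolves to a private endpoint address over the P2S VPN and
# that TCP/445 (SMB) is reachable. Assumes getent and nc are installed and
# that the VNet uses RFC 1918 address space (a labelled assumption).

# Return 0 if the dotted-quad IPv4 address is in an RFC 1918 range.
is_private_ip() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a resolver answer: prints "private", "public" or "unresolved".
classify_resolution() {
    if [ -z "$1" ]; then
        echo unresolved
    elif is_private_ip "$1"; then
        echo private
    else
        echo public
    fi
}

# First IPv4 address the system resolver returns for the FQDN (empty if none).
resolve_fqdn() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 { print $1 }'
}

# Walk the checks for one storage account name and print what to fix next.
check_file_share_path() {
    fqdn="$1.file.core.windows.net"
    ip=$(resolve_fqdn "$fqdn")
    case "$(classify_resolution "$ip")" in
        unresolved) echo "$fqdn did not resolve: check the DNS servers pushed by the VPN"; return 1 ;;
        public)     echo "$fqdn -> $ip is public: the private endpoint DNS zone is not being used"; return 2 ;;
        private)    echo "$fqdn -> $ip is a private endpoint address" ;;
    esac
    # SMB needs TCP/445; a blocked port shows up here as a timeout, not as a DNS fault.
    if nc -z -w 3 "$ip" 445 2>/dev/null; then
        echo "TCP/445 reachable: the mount should succeed"
    else
        echo "TCP/445 blocked: check NSG rules, the storage firewall and VPN routes"; return 3
    fi
}

if [ $# -gt 0 ]; then check_file_share_path "$1"; fi
```

Run it as `sh check.sh <your-storage-account-name>` while the VPN is connected; a non-zero exit code tells you which layer (DNS, private endpoint zone, or port 445) to look at first.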