On-premise SHIR not connecting through S2S tunnel

Question

On-premise SHIR not connecting through S2S tunnel

Saïd El Kacimi | Analyze 0

Hello,

I have an issue with the SHIR not connecting through the Site to Site VPN tunnel, I have a private endpoint and a private DNS Zone for Synapse in Azure set up, I have added the DNS entry in the host file of the SHIR machine. The Machine can find the the endpoint with it's private ip when I use nslookup. The machine only connects to Synapse when I allow it to go through the public internet. Does anyone know what I am missing?

(This is my first post here so if I am not providing the necessary information or the right question I am sorry about that).

Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-19T08:56:54.0133333+00:00

Hello Saïd El Kacimi | Analyze

Greetings!

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Saïd El Kacimi | Analyze 0 Reputation points

2025-03-20T10:05:02.24+00:00

Our setup includes two private endpoints for Synapse with corresponding Private DNS Zones. The Studio endpoint has a private DNS zone privatelink.azuresynapse.net, a private endpoint named pe-synapse-studio, and an IP address of 10.203.1.4. The SQL endpoint has a private DNS zone privatelink.sql.azuresynapse.net, a private endpoint named pe-synapse-sql, and an IP address of 10.203.1.5.

Since our on-premises environment does not use a proxy or a DNS server, we manually added entries to the hosts file on the SHIR machine to resolve these private endpoints:

10.203.1.4 synapse-workspace-li.dev.azuresynapse.net

10.203.1.5 synapse-workspace-li.sql.azuresynapse.net

Despite this, SHIR still does not route traffic through the VPN tunnel. We ran multiple connection tests, but the issue persists. Screenshots of our tests:

I also wanted to clarify one point: Does the Self-Hosted Integration Runtime (SHIR) require outbound access to the public internet for authentication purposes? We have currently blocked all internet access to our SHIR host under the assumption that all traffic (including authentication) should flow solely through our site-to-site VPN tunnel. However, we’re seeing connectivity issues, which suggests SHIR may need to reach certain public endpoints.

Could you please confirm whether public internet access is mandatory for SHIR’s authentication and management traffic? If so, we would appreciate any details on which specific domains or IP ranges we should allow.
Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-20T13:24:44.56+00:00
Hello Saïd El Kacimi | Analyze

Does the Self-Hosted Integration Runtime (SHIR) require outbound access to the public internet for authentication purposes?

Yes, the Self-Hosted Integration Runtime (SHIR) needs outbound internet access for authentication, management, and updates. Blocking all internet access to your SHIR host may lead to connectivity issues.

The cloud also requires that you allow the IP address of the machine accessing the store. Ensure the IP address of the self-hosted integration runtime machine is permitted or configured in the firewall correctly.

The following cloud data stores require you to allow the IP address of the self-hosted integration runtime machine. Some of these data stores may not need an allow list by default.

Azure SQL Database

Azure Synapse Analytics

Azure Data Lake Store

Azure Cosmos DB

Kindly check the below link for more understanding:

https://learn.microsoft.com/en-us/azure/data-factory/data-movement-security-considerations#firewall-requirements-for-on-premisesprivate-network

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-21T07:24:50.4266667+00:00

Hello Saïd El Kacimi | Analyze

Greetings!

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-24T08:49:53.31+00:00

Hello Saïd El Kacimi | Analyze

Greetings!

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Saïd El Kacimi | Analyze 0 Reputation points

2025-03-25T08:13:01.0033333+00:00

Hello,

The problem is not solved with above information.

The machine can connect to Synapse, the problem is that it is not using the Site to Site tunnel when data is being transferred. All communication of the machine is going to the public internet, in which at least the data traffic should go through the tunnel.

I have shared with you the entries in the host file.

What should I be checking to find out what is causing this issue?
Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-28T12:27:48.1966667+00:00

Hello Saïd El Kacimi | Analyze

Could you please check the VPN tunnel metrics to see if the traffic is passing through the S2S connection while transferring data from your source machine to the Synapse service?

In the meantime, please collect the packet captures and analize whether the traffic is passing through the private IP.
Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-31T10:29:24.9466667+00:00

Hello Saïd El Kacimi | Analyze

Greetings!

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-31T23:56:39.39+00:00

Hello Saïd El Kacimi | Analyze

Greetings!

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

1 answer

Your answer

Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-19T08:56:54.0133333+00:00

Hello Saïd El Kacimi | Analyze

Greetings!

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Saïd El Kacimi | Analyze 0 Reputation points

2025-03-20T10:05:02.24+00:00

Our setup includes two private endpoints for Synapse with corresponding Private DNS Zones. The Studio endpoint has a private DNS zone privatelink.azuresynapse.net, a private endpoint named pe-synapse-studio, and an IP address of 10.203.1.4. The SQL endpoint has a private DNS zone privatelink.sql.azuresynapse.net, a private endpoint named pe-synapse-sql, and an IP address of 10.203.1.5.

Since our on-premises environment does not use a proxy or a DNS server, we manually added entries to the hosts file on the SHIR machine to resolve these private endpoints:

10.203.1.4 synapse-workspace-li.dev.azuresynapse.net

10.203.1.5 synapse-workspace-li.sql.azuresynapse.net

Despite this, SHIR still does not route traffic through the VPN tunnel. We ran multiple connection tests, but the issue persists. Screenshots of our tests:

I also wanted to clarify one point: Does the Self-Hosted Integration Runtime (SHIR) require outbound access to the public internet for authentication purposes? We have currently blocked all internet access to our SHIR host under the assumption that all traffic (including authentication) should flow solely through our site-to-site VPN tunnel. However, we’re seeing connectivity issues, which suggests SHIR may need to reach certain public endpoints.

Could you please confirm whether public internet access is mandatory for SHIR’s authentication and management traffic? If so, we would appreciate any details on which specific domains or IP ranges we should allow.
Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-20T13:24:44.56+00:00

Hello Saïd El Kacimi | Analyze

Does the Self-Hosted Integration Runtime (SHIR) require outbound access to the public internet for authentication purposes?

Yes, the Self-Hosted Integration Runtime (SHIR) needs outbound internet access for authentication, management, and updates. Blocking all internet access to your SHIR host may lead to connectivity issues.

The cloud also requires that you allow the IP address of the machine accessing the store. Ensure the IP address of the self-hosted integration runtime machine is permitted or configured in the firewall correctly.

The following cloud data stores require you to allow the IP address of the self-hosted integration runtime machine. Some of these data stores may not need an allow list by default.

Azure SQL Database

Azure Synapse Analytics

Azure Data Lake Store

Azure Cosmos DB

Kindly check the below link for more understanding:

https://learn.microsoft.com/en-us/azure/data-factory/data-movement-security-considerations#firewall-requirements-for-on-premisesprivate-network

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-21T07:24:50.4266667+00:00

Hello Saïd El Kacimi | Analyze

Greetings!

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-24T08:49:53.31+00:00

Hello Saïd El Kacimi | Analyze

Greetings!

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Saïd El Kacimi | Analyze 0 Reputation points

2025-03-25T08:13:01.0033333+00:00

Hello,

The problem is not solved with above information.

The machine can connect to Synapse, the problem is that it is not using the Site to Site tunnel when data is being transferred. All communication of the machine is going to the public internet, in which at least the data traffic should go through the tunnel.

I have shared with you the entries in the host file.

What should I be checking to find out what is causing this issue?
Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-28T12:27:48.1966667+00:00

Hello Saïd El Kacimi | Analyze

Could you please check the VPN tunnel metrics to see if the traffic is passing through the S2S connection while transferring data from your source machine to the Synapse service?

In the meantime, please collect the packet captures and analize whether the traffic is passing through the private IP.
Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-31T10:29:24.9466667+00:00

Hello Saïd El Kacimi | Analyze

Greetings!

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-31T23:56:39.39+00:00

Hello Saïd El Kacimi | Analyze

Greetings!

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.

Answer 1

Hello Saïd El Kacimi | Analyze

Greetings!

I understand that you are facing a resolution issue, while are you enabling the public connectivity it is working as expected.

For further investigation, please provide the following information:

Could you share a screenshot of the Nslookup from your source machine?

Also, let me know which DNS you are using in the private endpoint VNET - Azure provided or custom DNS.

If you are using custom DNS, you need to set a forwarder in the custom DNS server machine point to azure DNS IP (168.63.129.16.). And also, please confirm whether the custom DNS and private endpoint are in the same VNET or different VNETs, and check in the private DNS zone VNET's are linked properly.
If you are connecting from on-premises, you need to configure a conditional forwarder in the on-prem DNS server machine to point to the private DNS resolver. Additionally, you need to configure the private DNS resolver inside Azure.

kindly check the below document for more understanding:

https://github.com/msrini-MSFT/Troubleshooting-Private-Link-DNS-Scenarios?tab=readme-ov-file#scenario-2---if-your-source-machine-is-deployed-on-premises-other-cloud

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-03-19T18:29:50.1733333+00:00

Hello Saïd El Kacimi | Analyze

Greetings!

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back. I have converted my comment into an answer please accept it as it will be helpful for other community members.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Share via

On-premise SHIR not connecting through S2S tunnel

1 answer

Your answer