@Michael Mallok I apologize for the delay in responding to your post. Appreciate your response to my questions.
Please note that the Storage account needs to have access from the VNet if you want to be able to access it from on-premises. This is because the private endpoint is assigned an IP address from the IP address range of the VNet.
To answer your questions-
- This aforementioned assigned IP address is not part of the VNet (10.5.0.0/16) or any of its Subnets. Thus, there is no built-in way of accessing the Private Endpoints. Is there a way to bridge that gap without setting up a VM that acts as DNS Server?
Unfortunately, you only have two options, and both need some configuration on your custom DNS server, i.e., you should configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet, or configure the A records for StorageAccountA.privatelink.blob.core.windows.net with the private endpoint IP address.
Please refer to these articles for more information on configuring a private endpoint for Azure Storage:
- https://www.youtube.com/watch?v=V8PjtCTTT6c
- This article refers to configuring DNS when using private endpoints: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns
- https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder
- The requests coming from my local machine try to use the public IPs of the Storage Account instead of the private ones provided by the Private Links of the Private Endpoints. Can that be the case? And if so, is that something that has to be fixed on the local machine or in the routing inside of the Azure VNet?
This is because the DNS server that your local machines use does not have an A record for the privatelink DNS name of the storage account which should look something like:
StorageAccountA.privatelink.blob.core.windows.net A 10.1.1.5
At that point, the traffic will try to go to the VNet (since the private endpoint IP will belong to the VNet address range) via the VPN/ExpressRoute and it will eventually be able to hit the Storage account privately. Right now, it is using the public DNS, which resolves to the public IP.
Please fix the two issues, which are allowing the VNet into the Storage Account as well as resolving the DNS to the private IP. Hope this helps.
Let us know if you have any further questions and we will be glad to assist you further. Thank you!
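As an added, offline check (example code, not part of the answer above or of any Microsoft tooling): the script below follows the CNAME chain from the storage account's blob hostname to its privatelink name and reports whether the final A record lands inside the VNet range (10.5.0.0/16 from the question) or on a public IP, which is the failure mode described above. The two zone tables are constructed sample data; the names, the public IP and the private IP 10.5.1.5 are assumptions for illustration.

```python
import ipaddress

# Constructed DNS data (not real records). Each name maps to (record_type, value).
# ZONE_BROKEN: what an on-premises resolver sees when it has no privatelink A record,
# so the privatelink name falls through to the public CNAME/A chain.
ZONE_BROKEN = {
    "storageaccounta.blob.core.windows.net": ("CNAME", "storageaccounta.privatelink.blob.core.windows.net"),
    "storageaccounta.privatelink.blob.core.windows.net": ("CNAME", "blob.example-cluster.store.core.windows.net"),
    "blob.example-cluster.store.core.windows.net": ("A", "203.0.113.10"),  # public IP (TEST-NET-3, constructed)
}
# ZONE_FIXED: the on-premises DNS now holds the privatelink A record pointing at the private endpoint.
ZONE_FIXED = {
    "storageaccounta.blob.core.windows.net": ("CNAME", "storageaccounta.privatelink.blob.core.windows.net"),
    "storageaccounta.privatelink.blob.core.windows.net": ("A", "10.5.1.5"),  # private endpoint IP (constructed)
}


def resolve(zone, name, max_hops=8):
    """Follow CNAMEs in the constructed zone; return (ip_or_None, chain_of_names)."""
    chain = [name.lower().rstrip(".")]
    for _ in range(max_hops):
        record = zone.get(chain[-1])
        if record is None:
            return None, chain          # no answer for this name
        rtype, value = record
        if rtype == "A":
            return value, chain
        chain.append(value.lower().rstrip("."))
    return None, chain                  # CNAME loop or chain too long


def check_private_resolution(zone, host, vnet_cidr):
    """Classify how `host` resolves relative to the VNet and name the record that needs fixing."""
    ip, chain = resolve(zone, host)
    privatelink = next((n for n in chain if ".privatelink." in n), None)
    result = {"ip": ip, "chain": chain, "privatelink_name": privatelink}
    if ip is None:
        result["status"] = "unresolved"
    elif ipaddress.ip_address(ip) in ipaddress.ip_network(vnet_cidr):
        result["status"] = "private"    # traffic will ride the VPN/ExpressRoute into the VNet
    else:
        result["status"] = "public"     # on-prem DNS still hands out the public IP
    return result


if __name__ == "__main__":
    for label, zone in (("broken", ZONE_BROKEN), ("fixed", ZONE_FIXED)):
        r = check_private_resolution(zone, "StorageAccountA.blob.core.windows.net", "10.5.0.0/16")
        print(f"{label}: {r['status']} via {' -> '.join(r['chain'])} => {r['ip']}")
```

When the status is "public", the reported privatelink_name is the name that needs an A record with the private endpoint IP on the on-premises DNS server.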