Azure P2S VPN (Standard SKU) - Private Endpoints

Question

Azure P2S VPN (Standard SKU) - Private Endpoints

ArnoudRaeven 16

I have setup an Azure Point to Site (P2S) VPN via OpenSSL and Azure AD Authentication on a Generation 1 Standard SKU.
Connection via the Azure VPN Client works and I receive an IP from the VPN pool.
Also I can see that in the routing table the IP-range of my Virtual Network is listed.

Vnet: 192.168.200.0/24
Subnet: 192.168.200.0/25
GW Subnet: 192.168.200.128/28
VPN: 172.16.200.0/24

I have 2 private endpoints defined.
1 for SQL
1 for Azure File Share

Both are listed in the Private Endpoint section of the VNET
I also see DNS records in privatelink.file.core.windows.net (FileShare) and privatelink.database.windows.net (SQL).
So that looks good.

However, no connectivity is possible via:

4 answers

Your answer

Answer 1

Jackson Martins 10,606 MVP Volunteer Moderator

Hi @ArnoudRaeven
You will need a DNS server that forwards this request to private DNS.
You can use a solution with a dDNS server or use the DNS Private Resolver feature

Reference: https://learn.microsoft.com/pt-br/azure/architecture/hybrid/hybrid-dns-infra

Reference: https://azure.microsoft.com/pt-br/resources/templates/dns-forwarder/

Get in touch if you need more help with this issue.

--please don't forget to "[Accept the answer]" if the reply is helpful--

Answer 2

ArnoudRaeven 16

@Jackson Martins thanks! New feature for me. Good!
Is there a set-by-step instruction available somewhere?

I have trouble to determine the in and outbound endpoints.
In theory only P2S VPN clients will connect, from various locations. So no fixed on prem IP range(s).

Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2022-08-29T12:46:34.457+00:00

@ArnoudRaeven
The feature is still in public preview, it works in a more practical way than provisioning a vm from scratch.
Below is the tutorial:
https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-get-started-portal

--please don't forget to "[Accept the answer]" if the reply is helpful--
ArnoudRaeven 16 Reputation points

2022-08-29T12:51:05.067+00:00

Thanks, I will read through it and see if I can get it working.
Once done I will come back to you.

Answer 3

Hi @Jackson Martins ,

I've created the DNS Private Resolver succesfully.
However no change in DNS Name Resolution via Azure VPN Client.
$targetDNS1 = IP of Inbound Endpoint

I've also tested by putting the private endpoint IP's in a hostfile, ping doesn't work, but does use the private IP (as expected).
When I attempt to connect to <name>.privatelink.database.net via SQLSMS, the following error is returned:
"A connection was succesfully established with the server, but then an error occured during the login process. Targert Princple Name is incorrect."
Fixed that by selecting "Thrust Server Certificate" and subsequently the connection was made succesfully.

For <name>.privatelink.file.core.windows.net it also works when I use the hostfile.

When I remove the hostfile entry for both, it still doesn't work.
Any thoughts to what I might be overlooking?

Script I used is below:
Install-Module Az.DnsResolver
Get-InstalledModule -Name Az.DnsResolver

New-AzDnsResolver -Name CLIENT-dns-private-resolver -ResourceGroupName RESOURCEGROUP -Location westeurope -VirtualNetworkId "/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Network/virtualNetworks/CLIENT.virtualnetwork"  
$dnsResolver = Get-AzDnsResolver -Name CLIENT-dns-private-resolver -ResourceGroupName RESOURCEGROUP  
$dnsResolver.ToJsonString()  
  
$ipconfig = New-AzDnsResolverIPConfigurationObject -PrivateIPAllocationMethod Dynamic -SubnetId /subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Network/virtualNetworks/CLIENT.virtualnetwork/subnets/CLIENT.inbound.subnet  
New-AzDnsResolverInboundEndpoint -DnsResolverName CLIENT-dns-private-resolver -Name DNS-Priv-Resolver-Inbound-Endpoint -ResourceGroupName RESOURCEGROUP -Location westeurope -IpConfiguration $ipconfig  
$inboundEndpoint = Get-AzDnsResolverInboundEndpoint -Name DNS-Priv-Resolver-Inbound-Endpoint -DnsResolverName CLIENT-dns-private-resolver -ResourceGroupName RESOURCEGROUP  
$inboundEndpoint.ToJsonString()  
  
New-AzDnsResolverOutboundEndpoint -DnsResolverName CLIENT-dns-private-resolver -Name DNS-Priv-Resolver-Outbound-Endpoint -ResourceGroupName RESOURCEGROUP -Location westeurope -SubnetId /subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Network/virtualNetworks/CLIENT.virtualnetwork/subnets/CLIENT.outbound.subnet  
$outboundEndpoint = Get-AzDnsResolverOutboundEndpoint -Name DNS-Priv-Resolver-Outbound-Endpoint -DnsResolverName CLIENT-dns-private-resolver -ResourceGroupName RESOURCEGROUP  
$outboundEndpoint.ToJsonString()  
  
New-AzDnsForwardingRuleset -Name DNSForwardingRuleSet -ResourceGroupName RESOURCEGROUP -DnsResolverOutboundEndpoint $outboundendpoint -Location westeurope  
$dnsForwardingRuleset = Get-AzDnsForwardingRuleset -Name DNSForwardingRuleSet -ResourceGroupName RESOURCEGROUP  
$dnsForwardingRuleset.ToJsonString()  
  
$vnet = Get-AzVirtualNetwork -Name CLIENT.virtualnetwork -ResourceGroupName RESOURCEGROUP   
$vnetlink = New-AzDnsForwardingRulesetVirtualNetworkLink -DnsForwardingRulesetName $dnsForwardingRuleset.Name -ResourceGroupName RESOURCEGROUP -VirtualNetworkLinkName "vnetlink" -VirtualNetworkId $vnet.Id -SubscriptionId SUBSCRIPTIONID  
$virtualNetworkLink = Get-AzDnsForwardingRulesetVirtualNetworkLink -DnsForwardingRulesetName $dnsForwardingRuleset.Name -ResourceGroupName RESOURCEGROUP   
$virtualNetworkLink.ToJsonString()  
  
$vnet2 = New-AzVirtualNetwork -Name CLIENT.dns.virtualnetwork -ResourceGroupName RESOURCEGROUP -Location westeurope -AddressPrefix "10.1.1.0/24"  
$vnetlink2 = New-AzDnsForwardingRulesetVirtualNetworkLink -DnsForwardingRulesetName $dnsForwardingRuleset.Name -ResourceGroupName RESOURCEGROUP -VirtualNetworkLinkName "vnetlink2" -VirtualNetworkId $vnet2.Id -SubscriptionId SUBSCRIPTIONID  
$virtualNetworkLink2 = Get-AzDnsForwardingRulesetVirtualNetworkLink -DnsForwardingRulesetName $dnsForwardingRuleset.Name -ResourceGroupName RESOURCEGROUP  
$virtualNetworkLink2.ToJsonString()  
  
$targetDNS1 = New-AzDnsResolverTargetDnsServerObject -IPAddress 192.168.210.4 -Port 53  
$forwardingrule = New-AzDnsForwardingRulesetForwardingRule -ResourceGroupName RESOURCEGROUP -DnsForwardingRulesetName DNSForwardingRuleSet -Name "AzurePrivate" -DomainName "." -ForwardingRuleState "Enabled" -TargetDnsServer $targetDNS1

Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2022-08-30T14:43:00.527+00:00

|Hi @ArnoudRaeven
Try to modify xml file from client VPN and add DNS suffix and dnsserver (private resolver)

<clientconfig>
<dnsservers>
<dnsserver>x.x.x.x</dnsserver>
</dnsservers>
<dnssuffixes>
<dnssuffix>.core.windows.net</dnssuffix>
</dnssuffixes>
GerryNicol 1 Reputation point

2022-08-31T16:24:34.523+00:00

Try using the Public DNS zone forwarders as per this guide.

so <name>.database.windows.net

https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder
ArnoudRaeven 16 Reputation points

2022-09-01T11:30:15.747+00:00

Thanks, but I don't have an on-prem DNS solution in place.
Only a few Azure-AD joined PC's that obtain DHCP (and DNS) from an ISP gateway.
No desire to implement a DNS server for just 5 workstations, that's the whole benefit of Azure-AD + Azure VPN P2S.
ArnoudRaeven 16 Reputation points

2022-09-01T11:31:11.26+00:00

Thanks @Jackson Martins I will give this a try, as soon as my VPN Gateway is functioning again.
It broke and re-creating it fails up till now: https://learn.microsoft.com/en-us/answers/questions/990422/azure-vpn-gateway-ps2-configuration-in-failed-stat.html since 2 days.
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2022-09-01T11:52:28.493+00:00

@ArnoudRaeven
I just read the thread and it seems that there is no solution that is within your reach to resolve, there is an issue where it was only resolved with Microsoft support, I recommend opening a ticket as soon as possible

https://learn.microsoft.com/en-us/answers/questions/210809/internal-error-when-creating-a-vpn-gateway.html
ArnoudRaeven 16 Reputation points

2022-09-01T11:56:38.443+00:00

Unfortunately I cannot open a ticket, as there is no support contract (yet) on this subscription.
Feels weird that I need to pay to get something working that is failing without any fault of my own or fixable by myself?
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2022-09-01T14:25:00.513+00:00

@ArnoudRaeven

Have you checked to see if there are any linked NSGs in the VNET that might be preventing the client from connecting? try to remove all NSG from VNETs and subnets

Is there some custom route?

If you deploy to a different VNET for testing does it work? a workaround would be to separate the VNET and make a peering between the vnets for the communication to happen
Ryusuke Ito 0 Reputation points

2023-08-16T10:15:27.6766667+00:00

Was there a resolution to this issue?

Answer 4

Bas Pruijn 956

You can try the following to fix your set-up:

do a nslookup for your SQL Servers FQDN like this:

nslookup myserver.database.windows.net 192.168.210.4

assuming this will provide you with the private IP addres, you need to change theP2S profile XML file you use in the Azure VPN client tool to use this VPN by replacing the <clientconfig/> tag with:

	<clientconfig>
		<dnsservers>
			<dnsserver>192.168.210.4</dnsserver>
		</dnsservers>
	</clientconfig>

Share via

Azure P2S VPN (Standard SKU) - Private Endpoints

4 answers

Your answer