Forum Discussion
Private Endpoint to Azure Blob Storage from On-Premise
- Jan 03, 2022
Hi sc2317 ,
I was on holidays from 20th December, so I couldn't respond earlier.
ad 1) in a scenario where your on-prem DNS zone is not AD-integrated DNS (hosted on domain controllers), then it is correct you need to set up a conditional forwarding rule on your DNS Forwarders in Azure for those zones, otherwise your Azure VMs and other resources won't be able to resolve those names. Of course, you also need to make sure that DNS traffic from the forwarders to your on-prem is not blocked by a firewall.
ad 2) again, if your on-prem DNS is AD-integrated, the simplest solution is to extend your on-prem AD to Azure, where you can set up one or several replica domain controllers on Azure VMs. Those DCs can become your DNS Forwarders, able to resolve on-prem zones as well as Azure Private DNS zones. If your on-prem DNS is not hosted on Windows Servers (let's say you use BIND), your DNS Forwarders on Azure could be anything. I've seen a minimalistic Linux distro configured with DNS forwarding for that purpose. You might be able to use a standalone Windows Server with the DNS server role as well (I haven't seen this scenario in practice).
ad 3) It is definitely a recommended practice to centralize this configuration and both provision all Private Link DNS zones in a Hub subscription and link those zones with Hub VNets. Since your Spoke VNets need to be configured with Custom DNS pointing to your DNS Forwarders in the Hub, any links between Spoke VNets and DNS zones will be ignored!
Many thanks for your inputs. Once again, thanks for taking the time to explain this and making me understand this whole configuration in the best possible way.
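The hub-centralised layout from points 2 and 3 (one Private Link zone in the Hub, linked to the Hub VNet only, and every Spoke switched to Custom DNS pointing at the forwarders), written out with the Az PowerShell module. This is an added example, not code from the thread or from Microsoft; the resource group names, VNet names and forwarder IP addresses are placeholders.

```powershell
# Added example (not from the thread): centralise the Private Link DNS zone in the Hub
# and point Spoke VNets at the Hub DNS forwarders. All names and IPs are placeholders.
$hubRg        = 'rg-hub'                        # placeholder: Hub resource group
$hubVnetName  = 'vnet-hub'                      # placeholder: Hub VNet (hosts VPN GW + forwarders)
$spokes       = @(                              # placeholder: Spoke VNets peered to the Hub
    @{ Rg = 'rg-spoke1'; Name = 'vnet-spoke1' },
    @{ Rg = 'rg-spoke2'; Name = 'vnet-spoke2' }
)
$forwarderIps = @('10.0.1.4', '10.0.1.5')       # placeholder: the two DNS forwarder VMs in the Hub
$zoneName     = 'privatelink.blob.core.windows.net'

# 1) Provision the Private Link zone exactly once, in the Hub.
$zone = Get-AzPrivateDnsZone -ResourceGroupName $hubRg -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    $zone = New-AzPrivateDnsZone -ResourceGroupName $hubRg -Name $zoneName
}

# 2) Link the zone to the Hub VNet only. The forwarder VMs live there, so that is the one
#    VNet whose Azure-provided resolver has to see the zone. Registration stays off:
#    this zone only ever holds the records created by private endpoints.
$hubVnet  = Get-AzVirtualNetwork -ResourceGroupName $hubRg -Name $hubVnetName
$linkName = "link-$hubVnetName"
$link = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $hubRg -ZoneName $zoneName `
            -Name $linkName -ErrorAction SilentlyContinue
if (-not $link) {
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $hubRg -ZoneName $zoneName `
        -Name $linkName -VirtualNetworkId $hubVnet.Id -EnableRegistration:$false | Out-Null
}

# 3) Switch every Spoke VNet to 'Custom DNS' pointing at the forwarders. With custom DNS in
#    place a zone link on the Spoke itself would be ignored, so none is created here.
foreach ($s in $spokes) {
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $s.Rg -Name $s.Name
    $vnet.DhcpOptions.DnsServers = $forwarderIps
    Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
    Write-Host "$($s.Name): custom DNS servers set to $($forwarderIps -join ', ')"
}
```

VMs already running in the Spokes pick up the new DNS servers at their next DHCP lease renewal (a restart forces it), so a resolution check from a Spoke VM right after this script may still show the old resolver.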
- sc2317, Jan 10, 2022 (Copper Contributor)
Hi David,
While implementing the configuration, I came across one more setting that raises doubt.
Let's say I implement the solution with DNS forwarders (not AD-integrated) in an Azure VNet and a private endpoint in the same VNet, linked to the private DNS zone "privatelink.blob.core.windows.net". I assume everything will work with respect to the private endpoint. However, I am not sure what I should do about the following:
1) What DNS suffix should I use for the DNS forwarders in Azure? Should I leave it at the default?
2) What DNS servers should I use on the VNet? Should I leave it at the default or use the on-premises DNS, as the application on-premises will use this private endpoint?
- pazdedav, Jan 10, 2022 (MVP)
Hello,
If apart from enabling Private Endpoints you also want to enable cross-premises DNS resolution (being able to resolve Private DNS zones from on-prem / retrieve private endpoint IP addresses as well as resolving on-prem hosted DNS zones from Azure), this is what you should do:
- Your "Spoke VNets" (peered to the Hub, where you host VPN Gateway, DNS Forwarders and Private DNS zones) should be configured with 'Custom DNS' option (and not the 'Azure-provided' default) and point to those two DNS Forwarders VMs you host in the Hub. In this way, your Azure resources in Spokes can resolve both Azure Private zones and on-prem DNS zones.
- Your DNS forwarders should have a DNS "role", where you configure Conditional forwarding for your on-premises zones, pointing to your on-prem DNS servers, authoritative for those zones. You need to make sure that those Forwarders can reach your DNS servers (e.g., firewall restrictions, routing).
- In order to resolve Azure Private DNS zones from on-prem, your DNS servers need to be configured with Conditional forwarding, where for 'blob.core.windows.net' zone queries you point to those DNS Forwarders in the Hub (using IP addresses). Obviously, when you want to leverage other Private Endpoints, e.g., Azure SQL Database, you will add the respective zone to conditional forwarding and create a new private DNS zone in the Hub for that service.
- I don't think that the configuration of DNS suffixes on the Forwarders matters. You will be referring to them using IP addresses in the configuration.
Let me know, if you have more questions.
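The two conditional-forwarding sides described above (forwarders in the Hub forwarding on-prem zones to on-prem DNS, on-prem DNS forwarding 'blob.core.windows.net' to the Hub forwarders), plus the check a practitioner wants afterwards: does a query from on-prem actually come back with the private endpoint's address, or with the public one? This is an added example, not code from the thread, written for the Windows Server DNS role with the DnsServer module. The IP addresses, the on-prem zone name, the Hub VNet address range and the storage account name are placeholders; `Test-PrivateEndpointResolution` and `Test-IpInCidr` are helper functions defined here, not built-in cmdlets.

```powershell
# Added example (not from the thread): conditional forwarding on both sides and a
# resolution check. Uses the Windows 'DnsServer' module. All values below are placeholders.
$azureForwarders = @('10.0.1.4', '10.0.1.5')          # placeholder: DNS forwarder VMs in the Hub
$onPremDns       = @('192.168.10.10', '192.168.10.11') # placeholder: on-prem authoritative DNS
$onPremZone      = 'corp.example'                      # placeholder: zone hosted on-prem
$hubVnetCidr     = '10.0.0.0/16'                       # placeholder: Hub VNet range (PE NIC lives here)
$storageFqdn     = 'mystorage.blob.core.windows.net'   # placeholder storage account name

# --- Run on the Azure DNS forwarder VMs (non-AD-integrated, so no -ReplicationScope) ---
# a) On-prem zones are answered by the on-prem DNS servers ...
Add-DnsServerConditionalForwarderZone -Name $onPremZone -MasterServers $onPremDns
# b) ... and everything else, including privatelink.* zones linked to the Hub VNet, goes to
#    Azure's recursive resolver (168.63.129.16). Without this default forwarder the
#    Private DNS zone is never consulted and the forwarders return public addresses.
Set-DnsServerForwarder -IPAddress 168.63.129.16

# --- Run on the on-prem DNS servers ---
# Forward the *public* zone. The storage FQDN is a CNAME into privatelink.blob.core.windows.net,
# and only the Hub forwarders can resolve that second hop to the private IP.
Add-DnsServerConditionalForwarderZone -Name 'blob.core.windows.net' -MasterServers $azureForwarders

# --- Verification helpers (defined here, not built-in) ---
function Test-IpInCidr {
    # True when $Ip falls inside the IPv4 range $Cidr (e.g. 10.0.0.0/16).
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $ipInt  = [BitConverter]::ToUInt32(([System.Net.IPAddress]$Ip).GetAddressBytes()[3..0], 0)
    $netInt = [BitConverter]::ToUInt32(([System.Net.IPAddress]$net).GetAddressBytes()[3..0], 0)
    $mask   = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Test-PrivateEndpointResolution {
    # Asks a specific resolver for the storage FQDN and reports whether the CNAME chain
    # landed in the privatelink zone and whether the A record is inside the Hub VNet.
    param([string]$Fqdn, [string]$Server, [string]$ExpectedCidr)
    $records = Resolve-DnsName -Name $Fqdn -Server $Server -Type A -DnsOnly
    $cname   = ($records | Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost
    $ip      = ($records | Where-Object Type -eq 'A'     | Select-Object -First 1).IPAddress
    [pscustomobject]@{
        Resolver       = $Server
        Fqdn           = $Fqdn
        Cname          = $cname
        Address        = $ip
        ViaPrivateLink = ($cname -like '*.privatelink.blob.core.windows.net')
        InHubVnet      = ($ip -and (Test-IpInCidr -Ip $ip -Cidr $ExpectedCidr))
    }
}

# From an on-prem client, ask the on-prem resolver. Both flags should be True once the
# conditional forwarders are in place; a public IP here means the query leaked to public DNS.
Test-PrivateEndpointResolution -Fqdn $storageFqdn -Server $onPremDns[0] -ExpectedCidr $hubVnetCidr |
    Format-List
```

Running the same function against a public resolver gives a useful baseline: the CNAME still points into the privatelink zone, but the A record is a public address, which is exactly the difference the conditional forwarder is there to make.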
- sc2317, Jan 11, 2022 (Copper Contributor)
Hi David,
That's again a perfect explanation. Your first and last points explain what I was looking for. Now, one last question: how do I allow my on-premises resources to access the storage account (no public access) over the private endpoint? Do I only have to allow the VNet (with the VPN Gateway connection to on-premises) on the storage account, or do I need to allow the public IP of my VPN device?