Forum Discussion
Private Endpoint to Azure Blob Storage from On-Premise
- Jan 03, 2022
Hi sc2317,
I was on holidays from 20th December, so I couldn't respond earlier.
ad 1) in a scenario where your on-prem DNS zone is not AD-integrated DNS (hosted on domain controllers), then it is correct you need to set up a conditional forwarding rule on your DNS Forwarders in Azure for those zones, otherwise your Azure VMs and other resources won't be able to resolve those names. Of course, you also need to make sure that DNS traffic from the forwarders to your on-prem is not blocked by a firewall.
ad 2) again, if your on-prem DNS is AD-integrated, the simplest solution is to extend your on-prem AD to Azure, where you can set up one or several replica domain controllers on Azure VMs. Those DCs can become your DNS Forwarders, able to resolve on-prem zones as well as Azure Private DNS zones. If your on-prem DNS is not hosted on Windows Servers (let's say you use BIND), your DNS Forwarders on Azure could be anything. I've seen a minimalistic Linux distro configured with DNS forwarding for that purpose. You might be able to use a standalone Windows Server with the DNS server role as well (I haven't seen this scenario in practice).
ad 3) It is definitely a recommended practice to centralize this configuration and both provision all Private Link DNS zones in a Hub subscription and link those zones with Hub VNets. Since your Spoke VNets need to be configured with Custom DNS pointing to your DNS Forwarders in the Hub, any links between Spoke VNets and DNS zones will be ignored!
That's again a perfect explanation. Your first and last points explain what I was looking for. Now, one last question: how do I allow my on-premise resources to access a storage account (no public access) over a private endpoint? Do I only have to allow the VNET (with VPN Gateway connection to on-premise) on the storage account, or do I need to allow the public IP of my VPN device?
Great question 🙂
So, the beauty of Private Endpoints is that they are enabled inside your VNets, meaning IP ranges you choose and control. If you build cross-premises connectivity - either a S2S VPN or ExpressRoute - those Azure VNet prefixes will be advertised to your on-prem network. If you configure name resolution correctly, it should work automatically:
- any DNS query to blob.core.windows.net domain (the one from your example, let's assume you configured forwarding for this domain in your on-prem DNS servers) would resolve to a private IP address that was assigned in Azure VNet to that private endpoint.
- your on-prem router / VPN gateway will route this traffic to Azure, where it should reach the correct VNet and IP (network card) and through Private Link it would get to the storage account.
- the response would follow the same path back
Private Endpoints allow you to build this connectivity to Azure PaaS services without a need to use public IP addresses for those services. You can't remove those public endpoints but you could configure IP filtering in the storage account configuration to block any traffic from the Internet, effectively disabling that public endpoint. Eventually, you could enable only some source IP prefixes.
You don't need to allow VNet(s) on the storage account, since this configuration is related to Service Endpoints, which is a different capability (works only on Azure, not from on-prem).
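A check an on-prem admin can run against the resolution path described above, added here as an example that is not part of this thread: it takes a DNS answer chain (constructed below; a real one would come from dig or Resolve-DnsName) plus the VNet prefixes, and reports whether the storage name lands on the private endpoint or falls back to the public endpoint. The account name, VNet range, region name and IP addresses are assumed placeholders.

```python
import ipaddress

# Constructed sample answers (not real accounts or addresses): what an on-prem
# client sees for a storage account name depending on where the query goes.
VNET_PREFIXES = ["10.20.0.0/16"]  # assumed address space of the Azure VNet holding the endpoint

# Answer chain when on-prem DNS forwards blob.core.windows.net to the Azure DNS forwarders
PRIVATE_CHAIN = [
    ("mystorage.blob.core.windows.net", "CNAME", "mystorage.privatelink.blob.core.windows.net"),
    ("mystorage.privatelink.blob.core.windows.net", "A", "10.20.1.4"),
]
# Answer chain when the query leaks to public DNS: the privatelink name is a CNAME onward
# and the final A record is a public address (TEST-NET placeholder here)
PUBLIC_CHAIN = [
    ("mystorage.blob.core.windows.net", "CNAME", "mystorage.privatelink.blob.core.windows.net"),
    ("mystorage.privatelink.blob.core.windows.net", "CNAME", "blob.exampleregion.store.core.windows.net"),
    ("blob.exampleregion.store.core.windows.net", "A", "203.0.113.10"),
]


def classify_resolution(chain, vnet_prefixes):
    """Classify a DNS answer chain [(owner, rtype, rdata), ...] for a Private Link name.

    Returns (verdict, detail) where verdict is one of:
      'private'    - final address lies inside the VNet; traffic rides the VPN/ExpressRoute
      'public'     - final address is outside the VNet; client would hit the public endpoint
      'unresolved' - no address record in the answer
    """
    nets = [ipaddress.ip_network(p) for p in vnet_prefixes]
    addrs = [ipaddress.ip_address(rdata) for _, rtype, rdata in chain if rtype in ("A", "AAAA")]
    if not addrs:
        return "unresolved", "no A/AAAA record in answer"
    saw_privatelink = any(".privatelink." in owner for owner, _, _ in chain)
    outside = [str(a) for a in addrs if not any(a in n for n in nets)]
    if outside:
        hint = "privatelink CNAME seen but answered from public DNS" if saw_privatelink else "no privatelink CNAME"
        return "public", f"{', '.join(outside)} not in VNet prefixes ({hint})"
    return "private", f"{', '.join(str(a) for a in addrs)} inside VNet"


def check_all():
    """Classify both constructed chains; used by the stand-alone run below."""
    return {name: classify_resolution(c, VNET_PREFIXES)
            for name, c in (("forwarded", PRIVATE_CHAIN), ("leaked", PUBLIC_CHAIN))}


if __name__ == "__main__":
    for name, (verdict, detail) in check_all().items():
        print(f"{name:9s} -> {verdict}: {detail}")
```

A "public" verdict means the on-prem forwarding rule is missing or bypassed, so the client would try the public endpoint that the storage account firewall is meant to block.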
- sc2317, Jan 11, 2022, Copper Contributor
Perfect, many thanks 🙂