Forum Discussion

Jamesdld
Brass Contributor
Mar 31, 2020
Solved

-- Microsoft Azure Storage Explorer || Private Endpoints on ADLS Gen2 --

I have provided access to my ADLS Gen2 through ACL.

My users have at least the r-x ACL on the filesystem and on the subfolders or files they need access to.

From home office (through VPN) and using the client (MASE) "Microsoft Azure Storage Explorer":

  1. When the public IP of the users is whitelisted, the MASE client (Microsoft Azure Storage Explorer) can access the ADLS storage account.
  2. When using Private Endpoints (tried 'dfs' and 'blob') I got the following error:
  • I just understood and solved my issue; it was all about DNS resolution. Adding some explanation below.

    The need:

    End users need to connect to PaaS services from home through VPN or from on-premises private networks through their private endpoint IPs (https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview#dns-configuration).

    Overview of the solution:

    Forward DNS requests to a DNS VM proxy located on Azure.

    The DNS VM proxy is in a vnet that has a link with your Azure private DNS zones hosting the private endpoint DNS configuration (https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview#dns-configuration).

    Detail of the solution:

    1. Create the Azure private DNS zone (https://docs.microsoft.com/en-us/azure/dns/private-dns-overview) “privatelink.blob.core.windows.net” with the DNS A record “mystoragename.privatelink.blob.core.windows.net” that returns the IP of my Storage Account's private endpoint.
    2. Use a VM DNS proxy; this VM's vNet is linked to the above-mentioned Azure private DNS zone. This DNS VM forwards DNS requests to the Azure DNS IP 168.63.129.16 (https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16).
      • Here, a solution could be to use Azure AD Domain Services (https://azure.microsoft.com/en-us/services/active-directory-ds/) as the DNS proxy; it's natively configured to forward DNS requests to 168.63.129.16.
    3. Use a DNS conditional forwarder on the on-premises DNS servers to forward DNS requests for the DNS zone “mystoragename.blob.core.windows.net” to the DNS proxy on Azure (in my context, to the 2 private IPs of my Azure AD DS service).

    Feature request:

    A feature request has been published (https://feedback.azure.com/forums/34192--general-feedback/suggestions/39697135-simplify-private-endpoint-dns-resolution-from-on-p) to simplify Private Endpoint DNS resolution from on-premises.
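As an added example (not from this thread or from Microsoft), a small shell check that the account's blob or dfs hostname resolves through the privatelink CNAME to a private IP, which is what the conditional forwarder, DNS proxy and private zone described above must produce; the storage account name "mystoragename" and the sample dig answers are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that a storage account hostname
# resolves the way the solution above requires: via the privatelink CNAME and
# on to a private (RFC 1918) IP. A public IP at the end means the client is
# still resolving through public DNS and the traffic leaves over the Internet.
# "mystoragename" and the sample answers below are constructed placeholders.
# is_private_ipv4 A.B.C.D: exit 0 if the address is in 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ "$1" = 10 ] && return 0
  [ "$1" = 192 ] && [ "$2" = 168 ] && return 0
  [ "$1" = 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  return 1
}

# check_chain ACCOUNT SUBRESOURCE ANSWERS, where ANSWERS is 'dig +short' output
# (CNAME targets, then the final A record). Prints private, public or
# unresolved; exit status is 0 only for private.
check_chain() {
  expected="$1.privatelink.$2.core.windows.net."
  ip=$(printf '%s\n' "$3" | grep -E '^[0-9]+(\.[0-9]+){3}$' | tail -n 1)
  if [ -z "$ip" ]; then
    echo unresolved; return 1
  fi
  # No privatelink CNAME in the chain: the public zone alone answered.
  if ! printf '%s\n' "$3" | grep -qxF "$expected"; then
    echo public; return 1
  fi
  if is_private_ipv4 "$ip"; then
    echo private; return 0
  fi
  echo public; return 1
}

# Live variant: asks whatever resolver this client actually uses.
check_live() {
  check_chain "$1" "$2" "$(dig +short "$1.$2.core.windows.net")"
}

# Constructed samples: the wanted private path, and the thread's failure mode
# (private endpoint exists but DNS still hands back the public IP).
SAMPLE_PRIVATE='mystoragename.privatelink.blob.core.windows.net.
10.1.2.4'
SAMPLE_PUBLIC='mystoragename.privatelink.blob.core.windows.net.
blob.xyz99prdstr01a.store.core.windows.net.
52.0.0.1'

check_chain mystoragename blob "$SAMPLE_PRIVATE" || :
check_chain mystoragename blob "$SAMPLE_PUBLIC" || :
```

Run `check_live mystoragename dfs` from the VPN client to test the dfs path the same way.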

15 Replies

  • Jamesdld
    Brass Contributor
    As a last chance, I have created a private endpoint for each ID group of Storage Account resources: dfs, web, blob, table, queue and file, but the result is the same: the authentication step goes through the Internet and asks for the user to have the list containers or list account keys privilege. In my ADLS ACL context I just can't give those privileges.
    • RoyWils
      Microsoft

      Jamesdld, I checked on this, and while it appears that Storage Explorer through the Azure portal works as expected with private endpoints, the client tool didn't. I suspect that Azure Storage Explorer uses legacy Blob APIs to enumerate / list contents of storage accounts. I was able to get the Storage Explorer client working (from a machine within the VNET) by creating a private endpoint and private DNS zone for Blob access.

      • Jamesdld
        Brass Contributor

        Hi Roy,

        I confirm that connecting to blob Storage Accounts works fine.

        My issue is connecting to a Storage Account that is enabled for ADLS Gen 2; the target subresources are blob and dfs.

        Can you confirm the issue? It occurs with Private Endpoints when you try to connect with a user that has read and execute ACLs.

        Thank you,

        James