cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

DNS get private ip from private endpoint

Stefan Kießig
Iron Contributor

‎Mar 27 2021 09:00 AM

‎Mar 27 2021 09:00 AM

DNS get private ip from private endpoint

Hello,

I have 2 pairing connected VLans. One 10.0.0.0/24 and one 10.0.1.0/24.

Azure AD Domain Service is located in VLan 10.0.0.0/24 and is the DNS service for both VLans.
In VLan 10.0.1.0/24, there is a Private Link End Point of a storage account zzz. .file.core.windows.net (10.0.1.5). When I call the storage account I always get the public IP of the storage account.
How can I resolve the internal IP of the storage account via both VLans?

 

Thanks for your supoort

Stefan

2,225 Views
0 Likes
1 Reply
Reply
1 Reply
Parisa_Moosavinezhad

‎May 17 2021 04:54 AM

‎May 17 2021 04:54 AM

Re: DNS get private ip from private endpoint

Hi Stefan,

 

When you are using the Private Endpoint for your Storage Account, you would have a Private DNS Zone (if you want). It's name is like "privatelink.<resource-type>.core.windows.net". If you go the Private DNS Zone resource, you can add the both VNets to this Private DNS Zone. 

 

Parisa_Moosavinezhad_0-1621251882464.png

 

As I had a same scenario in one of my projects, I can share the Terraform code, I developed.

resource "azurerm_resource_group" "example" {
  name     = "${var.projectname}-resources"
  location = "West Europe"
}

# -----------------------------------
# VNET 1
# -----------------------------------
resource "azurerm_virtual_network" "example" {
  name                = "${var.projectname}-vnet1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.3.0.0/16"]
  dns_servers         = ["168.63.129.16"]

}

resource "azurerm_subnet" "exampledefault" {
  name                 = "${var.projectname}-default"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.3.1.0/24"]

}

resource "azurerm_subnet" "exampleprivate" {
  name                 = "${var.projectname}-private"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.3.2.0/24"]
  enforce_private_link_endpoint_network_policies = true

}

# -----------------------------------
# VNET 2
# -----------------------------------
resource "azurerm_virtual_network" "example2" {
  name                = "${var.projectname}-vnet2"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.4.0.0/16"]
  dns_servers         = ["168.63.129.16"]

}

resource "azurerm_subnet" "exampledefault2" {
  name                 = "${var.projectname}-default"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example2.name
  address_prefixes     = ["10.4.1.0/24"]

}


# -----------------------------------
# Storage
# -----------------------------------
resource "azurerm_storage_account" "example" {
  name                     ="${var.projectname}stg"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

}


resource "azurerm_storage_account_network_rules" "network_rule_publisher" {
  depends_on = [
    azurerm_private_endpoint.example
  ]

  resource_group_name  = azurerm_resource_group.example.name
  storage_account_name = azurerm_storage_account.example.name

  default_action             = "Deny"
  ip_rules                   = ["127.0.0.1"]
  bypass                     = []
}


// Azure services DNS zone
// https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration
resource "azurerm_private_dns_zone" "example" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = azurerm_resource_group.example.name
}



resource "azurerm_private_endpoint" "example" {
  name                = "${var.projectname}-privateendpoint"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = azurerm_subnet.exampleprivate.id

  private_service_connection {
    name                           = "${var.projectname}-stg-pe-connection"
    is_manual_connection           = false
    private_connection_resource_id = azurerm_storage_account.example.id
    subresource_names              = ["blob"]
  }

  private_dns_zone_group {
    name                 = azurerm_private_dns_zone.example.name
    private_dns_zone_ids = [azurerm_private_dns_zone.example.id]
  }

}


# connect the Private Zone to the VNet
resource "azurerm_private_dns_zone_virtual_network_link" "example" {
  name                  = "${var.projectname}-vnet2dns-1"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.example.name
  virtual_network_id    = azurerm_virtual_network.example.id
}

resource "azurerm_private_dns_zone_virtual_network_link" "example2" {
  name                  = "${var.projectname}-vnet2dns-2"
  resource_group_name   = azurerm_resource_group.example.name
  private_dns_zone_name = azurerm_private_dns_zone.example.name
  virtual_network_id    = azurerm_virtual_network.example2.id
}


# -----------------------------------
# VM in Vnet1
# -----------------------------------
resource "azurerm_network_interface" "example" {
  name                = "${var.projectname}-nic-1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.exampleprivate.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_windows_virtual_machine" "example" {
  name                = "${var.projectname}-vm-1"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  size                = "Standard_F2"
  admin_username      = "adminuser"
  admin_password      = "P@$$w0rd1234!"
  network_interface_ids = [
    azurerm_network_interface.example.id,
  ]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2016-Datacenter"
    version   = "latest"
  }
}


# -----------------------------------
# VM in Vnet2
# -----------------------------------
resource "azurerm_network_interface" "example2" {
  name                = "${var.projectname}-nic-2"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.exampledefault2.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_windows_virtual_machine" "example2" {
  name                = "${var.projectname}-vm-2"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  size                = "Standard_F2"
  admin_username      = "adminuser"
  admin_password      = "P@$$w0rd1234!"
  network_interface_ids = [
    azurerm_network_interface.example2.id,
  ]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2016-Datacenter"
    version   = "latest"
  }
}



// output "myoutput" {
//   value = azurerm_private_endpoint.example.private_service_connection[0].private_ip_address
// }

// output "dns_id" {
//   value = azurerm_private_dns_zone.example.id
// }

// output "dns_name" {
//   value = azurerm_private_dns_zone.example.name
// }

 

If you don't want the Storage Account be accessible from Internet/ Public Endpoint, you should configure the Storage Account Networking as follows. The code above does the same configuration for the Storage Account.

 

Parisa_Moosavinezhad_1-1621252299951.png

 

 

Regard

Parisa

0 Likes
Reply