How to integrate Azure private endpoint with DNS for the best practice?

Today’s blog will discuss using Azure private endpoints with DNS for name resolution. This article provides a detailed guide on how to resolve the private IP address of the private endpoint and how to configure and use your DNS settings. Please visit my earlier blog post to learn more about Azure Private endpoints and their benefits.

The private endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network. The service can be an Azure PaaS service such as Azure Storage, Azure Cosmos DB, Azure SQL, etc. By default, the fully qualified domain name (FQDN) of the service behind the private endpoint still resolves to its public IP address. To make clients resolve the private IP address of the private endpoint instead, you need to change your DNS configuration.

There are a few different methods available for DNS configurations:

  • The workload resolves the private endpoint through an Azure Private DNS zone that is linked to its virtual network (a virtual network link).
  • The workload resolves the private endpoint through Azure DNS Private Resolver.

Let’s dive deep into each method to understand the patterns and best practices.

This configuration is suitable for virtual network workloads that do not require a custom DNS server. In this scenario, the client sends its query for the private endpoint’s FQDN to the Azure-provided DNS service at 168.63.129.16, and Azure DNS answers it from the private DNS zone linked to the virtual network.

This configuration can also be used with peered virtual networks, which requires linking the private DNS zone to each peered virtual network that needs to resolve the private endpoint.

I have set up the following resources in my Azure subscription for the demo, to make it easier to follow. I have a client virtual machine and a storage account in the subscription. The virtual machine is created in a virtual network, and the storage account is set up with a private endpoint on the same VNet. Creating the private endpoint also created a private DNS zone, which is linked to the same virtual network.

The diagram below illustrates the DNS sequence tasks from the client’s virtual machine to the private endpoint using Private DNS in a single Virtual network.

Azure Private Endpoint in a single Virtual network with no On-Prem

The screenshot below shows the client’s VM IP address and DNS resolution for the Azure storage account with the private endpoint.

  • This configuration requires a single private DNS zone per service type.
  • If you’re using a private endpoint in a hub-and-spoke model, whether from a different subscription or within the same subscription, link the same private DNS zone to the hub and to every spoke virtual network that contains clients needing DNS resolution from that zone.
  • This configuration does not resolve the private endpoint for workloads on the on-premises network that is extended into Azure with ExpressRoute.

The diagram below illustrates the DNS sequence tasks from the client’s virtual machine to the private endpoint using Private DNS in a Peered Virtual network.

Azure Private Endpoint in a Hub & Spoke Virtual Network with no On-Prem

This setup is suited to an organization that runs on-premises workloads with its own DNS servers. Azure DNS Private Resolver connects on-premises DNS namespaces with private DNS zones hosted in Azure DNS, eliminating the need to deploy custom DNS servers on virtual machines. It allows you to resolve DNS queries coming from on-premises networks and to conditionally forward queries for on-premises DNS zones back to on-premises servers.

When accessing workloads from virtual and on-premises networks via a private endpoint, use Azure Private Resolver to resolve the Azure private endpoint service. Here’s a scenario involving on-premises and virtual Azure networks, both accessing the private endpoint in a shared hub network. The private resolver is responsible for resolving all DNS queries using the Azure-provided DNS service at IP address 168.63.129.16.

The diagram below illustrates the DNS sequence from the on-premises client to the private endpoint using Azure DNS Private Resolver in the Azure hub virtual network.

Azure Private Endpoint in a Hub & Spoke Virtual Network with On-Prem Workloads

The DNS resolution process starts when an on-premises server queries the FQDN of the service behind the private endpoint; the query goes to the on-premises DNS servers. The on-premises DNS servers have a conditional forwarder for blob.core.windows.net pointing to the Azure DNS Private Resolver inbound endpoint (10.0.0.8) hosted in the hub VNet. The private resolver sends the query to the Azure-provided DNS, which answers from the linked private DNS zone with the private IP address of the private endpoint.

  • The on-premises DNS servers have conditional forwarders configured for each private endpoint public DNS zone (for example blob.core.windows.net), pointing to the Private DNS Resolver inbound endpoint hosted in the hub VNet.
  • The hub VNet must be linked to the private DNS zones (privatelink.*) of the Azure services being resolved, so that the resolver can answer from them.
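Both methods described above (the linked private DNS zone in a single or peered VNet, and the private resolver with on-premises conditional forwarders) have the same success condition: the service FQDN must follow a CNAME into the privatelink zone and end at a private IP address. If the zone is not linked to the client’s VNet, or the on-premises forwarder is missing, public DNS wins and the client gets the public IP. The script below is an added example, not part of the original post: it walks a resolver’s answer chain and classifies the result, and it also lists the conditional forwarders the on-premises DNS servers need for a set of FQDNs. The resolver answers, the storage account name `demostorage`, the IPs other than 168.63.129.16 and 10.0.0.8, and the `store.core.windows.net` name are all constructed so the script runs offline; the public-zone to privatelink-zone mapping covers only the three services the post names.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Public DNS zone -> private DNS zone that a private endpoint registers into.
# Only the services named in the post are listed; extend as needed.
PRIVATE_ZONES: Dict[str, str] = {
    "blob.core.windows.net": "privatelink.blob.core.windows.net",   # Azure Storage (blob)
    "database.windows.net": "privatelink.database.windows.net",     # Azure SQL
    "documents.azure.com": "privatelink.documents.azure.com",       # Azure Cosmos DB
}

AZURE_DNS = "168.63.129.16"          # Azure-provided DNS, from the post
RESOLVER_INBOUND_IP = "10.0.0.8"     # private resolver inbound endpoint, from the post

# A resolver answer set: name -> (record type, value). Constructed for the example;
# in practice this would be filled from dig/nslookup output or a DNS library.
Answers = Dict[str, Tuple[str, str]]


def zones_for(fqdn: str) -> Tuple[str, str, str]:
    """Return (public_zone, private_zone, expected privatelink CNAME) for a service FQDN."""
    for public_zone, private_zone in PRIVATE_ZONES.items():
        if fqdn.endswith("." + public_zone):
            host = fqdn[: -len(public_zone) - 1]
            return public_zone, private_zone, f"{host}.{private_zone}"
    raise ValueError(f"no private DNS zone mapping known for {fqdn}")


def follow_chain(fqdn: str, answers: Answers, max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Follow CNAMEs from fqdn until an A record; return (names visited, IP or None)."""
    chain, name = [fqdn], fqdn
    for _ in range(max_hops):
        rtype, value = answers.get(name, ("NXDOMAIN", ""))
        if rtype == "A":
            return chain, value
        if rtype != "CNAME":
            return chain, None
        name = value
        chain.append(name)
    return chain, None  # CNAME loop or chain too long


def check_private_endpoint(fqdn: str, answers: Answers) -> Dict[str, object]:
    """Classify what a client actually gets when it resolves a private endpoint FQDN."""
    _, _, expected_cname = zones_for(fqdn)
    chain, ip = follow_chain(fqdn, answers)
    if ip is None:
        status = "unresolved"                       # no A record reachable
    elif not ipaddress.ip_address(ip).is_private:
        status = "public-ip"                        # zone not linked / forwarder missing
    elif expected_cname in chain:
        status = "private-ok"                       # CNAME into privatelink zone, private A
    else:
        status = "private-no-cname"                 # private IP via some hand-made override
    return {"status": status, "chain": chain, "ip": ip}


def onprem_forwarders(fqdns: List[str], resolver_ip: str = RESOLVER_INBOUND_IP) -> List[Tuple[str, str]]:
    """Conditional forwarders the on-premises DNS servers need: one per public zone."""
    zones = sorted({zones_for(f)[0] for f in fqdns})
    return [(zone, resolver_ip) for zone in zones]


# Constructed answers as seen from a VM in a VNet linked to the private zone.
LINKED_VNET: Answers = {
    "demostorage.blob.core.windows.net": ("CNAME", "demostorage.privatelink.blob.core.windows.net"),
    "demostorage.privatelink.blob.core.windows.net": ("A", "10.1.0.5"),
}

# Constructed answers from a client with no zone link and no forwarder: public DNS answers,
# so the privatelink name continues to a public storage cluster name and a public IP.
UNLINKED: Answers = {
    "demostorage.blob.core.windows.net": ("CNAME", "demostorage.privatelink.blob.core.windows.net"),
    "demostorage.privatelink.blob.core.windows.net": ("CNAME", "blob.example-cluster.store.core.windows.net"),
    "blob.example-cluster.store.core.windows.net": ("A", "20.60.0.1"),  # placeholder public IP
}

if __name__ == "__main__":
    name = "demostorage.blob.core.windows.net"
    for label, answers in (("linked VNet", LINKED_VNET), ("unlinked client", UNLINKED)):
        result = check_private_endpoint(name, answers)
        print(f"{label:15} {result['status']:18} {' -> '.join(result['chain'])} => {result['ip']}")
    for zone, target in onprem_forwarders([name, "demosql.database.windows.net"]):
        print(f"on-prem conditional forwarder: {zone} -> {target}")
```

Run it against real `dig` output by filling the answer dictionary from the records returned; a `public-ip` result from a VNet means the privatelink zone is not linked to that VNet, and the same result from on-premises means the conditional forwarder for that public zone is missing or not pointing at the resolver inbound endpoint.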