Azure Private Link has been around for a year and a half now and I was quite excited for this feature when Microsoft announced it. It made my life a whole lot easier to comply with my security department and I’m happy to see more and more PaaS services are supported through Azure Private Link.
Azure Private Link connects your PaaS service such as SQL Server, Storage account or KeyVault to your subnet and gets a private IP for it. It uses a resource called private endpoint to accomplish this. In addition to this resource you will need to configure your DNS environment so your resources can resolve the private endpoint. I struggled a bit in the beginning to get the DNS working as it should, so I thought I would explain a bit how my setup got everything working nicely. In this case I assume a hybrid environment that consists of Domain Controllers/DNS servers on-premises and within Azure as seen in most enterprises nowadays.
Private Endpoint
When creating a resource like a storage account with the default settings, the endpoint will resolve to a public IP.
This could open up the storage account to be publicly available from the internet. A serious security threat. You could only allow specific virtual networks within Azure and work with service endpoints but for my case this was not enough. First you could not reach the resource from your on-premises network and secondly the traffic within Azure will travel through the Azure backbone. In most enterprise environments I’ve seen, the Hub&Spoke architecture is in place and the security department would like to route all traffic through some firewall appliance.
Storage account publicly available!
When a private endpoint has been configured for the resource above, you’ll get a result like this:
Azure adds another CNAME record to the dedicated FQDN of the private endpoint. Still the IP address is a public IP. To resolve the FQDN to the private IP of the private endpoint, we will need to configure the DNS.
Creating the Private Endpoint will also get you a extra NIC that get’s attached to the resource.
DNS
For resources accessing a private endpoint from a virtual network in Azure or from a on-premises network, we will need to use a DNS forwarder to resolve the Azure service public DNS zone deployed in Azure. In this case this would be a Domain Controller connected to our virtual network. This DNS forwarder is responsible for resolving all the DNS queries via a server-level forwarder to the Azure-provided DNS service 168.63.129.16.
Make sure these zones are not Active Directory integrated or else these will replicate to the on-premises Domain Controllers/DNS servers and we don’t want that. You will need to consult the Microsoft documentation for the correct naming of the zones:
Azure Private Endpoint DNS configuration | Microsoft Docs
Below are the DNS zones for the on-premises DNS servers. The conditional forwarder will point to the DNS servers that are located within Azure.
With this configuration the on-premises DNS servers will forward the queries to the DNS server within Azure and this server will forward it again to the Azure provided DNS-service 168.63.129.16
This service will check the Private DNS zones configured in the virtual network where the DNS server resides.
Azure Private DNS zones linked to the virtual network of the Domain Controller/DNS server.
Following this configuration we finally can reach the server over it’s private IP from the on-premises environment as well as within the Azure environment. By using a User-Defined Route table on the subnet where the private endpoint is connected, we can route all traffic through our firewalls.
Nice article Vincent. Very informative!
Amazing things here. I’m very happy to see your article.
Thank you so much and I’m taking a look ahead to contact you.
Will you kindly drop me a e-mail?
Fine way of explaining, and fastidious post to obtain information concerning my presentation subject matter, which i am going to convey in university.
Thank you a lot for sharing this with all folks you actually know what you are speaking about!
Bookmarked. Kindly additionally talk over with my site =).
We may have a hyperlink alternate contract between us
SclnLAVdqpQCJF
Hi are using WordPress for your site platform? I’m new to the blog world but
I’m trying to get started and set up my own. Do you require any coding expertise
to make your own blog? Any help would be really appreciated!
Bel article, je l’ai partagĂ© avec mes amis.
You could certainly see your skills in the article you write.
The arena hopes for more passionate writers such as you who aren’t afraid to say how
they believe. Always follow your heart.
JIyWzTtxVnde
HsuFnZbUkeqQAE
okifNAqSTBab
kmKtxqjwASE
oJNnSgYiWtZM
RBMYqSakPK
TSMFRhglaWEGnZV
PowcSUnWCgRiGp
yseLurZniaBRcPo
PgOoClIfmevy
ALHpNxWfEB
oKLtAuRQmqrvGyDl
HKhWEfIMQJFtG
sLwMQZeBGcaVjh