Unable to use Azure Private Endpoints with On-Prem DNS server!!

So, I have come across a use case where I want to use a Private endpoint for Azure Database Service like SQL and would need to connect to DB from an on-prem VM which is pointing to my on-prem DNS server.

* You already have connectivity to on-prem from Azure networK VIA Express route or VPN

Problem Statement

Once you use a custom DNS server and try to use Private Endpoints for Azure services like (SQL DB, PostgresDB, ACR, Blob, etc.). You will not be able to connect to the required service with private IP as your custom DNS won’t be able to resolve the endpoint DNS name to it’s associated private IP address hence failing the whole purpose of using private endpoints.

Solution

You need to set up your infrastructure to make this happen. Below are the steps:

  1. Create a DNS forwarder VM in Azure and configure it to forward all queries to the Azure default DNS server.
  2. Setup conditional forwarding under your on-prem DNS server to forward specific domain queries to the forwarder servers created under step 1.
    •  Conditional Forwarding should be made to the public DNS zone forwarder. E.g. database.windows.net instead of privatelink.database.windows.net
  3. Create Private DNS Zone for endpoint domain name in the same VNet and create an A record with Private endpoint information (FQDN record name and private IP address)
    • The Private DNS zone is the resource with which the Azure DNS server consults with to resolve the DB FQDN to its endpoint private IP address.

** Important point to know is Azure doesn’t allow access to its default DNS server (169.63.129.16) from any server outside Azure. This is the only reason we need to create a forwarder server in Azure.

On-premises forwarding to Azure DNS
Architecture for using On-Prem DNS to resolve Azure Private Endpoint

Leave a Reply