Unable to use Azure Private Endpoints with On-Prem DNS server!!

I have come across a use case where I want to connect Azure Database Service like SQL using Private endpoint and the connectivity is initiated from an on-prem VM which is pointing to my on-prem local DNS server.

* You Should already have connectivity to on-prem from Azure networK VIA Express route or VPN

Problem Statement

You should be having your local on-prem DNS server and when trying to connect to Azure Services using private endpoint you will fail to do so. If your on-prem DNS forward queries to public DNS servers you will get public IP of your Azure Resource and won’t be able to connect to the required service with private IP as your on-prem DNS won’t be able to resolve the endpoint DNS name to it’s associated private IP address hence failing the whole purpose of using private endpoints.

Solution

You need to set up your infrastructure to make this happen. Below are the steps:

  1. Setup conditional forwarding under your on-prem DNS server to forward specific domain queries to the forwarder server created under step 1. 
    • Conditional Forwarding should be made to the public DNS zone forwarder. E.g. database.windows.net instead of privatelink.database.windows.net
  2. Create a DNS forwarder VM in Azure and configure it to forward all queries to the Azure default DNS server
  3. Create Private DNS Zone for endpoint domain name in the same VNet as your Azure DNS forwarder server and create an A record with Private endpoint information (FQDN record name and private IP address)
    • The Private DNS zone is the resource with which the Azure DNS server consults with to resolve the DB FQDN to its endpoint private IP address.

** Important point to know is Azure doesn’t allow access to its default DNS server (169.63.129.16) from any server outside Azure. This is the only reason we need to create a forwarder server in Azure.

On-premises forwarding to Azure DNS
Architecture for using On-Prem DNS to resolve Azure Private Endpoint

Leave a Reply