Azure_private_endpoint

Playing with a private endpoint in Azure

I had some trouble with a private endpoint earlier this week, so I decided to try to figure out why. The problem was that the private endpoint did not resolve to a private IP address in Azure. The solution was quite easy: the virtual network where the resources are needs to use Azure DNS, or else you will need a DNS resolver that can resolve the private endpoint to its private IP.

My test setup has the following Azure resources:

  • Virtual Machine
  • Virtual network
  • Public IP address
  • Disk
  • Network Interface
  • Network Interface
  • Network Security Group
  • Private Endpoint - linked to the storage account
  • Private DNS Zone
  • Storage Account - A blob is created in the storage account. Public access to blobs is turned off and public network access is set to disabled. Connecting using a shared key.

First test with Azure DNS on the virtual network

In this first test I leave the DNS configuration on the vnet I created at the default, which means the vnet uses the Azure-provided DNS.

I log into the virtual machine in Azure and run the following command:

nslookup satestrhnor.blob.core.windows.net

(screenshot: nslookup output from the Azure VM, showing a private IP address)

I can see that the storage account resolves to a private IP address. I can now connect to the blob using, for example, Azure Storage Explorer. If I try to run the same command from my local Windows machine I get this result:

(screenshot: nslookup output from the local Windows machine)

From my local machine, the IP address is one of the public IPs that Azure Storage Accounts use. I am not able to connect to the storage blob from my local machine. This is the error message I got:

This request is not authorized to perform this operation.

This storage account's 'Firewalls & virtual networks' settings may be blocking access to storage services. 
Try adding your client IP address to the firewall exceptions, or by allowing access from 'all networks' 
instead of 'selected networks'. To learn more about Azure Storage firewalls and virtual networks, 
visit http://go.microsoft.com/fwlink/?LinkId=845443.
.....

Second test with 8.8.8.8 as DNS on the virtual network

Now I change the vnet DNS to 8.8.8.8. You may need to restart the virtual machine or flush its DNS cache before the new DNS setting takes effect.

(screenshot: vnet DNS server setting changed to 8.8.8.8)

If I now run nslookup from my virtual machine in Azure, I get this:

(screenshot: nslookup output from the Azure VM with 8.8.8.8 as DNS)

And I am not able to connect to the storage blob.

Conclusion

If a private endpoint is used in Azure, either use Azure DNS on the vnet or, if you are using custom DNS on the vnet, configure a DNS resolver that can resolve the private endpoint name to its private IP.
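As an added example that is not part of the original post, here is a small Python check that parses Windows-style nslookup output like the screenshots above and tells the two cases apart: an answer inside an RFC1918 range means the private endpoint resolved, while an answer that went through the privatelink CNAME but still came back as a public IP is the failing case (custom DNS such as 8.8.8.8, or a machine outside Azure). The account name satestrhnor is taken from the post; the sample outputs, the 10.0.0.5 and 203.0.113.10 addresses and the store.core.windows.net canonical name are constructed, and 168.63.129.16 is the Azure-provided DNS address.

```python
import ipaddress
import re
# A private endpoint re-points <account>.blob.core.windows.net via <account>.privatelink.blob.core.windows.net
PRIVATELINK_SUFFIX = ".privatelink.blob.core.windows.net"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample: nslookup on the Azure VM while the vnet uses Azure-provided DNS (168.63.129.16)
VM_AZURE_DNS = """\
Server:  UnKnown
Address:  168.63.129.16
Name:    satestrhnor.privatelink.blob.core.windows.net
Address:  10.0.0.5
Aliases:  satestrhnor.blob.core.windows.net
"""
# Constructed sample: same query with the vnet DNS set to 8.8.8.8 (or from a machine outside Azure)
VM_GOOGLE_DNS = """\
Server:  dns.google
Address:  8.8.8.8
Name:    blob.example-cluster.store.core.windows.net
Address:  203.0.113.10
Aliases:  satestrhnor.blob.core.windows.net
          satestrhnor.privatelink.blob.core.windows.net
"""

def parse_nslookup(output: str) -> dict:
    """Pull canonical name, aliases and answer addresses out of Windows-style nslookup output."""
    name, aliases, addresses, section = None, [], [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"(Name|Address(?:es)?|Aliases):\s*(.*)", line)
        if m:
            section, value = m.group(1), m.group(2).strip()
            if section == "Name":
                name, addresses = value, []  # "Address:" before "Name:" is the DNS server, not the answer
            elif value:
                (aliases if section == "Aliases" else addresses).append(value)
        elif line and section in ("Addresses", "Aliases"):
            (aliases if section == "Aliases" else addresses).append(line)  # indented continuation line
    return {"name": name, "aliases": aliases, "addresses": addresses}

def classify_nslookup(output: str) -> str:
    """'private-endpoint': an RFC1918 answer. 'privatelink-not-resolved': the resolver followed the
    privatelink CNAME but returned a public IP (the failing case in the post). Otherwise 'public'."""
    parsed = parse_nslookup(output)
    names = [parsed["name"] or ""] + parsed["aliases"]
    v4 = [ipaddress.ip_address(a) for a in parsed["addresses"] if ":" not in a]
    if any(a in net for a in v4 for net in RFC1918):
        return "private-endpoint"
    if any(n.lower().endswith(PRIVATELINK_SUFFIX) for n in names):
        return "privatelink-not-resolved"
    return "public"
```

Paste the real nslookup output from the VM into classify_nslookup to check whether the vnet's resolver is actually answering from the private DNS zone.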

The article "Storage Private Endpoint - The DNS changes for private endpoints" explains how DNS works for private endpoints.