Entra Storage Account Private Endpoint Issues

rr-4098 1,701 Reputation points
2025-01-04T19:08:00.7366667+00:00

We have one storage account in Entra and I created a private endpoint, and during the setup I let Entra create the private DNS zone. Our network team has already set up the S2S VPN between Entra and on-prem. On the on-prem DNS server I created a conditional forwarder that points file.core.windows.net to 168.68.129.16. When I do a Resolve-DnsName against the storage account it comes back with the public IP. I am hoping I do not have to create a DNS server in Entra for this. Anyway, even after using a local hosts file to force the device to use the private IP, Test-NetConnection still fails for port 445 for the test share I created.

Any thoughts????

Azure Storage Accounts

Accepted answer
  1. Vinod Kumar Reddy Chilupuri 2,150 Reputation points Microsoft Vendor
    2025-01-06T04:38:54.1566667+00:00

    Hi @rr-4098,

    Welcome to Microsoft Q&A, thanks for posting your query.

    It looks like you are experiencing issues with DNS resolution for your Azure storage account's private endpoint. Here are a few steps to follow that may solve your issue:

    DNS Forwarding: You mentioned above that you created a conditional forwarder on your on-premises DNS server that points file.core.windows.net to 168.68.129.16. However, the correct IP address for Azure private DNS is 168.63.129.16. Please verify that you are using the correct IP address.

    Private DNS Zone: Since you allowed Entra to create the private DNS zone, ensure that the private DNS zone created by Azure is correctly linked to your virtual network (VNet). You can check the private DNS zone for the necessary A and CNAME records that should resolve to the private endpoint's IP address.
    Private DNS zone: https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints#dns-changes-for-private-endpoints

    Testing DNS Resolution: To test whether your setup is correctly configured, you can run the Resolve-DnsName command from your on-premises environment. Ensure that it resolves to the private IP address of the private endpoint.

    Port Connectivity: If you are still facing issues with Test-NetConnection failing for port 445, verify that your network security groups (NSGs) and firewall settings allow traffic on that port. Additionally, check that the private endpoint is correctly configured, and that the storage account is accessible through the private endpoint.

    Local Host File: While using a local host file can force a device to resolve to a private IP, it's generally not recommended for production environments. Instead, focus on ensuring that your DNS configuration is correct.

    If these steps do not resolve your issue, you may need to consider setting up a DNS server within your Azure environment to manage DNS resolution more effectively.
    Configuring DNS forwarding for Azure Files
    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-endpoints?tabs=azure-portal#verify-connectivity
    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-networking-overview#private-endpoints
    Hope the above answer helps! Please let us know if you have any further queries.

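The checks the accepted answer describes (resolve the name through the on-prem DNS server, confirm the answer is the private endpoint's IP, then test port 445, and verify the conditional forwarder target) are collected below into one added PowerShell script. It is not code from the thread or from Microsoft's documentation; the storage account name, the on-prem DNS server address, the DNS server hostname and the expected private IP are placeholders to replace. One caveat it encodes that neither answer spells out: 168.63.129.16 only answers queries that originate inside an Azure VNet, so a forwarder on an on-prem DNS server must target a DNS forwarder or resolver deployed in the VNet, which in turn forwards to 168.63.129.16.

```powershell
<#
 Added example, not code from the thread or from Microsoft.
 Walks the DNS and SMB checks for an Azure Files private endpoint from an
 on-premises Windows client. Every value in the param block is a placeholder.
#>
param(
    [string]$StorageAccount    = "mystorageacct",   # placeholder: storage account name
    [string]$OnPremDnsServer   = "10.10.0.10",      # placeholder: on-prem DNS server IP
    [string]$DnsServerComputer = "dns01",           # placeholder: DNS server hostname (WinRM)
    [string]$ExpectedPrivateIp = "10.20.0.4"        # placeholder: private endpoint NIC IP
)

$AzureDns = "168.63.129.16"   # Azure-provided resolver; note 168.63, not 168.68
$Fqdn     = "$StorageAccount.file.core.windows.net"

# RFC 1918 test: a private endpoint answer must be one of these ranges.
function Test-IsRfc1918 {
    param([string]$Ip)
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Step 1: ask the on-prem DNS server directly. -DnsOnly bypasses the local
# cache and the hosts file, so the result reflects what the server returns.
function Test-PrivateEndpointDns {
    $records = Resolve-DnsName -Name $Fqdn -Type A -Server $OnPremDnsServer -DnsOnly -ErrorAction Stop
    $chain   = @($records | Where-Object Type -eq 'CNAME' | Select-Object -ExpandProperty NameHost)
    $answers = @($records | Where-Object Type -eq 'A'     | Select-Object -ExpandProperty IPAddress)
    $private = ($answers.Count -gt 0) -and
               (($answers | ForEach-Object { Test-IsRfc1918 $_ }) -notcontains $false)

    $hint = if (-not $private) {
        "Public IP returned: the query never reached Azure private DNS. The forwarder must " +
        "target a DNS forwarder/resolver inside the VNet (168.63.129.16 is not reachable over " +
        "the VPN), and the privatelink.file.core.windows.net zone must be linked to that VNet."
    } elseif ($answers -notcontains $ExpectedPrivateIp) {
        "Private IP returned but not the expected one: check the A record in the privatelink zone."
    } else { "OK" }

    [pscustomobject]@{
        Fqdn              = $Fqdn
        CnameChain        = ($chain -join ' -> ')     # expect ...privatelink.file.core.windows.net
        Answers           = ($answers -join ', ')
        ResolvesPrivately = $private
        Hint              = $hint
    }
}

# Step 2: TCP 445 to the name the client will actually use for the share.
# RemoteAddress shows which IP the client resolved, so a hosts-file override is visible here.
function Test-Smb445 {
    $r = Test-NetConnection -ComputerName $Fqdn -Port 445 -WarningAction SilentlyContinue
    [pscustomobject]@{
        RemoteAddress    = $r.RemoteAddress
        TcpTestSucceeded = $r.TcpTestSucceeded
        Hint             = if ($r.TcpTestSucceeded) { "OK" } else {
            "No TCP 445 path: check the VPN route tables in both directions, NSGs on the " +
            "private endpoint subnet and the client's local firewall."
        }
    }
}

# Step 3: read the conditional forwarder zone on the DNS server (needs the DnsServer
# module there and WinRM from this client; both are assumptions of this example).
function Test-ConditionalForwarder {
    Invoke-Command -ComputerName $DnsServerComputer -ScriptBlock {
        $z = Get-DnsServerZone -Name "file.core.windows.net" -ErrorAction Stop
        [pscustomobject]@{
            ZoneType      = $z.ZoneType                                    # expect Forwarder
            MasterServers = @($z.MasterServers | ForEach-Object { $_.IPAddressToString })
        }
    }
}

$dns = Test-PrivateEndpointDns
$dns | Format-List
if ($dns.ResolvesPrivately) { Test-Smb445 | Format-List }

$fwd = Test-ConditionalForwarder
$fwd | Format-List
if ($fwd.MasterServers -contains $AzureDns) {
    Write-Warning "Forwarder targets $AzureDns directly; it only answers from inside the VNet."
} elseif ($fwd.MasterServers -contains "168.68.129.16") {
    Write-Warning "Forwarder targets 168.68.129.16, which is not an Azure DNS address (typo for 168.63.129.16?)."
}
```

Run it from a domain-joined client on the on-prem network; step 3 needs rights on the DNS server. The order matters: until step 1 returns an RFC 1918 address from the on-prem DNS server, a port 445 failure tells you nothing about routing, which is why the SMB test is gated on the DNS result.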

1 additional answer

  1. Silvia Wibowo 4,926 Reputation points Microsoft Employee
    2025-01-07T20:49:26.29+00:00

    Hi @rr-4098 , here's the summary of issue and solution.

    Issue:

    • Created a storage account in Azure and configured private endpoint for the Azure Files in the storage account.
    • On-premises site is connected to Azure using site-to-site VPN.
    • On-premises client failed to connect using private endpoint.
    • No firewalls and NSG.

    Solution:

    • DNS: add an entry in local hosts file by mapping <storage-account-name>.file.core.windows.net to the private endpoint's IP address.
    • Routing: test network routing between on-premises client to Azure, and vice versa. Add entries in routing tables accordingly.

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

