Resolving DNS names for Azure private endpoint of another company, when using private endpoint ourselves

Arnaud Rigole 141

Hello,

It was hard to find an explicit title for that issue...

We got a DNS server hosted in Azure which serves as a relay/conditional forwarder for the private DNS zones we have in our Azure tenant. Following the Microsoft documentation for private endpoints DNS resolution, the conditional forwarding for these private DNS zones is sent to the Azure DNS 168.63.129.16. Among these private zones we got this privatelink.blob.core.windows.net, which is used by the private endpoints you can create for your storage accounts. At this point, everything works and we can resolve DNS names for our personalized private zones and privatelink... zones in Azure.

When you create a private endpoint on a publicly-accessible blob in storage endpoint, Azure adds a CNAME from the original "public" name mystorageaccount.blob.core.windows.net. to mystorageaccount.privatelink.blob.core.net. So when you request your storage account DNS name, it is translated to this privatelink FQDN and your private IP is returned.

The problem is that there are other people in the world which use Azure blobs & private endpoints. So when we try to resolve an external blob name which has a private link from our internal network , like someexternalstgaccount.blob.core.windows.net this is resolved as a CNAME of someexternalstgaccount.privatelink.blob.core.windows.net. So the DNS request is transfered to our own Azure DNS server/relay, which claims to handle the zone in its conditional forwarder privatelink.blob.core.windows.net. Finally, the name someexternalstgaccount is not found in our own tenant private DNS zone privatelink.blob.core.windows.net, and the request fails...

Every cases described here https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns does not mention the resolution of the example azsql1.database.windows.net from the outside of the corporate network...

What am i missing, how do you manage this ? You create conditional forwarding for all your FQDNs ?

KapilAnanth-MSFT 48,081 Reputation points Microsoft Employee

2022-09-20T17:13:31.993+00:00

Hi @Arnaud Rigole ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that we are not able to resolve Storage Accounts with private endPoints over Internet/External Network.

This issue was reproducible at my end.
I see this is a design limitation as of now.

When configured with Private DNS Zone, the resources are limited to the entries in that DNS Zone

Currently, the work around here would be to add the Public IP of the external storage account in the Private DNS Zone.
This might be useful if you have only a few external storage accounts.

Meanwhile, I shall see if there are any alternatives for this.

Please feel free to let me know should you have any follow-up questions on this.

Thanks,
Kapil.
Arnaud Rigole 141 Reputation points

2022-09-21T10:02:47.393+00:00

Hello @KapilAnanth-MSFT

Thanks for the answer.
Is there anything is the MS preconisations or roadmap for this behavior?

Following your suggestion, i could see that the external blob we tried to reach has another alias on it's public IP. Instead of an A record, I added it as a CNAME of the private endpoint name on our private DNS zone in Azure, it works...
KapilAnanth-MSFT 48,081 Reputation points Microsoft Employee

2022-09-22T05:22:38.033+00:00

Hi @Arnaud Rigole ,

Currently, there are no work items on this behavior.
I shall try and see if this issue can be addressed internally.

I am glad you were able to use CNAME as well.
It's a better solution as IPs may change.

Please let me know if you have any queries I can address.

Cheers,
Kapil
Robin Hardstål 0 Reputation points

2023-03-07T14:20:01.22+00:00

Hi @KapilAnanth-MSFT

Are there any new developments regarding this?
KapilAnanth-MSFT 48,081 Reputation points Microsoft Employee

2023-03-08T09:31:41.7933333+00:00

Robin Hardstål ,

I am afraid there are no updates I can share as of now.

Thanks,

Kapil
Anstey, Chris M 10 Reputation points

2023-06-16T16:45:21.6266667+00:00

Is the easy solution a design change from Microsoft like reference your Tenant in the private resolvers so something like privatelink.tenantname.azurewebsites.net
Jared E 0 Reputation points

2023-07-19T20:45:46.58+00:00

We are having the same issue. This seems like a very significant problem/limitation...
Christian Fosli 1 Reputation point

2023-11-21T11:52:36.9033333+00:00

We just hit this issue as well, after enabling private endpoints for an Azure API Management resource, and receiving feedback that some of our customers now get DNS-related network errors using our web app which talks to the Azure API Management gateway.

I expect this issue will become more prevalent now that private endpoint for azure api management has been GA for a little while. Since API's are often shared externally, but there are also advantages of connecting through private endpoints internally.
Joe Tauke 0 Reputation points

2024-05-21T17:56:17.06+00:00

Same issue (blob storage in our case). It's quite irritating that this has been a known problem for almost 2 years with no action to resolve it.
Sergio Padure 11 Reputation points

2024-06-28T12:27:34.2333333+00:00

Hi,

Are there any news on this issue? It's been 2 years since the issue has been reported and there doesn't appear to be any movement.
Josh Eliason 5 Reputation points

2024-10-09T20:56:16.0633333+00:00

@KapilAnanth-MSFT ,

Any updates on this now? Cub Foods' (a large grocery retailer in our region) platform must have recently published a privatelink for cubsaidpprod01.blob.core.windows.net for their online ordering which has broken employee's access to order groceries while at work for pick up on the way home. I understand adding a CNAME or IP address in our Private DNS will fix this one-off issue, but this is now the 3rd or 4th external vendor I've run into this issue with. Does adding 168.63.129.16 as a second IP address in our Conditional Forwarding Zone (our 1st IP address being our Private DNS resolver IP) take care of this issue, or do we still have to treat these issues as one-off things that have no permanent fix in sight?
KapilAnanth-MSFT 48,081 Reputation points Microsoft Employee

2024-10-10T11:53:45.2666667+00:00
Josh Eliason ,

The recommendation is to use Private EndPoint whenever a private DNS Zone is involved.

Solution 2 from the doc I shared below

Additionally,

If the VNET uses Azure Wireserver IP and is linked to a Private DNS Zone - the Private DNS Zone will always take precedence.

To override this, you can update the NIC of the VMs to use a different DNS Server (either on Internet or your custom DNS Server VM running in Azure)

See : Add or change DNS servers

Or Solution 1 from the doc where we leverage public DNS

Cheers,

Kapil
Sergio Padure 11 Reputation points

2024-12-06T23:51:55.8666667+00:00

Microsoft has released a solution to this issue during this year's Ignite: https://learn.microsoft.com/en-us/azure/dns/private-dns-fallback

2 answers

KapilAnanth-MSFT 48,081 Reputation points Microsoft Employee

2022-09-26T11:45:18.117+00:00

Hi @Arnaud Rigole ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that we are not able to resolve Storage Accounts with private endPoints over Internet/External Network.

Currently, this is a known issue.

You can refer to the suggestions and recommended solutions for this scenario here:
https://github.com/dmauser/PrivateLink/tree/master/Issue-Customer-Unable-to-Access-PaaS-AfterPrivateLink

Let me know if you require additional details on this.

Thanks,
Kapil

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Sergio Padure 11 Reputation points

2024-12-06T23:50:27.5366667+00:00

If anyone is still facing the issue Microsoft has released a solution during this year's Ignite: https://learn.microsoft.com/en-us/azure/dns/private-dns-fallback
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Resolving DNS names for Azure private endpoint of another company, when using private endpoint ourselves

2 answers

Your answer