Config Azure Firewall DNS for private endpoint without using Azure Private Resolver

lucas 25 Reputation points
2025-01-07T13:29:49.1366667+00:00

Hello,

Lately I configured a system like below:

Here is some description:

We have 3 Vnet:

  1. VNet test (172.22.0.0/16). Inside this subnet, I set up a subnet (172.22.0.0/24) and a VM test inside this subnet
  2. VNet Hub (10.18.0.0/16): inside this subnet I configured 3 subnets:
    1. Subnet VPN (10.18.2.0/24) - I set up a Site-to-Site VPN
    2. Subnet Firewall (10.18.1.0/24)
    3. Subnet test hub (10.18.0.0/24)
  3. VNet Spoke (10.12.0.0/16): inside this subnet I configured a subnet application (10.12.0.0/24). In this subnet I set up a VM Spoke (which only has a private IP) and a storage account (I configured a private endpoint; when I check, the private DNS of this storage account is mysaml.privatelink.blob.core.windows.net and the private IP is 10.12.0.5)

I also set up peering between 2 VNets: VNet Hub and VNet Spoke. I also enabled network transit between the two VNets as in this link: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

I also set up 2 route tables:

  1. UDR hub to spoke: attached to subnet VPN (10.18.2.0/24) of VNet Hub (10.18.0.0/16) and has the route below:
    1. Destination type: IP addresses
    2. Destination IP addresses/CIDR range: 10.12.0.0/16 - this is spoke Vnet address space
    3. Next hop type: Virtual appliance
    4. Next hop address: Firewall's private IP
  2. UDR spoke: attached to subnet application (10.12.0.0/24) of VNet Spoke (10.12.0.0/16) and has the route below:
    1. Destination type: IP addresses
    2. Destination IP addresses/CIDR range: 172.22.0.0/16 - this is test Vnet address space
    3. Next hop type: Virtual appliance
    4. Next hop address: Firewall's private IP

In Azure Firewall, I configured a network rule that allows RDP connections.

On VM test inside Subnet test (172.22.0.0/24), I also created a Site-to-Site VPN using Routing and Remote Access, which can be seen in this video guide: https://youtu.be/_sXNMpelCAo?t=963

The VPN connection works fine; from VM test I can connect to:

  • VM Hub (subnet: 10.18.0.0/24)
  • VM Spoke (subnet: 10.12.0.0/24)

Now from VM test, I need to connect to the storage account via its private endpoint (mysaml.privatelink.blob.core.windows.net, private IP 10.12.0.5). I understand that I need to use the Azure Firewall DNS proxy to do that; my project doesn't allow using Azure Private Resolver.

So I enabled the Azure Firewall DNS proxy.

Inside VM test, I added a conditional forwarder for blob.core.windows.net in DNS Manager.

I also configured a forward lookup zone privatelink.blob.core.windows.net which has an A record with the name of the storage account and the private IP 10.12.0.5.

I also checked the private DNS of the storage account on the Azure portal.

When I try to connect to the storage account on the Azure portal from VM test, I cannot connect.

On VM test, I also tried the nslookup command.

It should return the private IP of the storage account (10.12.0.5), right?

Could you help me check this? I looked for a guide in the Microsoft documentation and found a link, but it seems the content has been removed: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#virtual-network-and-on-premises-workloads-using-a-dns-forwarder


1 answer

  1. Ganesh Patapati 3,130 Reputation points Microsoft Vendor
    2025-01-08T11:14:29.7266667+00:00

    Hello lucas

    Good day!

    Thank you for your response.

    Based on the provided details, it appears that the resolution is occurring over the Public DNS of Azure.

    To resolve the DNS query over the Private DNS zone, please follow the steps outlined below.

    1. Deploy a custom DNS server in the Hub VNet.
    2. Configure a forwarder in the DNS server to direct requests to the Azure Private DNS Zone (168.63.129.16).
    3. Ensure DNS resolution occurs via the Azure Private DNS Zone.
    4. Add a forwarder from the on-prem DNS server to the custom DNS server in Azure, and add another forwarder from the Azure custom DNS server to the Azure Private DNS Zone.

    If you have a custom DNS server in Azure:

    You can also use the following options to configure your DNS settings for private endpoints:

    Use the hosts file (only recommended for testing). You can use the hosts file on a virtual machine to override the DNS.

    Use a private DNS zone. You can use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve specific domains.

    Use Azure Private Resolver (optional). You can use Azure Private Resolver to override the DNS resolution for a private link resource. For more information about Azure Private Resolver, see "What is Azure Private Resolver?".

    Refer: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder

    By setting up a DNS forwarder in your Azure Hub VNet, you can resolve private DNS zones from your on-premises network without using Azure Private Resolver. This solution allows you to maintain control over your DNS settings while ensuring connectivity to Azure Private Endpoints.


    Hope this clarifies!

    If the above is unclear and/or you are unsure about something, add a comment below.

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    Regards,

    Ganesh
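As an added diagnostic for the question's nslookup check and for the answer's point that resolution is currently happening over public DNS (example code written here, not from either poster), this PowerShell script run on VM test queries the storage account name through the local Windows DNS server and directly through the Azure Firewall DNS proxy, then classifies each answer. The firewall private IP is a placeholder; the storage account name and 10.12.0.5 are taken from the question.

```powershell
# Added example, not from the question or the answer: run on VM test (the on-prem
# Windows DNS server) to compare how the storage account name resolves through the
# local resolver and directly through the Azure Firewall DNS proxy.
# Placeholder assumption: $FirewallIp is the firewall's private IP in 10.18.1.0/24.

$StorageFqdn     = 'mysaml.blob.core.windows.net'
$PrivateLinkFqdn = 'mysaml.privatelink.blob.core.windows.net'
$ExpectedIp      = '10.12.0.5'    # private endpoint IP from the question
$FirewallIp      = '10.18.1.4'    # PLACEHOLDER: replace with the firewall's private IP

function Test-PrivateEndpointResolution {
    param([string]$Name, [string]$Server)
    try {
        # -DnsOnly skips the hosts file and local cache so the real server answer is seen
        $records = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Server = $Server; Verdict = 'QUERY FAILED'; Detail = $_.Exception.Message }
    }
    $cnames = @($records | Where-Object { $_.Type -eq 'CNAME' } | ForEach-Object { $_.NameHost })
    $ips    = @($records | Where-Object { $_.Type -eq 'A' }     | ForEach-Object { $_.IPAddress })

    $verdict = if ($ips -contains $ExpectedIp) { 'PRIVATE: answer is the private endpoint IP' }
               elseif ($ips | Where-Object { $_ -like '10.12.*' }) { 'PRIVATE: address is in the spoke VNet but not the expected IP' }
               elseif ($ips.Count -gt 0) { 'PUBLIC: a public IP came back, so the privatelink zone was never consulted' }
               else { 'NO A RECORD: the CNAME chain ended without an address' }

    [pscustomobject]@{
        Server         = $Server
        ViaPrivateLink = ($cnames -contains $PrivateLinkFqdn)   # did the CNAME chain pass through privatelink?
        Addresses      = ($ips -join ', ')
        Verdict        = $verdict
    }
}

# 127.0.0.1 = what VM test's own DNS server answers; $FirewallIp = what the DNS proxy
# answers when asked directly across the site-to-site VPN (TCP/UDP 53 must be routed).
$results = foreach ($srv in @('127.0.0.1', $FirewallIp)) {
    Test-PrivateEndpointResolution -Name $StorageFqdn -Server $srv
}
$results | Format-Table -AutoSize
# Reading the table: local PUBLIC but firewall PRIVATE -> the conditional forwarder for
# blob.core.windows.net is not sending queries to the firewall; firewall PUBLIC too ->
# the privatelink.blob.core.windows.net Private DNS zone is most likely not linked to
# the hub VNet the firewall resolves from.
```

Querying 168.63.129.16 directly from VM test is not a useful third test, because the Azure-provided resolver only answers from inside an Azure VNet.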

