How to connect to Azure Service Bus through Private Endpoint?

Question

I'm developing an application in our organization using C#/.NET(8.0) and have to use Azure Service Bus. My access in our organization's Azure account is mostly read-only, so I don't know actually how they created the instances. But I can see that the public network access is disabled, and they created a private endpoint for it. Naturally, I'm developing using a provided workstation. We are also provided with Azure VPN access in case we need to access some Azure services like MS SQL databases and Redis cache.

I just follow the sample here to test it out first using the provided primary connection string to me by the admin:

Endpoint=sb://[dev-envi-namespace].servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=[sharedkey]

I'm getting this error message: "Put token failed. status-code: 401, status-description: Ip has been prevented to connect to the endpoint."

But if I try the use the FQDN of the private endpoint for the connection string like this one:

Endpoint=sb://[dev-envi-namespace].privatelink.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=[sharedkey]

I'm getting this inner-most exception: "The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch"

I tried both approach using the provided Azure VPN access too, but I'm getting the same results. I'm not sure which connection string should I really use, and what else I can ask our Azure admin to configure so I can connect to the provided Service Bus instance. I think the created Private Endpoint and VPN connection are not in the same network or something, I might be able to check it with my limited access so I could point it out and shorten the troubleshooting.

Answer 1

Hey @Bergs

When you enable a private endpoint on a resource, a private DNS zone gets created and traffic to the original endpoint gets rejected. That's why you're getting the error above. What you can do is ask your Azure admin to add a CNAME record to privatelink.servicebus.windows.net private DNS zone. As for the "The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch" issue, it could be an access or configuration issue. If the VPN doesn't have access to the same VNet or the private DNS zone isn't associated with the VNet that would be an issue. It may also be a VNet peering issue as well, just depends on the existing configuration. Or it may be a misconfiguration with the endpoint itself where deleting it and recreating could resolve the issue.

I would verify the network configuration and setup a VM attached to the same VNet and see if you are able to successfully connect. If you are, then you know the issue is with the VPN access. If you aren't, then you know the issue is with the private endpoint. If the issue is with the endpoint and deleting/recreating it doesn't resolve the issue, comment down below.

For a guide for configuring private endpoint with service bus, see Integrate Azure Service Bus with Azure Private Link Service - Azure Service Bus | Microsoft Learn

Answer 2

Add this entry in your hosts file

[bus_private_endpoint_ip] [dev-envi-namespace].servicebus.windows.net