How to setup point to site vpn to got access to azure resource by private link

Radek 1 Reputation point
2024-08-29T08:22:26.0566667+00:00

Hello

I setup vpn connection do azure using p2s with tunel type openvpn and authentication azure active directory. Client is able to conntect to vpn without issue.

Next i setup azure postgresql database with access by private endpoint and configured privatelink.postgres.database.azure.com endpoint.

In private dns zone is present recordset

privatednszone

ppp configuration after connect to vpn

ppp

route print

routeprint

private endpoint dns configuration

privateendpoint

but nslookup is not resolving the ip to the internal

nslookup

what i'm missing in my configuration to resolve name of postgresql to the internal ip correctly?

Azure DNS
Azure DNS
An Azure service that enables hosting Domain Name System (DNS) domains in Azure.
691 questions
Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,557 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,509 questions
Azure Database for PostgreSQL
{count} votes

1 answer

Sort by: Most helpful
  1. Ganesh Patapati 1,275 Reputation points Microsoft Vendor
    2024-09-02T07:34:22.1633333+00:00

    Hi Radek,

    Sorry for the Delay!!

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    It sounds like you’ve configured your VPN and PostgreSQL database with a private endpoint but are encountering issues with name resolution when trying to access the database. Here’s a checklist of things to verify and steps to troubleshoot this issue.

    1. Forwarding DNS Requests:

    Deploy a DNS forwarder VM within your VNet. This VM will forward DNS requests for privatelink.postgres.database.azure.com to the appropriate Azure DNS server for resolution.

    Custom DNS Servers: (Limited functionality)

    Edit the downloaded Azure VPN client configuration file (azurevpnconfig.xml) and add the custom DNS server IP address responsible for resolving private link names.

    Using a DNS Forwarder is the solution nowadays to resolve private DNS zones and it works fine.

    If you want a more in-depth documentation about it, you can go here:

    1. Protection against data leakage: A private endpoint is mapped to an instance of a PaaS resource instead of the entire service. Consumers can only connect to the specific resource. Access to any other resource in the service is blocked. This mechanism provides basic protection against data leakage risks.

    NOTE: Assumptions and needs for these scenarios are shown below as examples for Reference.

    • Below is diagram with the DNS name resolution flow from P2S VPN connection. The solution is broken down in two solutions where in first configuration is set DNS Server IP (Forwarder/Proxy) on VNET DNS settings, which is the easiest way to implement, and second solution is to specific DNS Server settings directly on Azure VPN client XML profile. The main reason to break down is two solutions is because having DNS settings at the VNET level does not affect only P2S VPN clients but also all resources deployed inside the VNET. Therefore, you may have the flexibility only to set that setting over VPN client XLM profile to only be used by those remote user VPN connections instead of affecting also resources deployed inside the VNET. Below you can review a reference diagram of this solution as well as traffic pattern for DNS name resolution and access to Private Endpoint:

    private-endpoint-dns-p2s-vpn

    • Specify DNS Server for the Virtual Network

    Specify DNS Setting at the VNET level as shown:

    vnet-dns-settings

    After you save the settings above you a reconnected-on Azure VPN Client will trigger it to learn DNS Server settings specified at VNET level as shown:

    azure-vpn-client-dns-vnet

    Name Resolution Validation

    Use PowerShell command:

    Resolve-DnsName -Name ["Storage account FQDN name"]- (DNS Only)

    For example, using storage account name is: dmcentralus.blob.core.windows.net output is:

    resolve-dnsname

    • Specify DNS Server inside VPN Client Profile:

    Download VPN Client profile to your computer and add DNS settings.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-vpn-client-windows#how-do-i-add-custom-dns-servers-to-the-vpn-client

    If you are still facing any further issues, please don't hesitate to reach out to us. We are happy to assist you.

    Looking forward to your response and appreciate your time on this.

    Regards,

    Ganesh

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.