Share via

azure private endponit and private dns zone not working on different subscription?

thanakrit rungchatkamol 1 Reputation point
2024-12-13T04:00:14.61+00:00

Hi All,

I have issue about all azure service disable public access and enable private endpoint access only. I've 2 subscription, i deploy azure services for support ai search solution on subscriton A as spoke network and subscription B as Hub network connectivity service deployment. in subscription A and i has enable private endpoint on those services such as Web app, MySQL, AI Search and etc.

but when enabled private endpoint and disable public access for all services. i get error massage "Error Status: 400 : E1-D0038:Exception while generating response stream: Cannot connect to host xxxx.privatelink.search.windows.net:443 ssl:True [SSLCertVerificationError: (1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'xxxx.privatelink.search.windows.net'. (_ssl.c:1007)")]"

what's wrong configuration? Private DNS zone deploy on subscription B but azure service for support all ai solution deploy on subscription A including virtual network (Vnet peering form subscription A to subscription B already)

error message like can't resolve DNS because we use Private DNS zone and Private Endpoint in different subscription? How should I fix this?

BR,

Thanakrit

Azure AI Search
Azure AI Search
An Azure search service with built-in artificial intelligence capabilities that enrich information to help identify and explore relevant content at scale.
1,126 questions
Azure Database for MySQL
Azure Database for MySQL
An Azure managed MySQL database service for app development and deployment.
878 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Laxman Reddy Revuri 1,285 Reputation points Microsoft Vendor
    2024-12-18T03:58:48.31+00:00

    Hi @thanakrit rungchatkamol
    Thanks for the question and using MS Q&A platform.
    1.Ensure there's appropriate peering in place for the virtual networks for subscriptions A and B to secure, safe communication between those two networks for private endpoint access.
    2.Private DNS Configuration : It should be assured the private DNS zone exists and has been linked appropriately for Subscription B. Through it, the private endpoints of a DNS name resolution happens as expected.
    3. Using nslookup command to check whether the Private DNS zone of Subscription B resolves private endpoint DNS names. If this fails to resolve, it will not work.
    4. Using OpenSSL, verify the SSL certificate for your private endpoint is valid and matches the expected hostname, otherwise SSL errors can result.
    5.Test that the private endpoint in subscription A is set up properly to use the correct private DNS zone in subscription B, or DNS resolution and access simply will not work if improperly linked.
    references:
    https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration
    https://learn.microsoft.com/en-us/azure/machine-learning/how-to-troubleshoot-secure-connection-workspace?view=azureml-api-2&source=recommendations

    https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.