I have an Azure storage account with public IP address and can resolve this name using both nslookup and Resolve-DnsName. Output below, truncated for brevity.
C:>nslookup stgweb.blob.core.windows.net
Name: blob.syd25prdstr01a.store.core.windows.net
Address: 20.60.72.36
Aliases: stgweb.blob.core.windows.net
Resolve-DnsName -Name stgweb.blob.core.windows.net
Name : blob.syd25prdstr01a.store.core.windows.net
QueryType : A
TTL : 60
Section : Answer
IP4Address : 20.60.72.36
When I create a private endpoint, the private IP address resolves correctly from an Azure VM with both nslookup and Resolve-DnsName. But from outside Azure I can no longer resolve the public name using Resolve-DnsName, although nslookup still can.
C:>nslookup stgweb.blob.core.windows.net
Name: blob.syd25prdstr01a.store.core.windows.net
Address: 20.60.72.36
Aliases: stgweb.blob.core.windows.net
stgweb.privatelink.blob.core.windows.net
PS>Resolve-DnsName -Name stgweb.blob.core.windows.net
Resolve-DnsName: stgweb.blob.core.windows.net : DNS name does not exist.
But Resolve-DnsName will resolve the blob.syd25prdstr01a.store.core.windows.net name:
PS>Resolve-DnsName -Name blob.syd25prdstr01a.store.core.windows.net
blob.syd25prdstr01a.store.core.windows.net A 60 Answer 20.60.72.36
Why is this? Is there a way to get Resolve-DnsName to work correctly, like nslookup? It's not just storage accounts; it's anything with a private endpoint that fails.
• When you enable the private endpoint for a storage account, a private DNS zone is created with the name ‘privatelink.blob.core.windows.net’, in which an ‘A’ host record is created for the storage account with a private IP address assigned, as shown below:
This is created along with a private NIC configuration, as below, in which the private DNS integration for the NIC is associated with the storage account as well as with the private link created for it. Because of this, when you try to resolve the FQDN of the storage account, i.e., ‘kartikbstor.blob.core.windows.net’, it will not be accessible, since it is privately associated with the IP address in the associated virtual network. Therefore, it is only when you ‘nslookup’ the ‘CNAME’ record created by you, i.e., ‘blob.syd25prdstr01a.store.core.windows.net’, after creating the private endpoint that it is not accessible, since the private link DNS configuration takes effect after private endpoint creation.
• As the ‘nslookup’ from inside the Azure VM searches for DNS entries only in the respective virtual network’s private DNS zone, the DNS ‘A’ record related to the private link is returned and the DNS resolution takes place. Similarly, when you run the ‘Resolve-DNS’ command after creating the private endpoint, it tries to search for the ‘CNAME’ record, i.e., ‘blob.syd25prdstr01a.store.core.windows.net’, in the private DNS zone, which is found, but the public DNS name is no longer accessible since its FQDN is no longer available in the private DNS zone created by the private link.
Therefore, when you create a private endpoint for a storage account, the public DNS entries are not accessible from the virtual network’s resources, i.e., the Azure VM, and are instead accessible from the public internet.
For more detailed information, kindly refer to the link below:
https://learn.microsoft.com/en-us/powershell/module/dnsclient/resolve-dnsname?view=windowsserver2022-ps
Related
I would appreciate any help with the proper setup of on-premises workloads using a DNS forwarder in Azure. I've followed the link below and it works for my on-prem network to connect to the resources that have private endpoints in the VNET in Azure. What does not work is when we try to connect to other resources that have private endpoints but that we want to reach through their public endpoints.
Example:
We have a resource secnetwork1.blob.core.windows.net that we have a private endpoint for, and our on-prem DNS server forwards traffic to a VPN-linked VNET. Everything works fine; we get the expected 10.X.X.X address returned instead of the public address. We want to connect to a different someothercompanies.blob.core.windows that is not part of our network. When our on-prem resources look for that, they get the following response from an nslookup:
nslookup someothercompanies.blob.core.windows.net
Server: 168.63.129.16
Address: 168.63.129.16#53
Non-authoritative answer:
someothercompanies.blob.core.windows.net canonical name = someothercompanies.privatelink.blob.core.windows.net.
** server can't find someothercompanies.privatelink.blob.core.windows.net: NXDOMAIN
Link: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder
It is my thought that even though we have a private endpoint with a private link set up and a DNS forwarder, we should still be able to talk to other companies' blobs that are open to the internet, even if that company has a private endpoint and private link set up for its own internal use. Imagine we are getting data from a 3rd-party company and that company delivers it via a blob for which they have an internal private endpoint and private link set up to access internally for their own use. My guess is that our DNS forwarders are not set up correctly.
Lastly, I've set up a GitHub repo that mocks up this issue using Terraform here: https://github.com/westridgegroup/wrg-terraform-networking
After reading this statement on the MS website, I believe what I was trying to accomplish is impossible.
"Private networks already using the private DNS zone for a given type, can only connect to public resources if they don't have any private endpoint connections, otherwise a corresponding DNS configuration is required on the private DNS zone in order to complete the DNS resolution sequence."
MS Link: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration
I've set up a private endpoint for an Azure Storage Account. Now, it creates the private endpoints and private links for me. Also, I am able to access my storage account (storageaccountA) directly from a VM which is in the same event.
Now, on Nslookup from my VM
nslookup storageaccountA.blob.core.windows.net
Server: UnKnown
Address: 168.63.129.16
Non-authoritative answer:
Name: storageprivate.privatelink.blob.core.windows.net
Address: 10.0.0.4
Aliases: storageaccountA.blob.core.windows.net
Now, to resolve this "storageaccountA.blob.core.windows.net",
the mapping from "storageaccountA.blob.core.windows.net" to "storageprivate.privatelink.blob.core.windows.net" should be done in the private DNS records.
But when I look at the DNS records there is only an A record, i.e.
storageprivate | A | 3600 | 10.0.0.4
So my question is: how is this "storageaccountA.blob.core.windows.net" resolved to return the IP address 10.0.0.4 when no such record or mapping exists?
When you create a private endpoint for your Storage account, a Private DNS zone called "privatelink.blob.core.windows.net" is created. In Azure's infrastructure, a CNAME is added to the "blob.core.windows.net" internal zone that resolves to the A record of "storageaccountA.privatelink.blob.core.windows.net".
This allows you to use the standard FQDN "storageaccountA.blob.core.windows.net", but still access the storage account through the Private Endpoint's private IP address.
The mapping from "storageaccountA.blob.core.windows.net" to "storageprivate.privatelink.blob.core.windows.net" is done internally and is managed by Azure.
Please refer to the articles below for more information:
https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints#dns-changes-for-private-endpoints
https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios
I tested the scenario in my environment and it was the same for me.
How is this "storageaccountA.blob.core.windows.net" resolved to return the IP address 10.0.0.4 when no such record or mapping exists?
After creating the private endpoint in the Storage Account, you can check the DNS configuration section of the private endpoint. The mapping of "storageaccountA.blob.core.windows.net" to 10.0.0.4 is done by default. So "storageaccountA.blob.core.windows.net" is resolved and returns the IP address 10.0.0.4.
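As an added example (not code from this thread or from Azure), the small Python model below follows the CNAME chain the two answers above describe and also shows why the on-premises forwarder in the earlier question got NXDOMAIN for a third party's account: a linked Azure Private DNS zone is authoritative for the whole privatelink.blob.core.windows.net suffix, so a label it lacks never falls back to the public zone. The zone contents and the 10.1.0.4 private address are constructed; the account and cluster names are the ones quoted in the thread.

```python
NXDOMAIN = "NXDOMAIN"

# Constructed public DNS data: <account>.blob.core.windows.net is a CNAME to
# <account>.privatelink.blob.core.windows.net, which is a CNAME to the storage
# cluster name that finally carries the public A record (as in the nslookup output above).
PUBLIC_ZONES = {
    "blob.core.windows.net": {
        "secnetwork1": ("CNAME", "secnetwork1.privatelink.blob.core.windows.net"),
        "someothercompanies": ("CNAME", "someothercompanies.privatelink.blob.core.windows.net"),
    },
    "privatelink.blob.core.windows.net": {
        "secnetwork1": ("CNAME", "blob.syd25prdstr01a.store.core.windows.net"),
        "someothercompanies": ("CNAME", "blob.syd25prdstr01a.store.core.windows.net"),
    },
    "store.core.windows.net": {"blob.syd25prdstr01a": ("A", "20.60.72.36")},
}

# Constructed Azure Private DNS zone linked to the VNet (and reached by the on-prem
# forwarder). Only our own private endpoint has an A record; 10.1.0.4 is assumed.
PRIVATE_ZONES = {
    "privatelink.blob.core.windows.net": {"secnetwork1": ("A", "10.1.0.4")},
}

def find_zone(fqdn, zones):
    """Return (label, zone) for the longest zone suffix covering fqdn, else None."""
    for zone in sorted(zones, key=len, reverse=True):
        if fqdn.endswith("." + zone):
            return fqdn[: -len(zone) - 1], zone
    return None

def lookup(fqdn, private_zones=None):
    """Follow CNAMEs to an A record. Returns (chain_of_names, ip_or_NXDOMAIN).
    A linked private zone is authoritative for its whole suffix: a label it does
    not contain yields NXDOMAIN instead of falling back to the public zone."""
    chain, name = [fqdn], fqdn
    for _ in range(8):  # guard against CNAME loops
        hit = find_zone(name, private_zones or {})
        zones = private_zones if hit else PUBLIC_ZONES
        hit = hit or find_zone(name, PUBLIC_ZONES)
        if hit is None:
            return chain, NXDOMAIN
        label, zone = hit
        rtype, value = zones[zone].get(label, (None, None))
        if rtype != "CNAME":
            return chain, value if rtype == "A" else NXDOMAIN
        name = value
        chain.append(name)
    return chain, NXDOMAIN
```

Calling lookup with PRIVATE_ZONES models a query from the VNet or through the forwarder; calling it without models a query from the public internet, which is why the same name yields 10.1.0.4, NXDOMAIN or 20.60.72.36 depending only on which zones the resolver can see.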
I'm trying to set up MailTrain (a newsletter application) on an Azure VM. I created a resource group with the virtual machine, a virtual network, a network interface, a network security group, a public IP address and a private DNS zone.
MailTrain expects three URL endpoints which all point to the same IP address. For testing purposes I would like to create internal endpoints which all point to the VM. I played around with DNS entries in the DNS zone, but it doesn't work as I expected.
The name of the private DNS zone is equal to the DNS name of the VM's public IP address. The private DNS zone and the VM are linked with the virtual network link and auto registration is enabled. The virtual network contains a default subnet. I created an A entry for "lists" pointing to the VM's internal IP address and a CNAME entry for "sbox" pointing to the DNS name of the public IP address. Inbound rules for ports 80 and 443 were added to the network security group.
The console shows me the following message while running the installation script:
Domain: lists.xxx.cloudapp.azure.com
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
lists.xxx.cloudapp.azure.com - check that
a DNS record exists for this domain
Domain: sbox.xxx.cloudapp.azure.com
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
sbox.xxx.cloudapp.azure.com - check that a
DNS record exists for this domain
Domain: xxx.cloudapp.azure.com
Type: unauthorized
Detail: Invalid response from
https://xxx.cloudapp.azure.com/.well-known/acme-challenge/VIjYMd-Uic_T2lQBl4vSyy9Va46-yVxmTA8SSE3f8J8
[xxx.xxx.xxx]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>503 Service
Unavailable</title>\n</head><body>\n<h1>Service"
Following that quick start, you just need to create three DNS records in your public domain DNS zone.
Please note that there are public DNS and private DNS in Azure. In this case, I assume you have created a private DNS zone for internal endpoints. To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Additionally, you can also enable autoregistration on a virtual network link. If you enable auto registration on a virtual network link, the DNS records for the virtual machines on that virtual network are registered in the private zone. Or, you can manually create an A record to map to your VM's private IP address in the zone and create other CNAME records to map to the other internal endpoints.
As a best practice, do not use a .local domain for your private DNS zone. Not all operating systems support this.
In addition, you need to add inbound ports 80 and 443 in the network security group that is associated with the Azure VM subnet or NIC.
Update
For an internal test, you can use a private DNS zone, because the DNS records in a private zone can only be resolved in a virtual network and cannot be resolved over the Internet; you could select the local installation in this scenario.
For example, I create a private DNS zone named contoso.com.
After a local install, you can access the website via the trusted endpoint http://localhost:3000; then you should access the other endpoints in the VNet instead of accessing them externally.
However, if you want to use it for public access, you could choose to install a public website secured by SSL. In this case, you need to purchase a domain and add the related DNS records to the DNS zone at the respective DNS provider. Azure DNS supports hosting your public domain zones in Azure.
I followed instructions as per https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-storage-portal
Weirdly the blob GET requests only seem to work when using FQDN and not the direct private IP.
The private IP assigned to mystorageaccount.blob.core.windows.net is 10.0.0.5
GET requests to https://mystorageaccount.blob.core.windows.net/samplecontainer/1.png and https://mystorageaccount.privatelink.blob.core.windows.net/samplecontainer/1.png both work without issues and both get mapped to remote address 10.0.0.5:443
However, GET request to https://10.0.0.5/samplecontainer/1.png gives a 400 - Bad Request - Invalid Hostname error.
As far as I know, even if you access the Storage account without a private endpoint to download the blob, you cannot use the IP address either. Azure needs to resolve the blob endpoint via the domain name.
For the private endpoint for the storage account, the private link is also set up by Azure, and the private IP address just provides a tunnel to connect to the storage from the VNet. So you can access the storage blob via the domain name of the storage blob or the private link, but not via the private IP address.
I have a resource group on Azure containing a virtual machine, Kubernetes, a load balancer, a public IP address, etc.
I can access my Kubernetes app with the direct public IP or the public IP's DNS name. But the problem is that I can't get an Azure custom DNS name (DNS zone) working for my public IP, e.g. myapp.com.
I have tried to assign the public IP address in the DNS zone but can't get the custom DNS name working for my app.
2 options:
1. An A record that points to the public IP address explicitly
2. A CNAME record that points to the Azure "internal" DNS name
From the description it looks like you haven't updated the name server settings of your domain (e.g. myapp.com) to use Azure DNS's name servers (where you have created a zone for that domain name) for query resolutions.
The article linked below has instructions on how to do it. Please let us know if this answers your question.
https://learn.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns