
Context

I have a hub-spoke network architecture in Azure and the hub vnet has a site-to-site VPN connection with on-premise.

I have a storage account that I want to access privately. So, I created a private endpoint in the spoke vnet and I connected the hub vnet with the privatelink.blob.core.windows.net private DNS zone.

To resolve the storage account private link from on-prem, I added an Azure Firewall in the hub vnet acting as a DNS proxy and all traffic for privatelink.core.windows.net is sent to this firewall.

This setup is summarized here.

Problem

When I do a nslookup [xxx].blob.core.windows.net, the first time I get the storage account private IP. BUT, subsequently, I get the storage account public IP.

Question

How is this possible?

My guess

First attempt

  • Client sends request for [xxx].blob.core.windows.net to the on-prem DNS server
  • The on-prem DNS server forwards the request to the hub firewall
  • The hub firewall forwards the request to Azure DNS
  • Azure DNS responds that [xxx].blob.core.windows.net is a CNAME for [xxx].privatelink.blob.core.windows.net which in turn is a CNAME for blob.[yyy].store.core.windows.net and resolves to the private IP

Subsequent attempts

  • Client sends request for [xxx].blob.core.windows.net to the on-prem DNS server
  • The on-prem DNS server sees in its cache that [xxx].blob.core.windows.net is a CNAME for blob.[yyy].store.core.windows.net and tries to resolve that name
  • The on-prem DNS server resolves the public IP
flappy
  • On the on-prem DNS server, have you tried forwarding DNS requests for blob.windows.net instead of privatelink.blob.windows.net? – Theo F Jul 27 '23 at 17:09
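As an added illustration of the guess above (example code written for this page, not from the thread and not a statement about Azure's actual DNS records): a toy caching forwarder that follows the chain exactly as the asker describes it, caches the whole CNAME chain from the firewall on the first lookup and, once only the tail A record has expired, re-queries just the tail name, which no conditional forwarder covers. The forwarded zone (blob.core.windows.net, matching step 2 of the guess), the names, addresses and TTLs are all constructed assumptions.

```python
ACCOUNT = "xxx.blob.core.windows.net"              # placeholder names, as in the question
PL_NAME = "xxx.privatelink.blob.core.windows.net"
BACKEND = "blob.yyy.store.core.windows.net"
PRIVATE_IP, PUBLIC_IP = "10.1.0.4", "20.60.1.1"   # constructed addresses
# name -> (rtype, rdata, ttl); the two views differ only in the tail A record
AZURE_VIEW = {ACCOUNT: ("CNAME", PL_NAME, 300), PL_NAME: ("CNAME", BACKEND, 300),
              BACKEND: ("A", PRIVATE_IP, 10)}      # answered via the hub firewall proxy
PUBLIC_VIEW = {ACCOUNT: ("CNAME", PL_NAME, 300), PL_NAME: ("CNAME", BACKEND, 300),
               BACKEND: ("A", PUBLIC_IP, 10)}      # answered by Internet resolvers

def matches(name, zones):
    return any(name == z or name.endswith("." + z) for z in zones)

def chain_from(view, name):
    """A recursive upstream answers with the whole CNAME chain down to the A record."""
    out = []
    while True:
        rtype, rdata, ttl = view[name]
        out.append((name, rtype, rdata, ttl))
        if rtype == "A":
            return out
        name = rdata

class OnPremResolver:
    def __init__(self, forward_zones):
        self.forward_zones, self.cache, self.path = forward_zones, {}, []
    def resolve(self, name, now):
        while True:
            hit = self.cache.get(name)
            if hit is None or hit[2] <= now:
                # Forwarding is chosen by the name looked up now, not the name the client asked for.
                upstream = "firewall" if matches(name, self.forward_zones) else "public"
                view = AZURE_VIEW if upstream == "firewall" else PUBLIC_VIEW
                self.path.append((name, upstream))
                for n, rtype, rdata, ttl in chain_from(view, name):
                    self.cache[n] = (rtype, rdata, now + ttl)
                hit = self.cache[name]
            if hit[0] == "A":
                return hit[1]
            name = hit[1]                            # follow the CNAME

def uncovered_names(forward_zones):
    """Audit: chain names the forwarder would send down the default (public) path."""
    return [n for n, _, _, _ in chain_from(AZURE_VIEW, ACCOUNT)
            if not matches(n, forward_zones)]

def demo(forward_zones=("blob.core.windows.net",)):
    r = OnPremResolver(forward_zones)
    first = r.resolve(ACCOUNT, now=0)    # whole chain cached via the firewall
    second = r.resolve(ACCOUNT, now=30)  # CNAMEs still fresh, tail A record expired
    return first, second, r.path
```

uncovered_names() is the check to run against your own forwarder list: any chain name it returns is resolved down the default path as soon as its cached record expires, which is exactly the flap described above.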

2 Answers


When you create a private endpoint for the storage account, it doesn't mean the storage account can't be accessed from the Internet. It only means you can access the storage account from both the VNet and the Internet. You can understand it from the screenshot below:


So if you want the storage account to be accessible only from the hub VNet, you need to change "Allow access from" to "Selected networks", and select the hub VNet as the allowed network.

Charles Xu
  • Thank you for the response. In my case, the access is only allowed from selected networks and no virtual network is selected below because I don't want to talk to the storage account via its public endpoint. However, I have two private endpoint connections: one for blob and one for dfs. – flappy Jun 23 '21 at 07:38
  • @flappy OK, then you need to add the network rule to set the default action with Deny, and only allow the traffic from the selected VNet. Steps [here](https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-cli#managing-default-network-access-rules). Then you can only access the storage account from the VNet, not the Internet. – Charles Xu Jun 23 '21 at 08:22

I have the same problem, and found that someone may have solved it by adding DNS configuration to the Azure VPN Client (on Windows): "resolving private dns zone over point-to-site". I have not tried this solution myself, but found a workaround by adding a mapping entry to the hosts file in the C:Windows/system32/driver/etc system folder.