0

I've set up a private endpoint for an Azure Storage Account. It creates all the private endpoints and private links for me. Also, I am able to access my storage account (storageaccountA) directly from a VM which is in the same VNet.

Now, on nslookup from my VM:

nslookup storageaccountA.blob.core.windows.net
Server:  UnKnown
Address:  168.63.129.16

Non-authoritative answer:
Name:    storageprivate.privatelink.blob.core.windows.net
Address:  10.0.0.4
Aliases:  storageaccountA.blob.core.windows.net

Now, to resolve "storageaccountA.blob.core.windows.net", the mapping from "storageaccountA.blob.core.windows.net" to "storageprivate.privatelink.blob.core.windows.net" should be done in the private DNS record.

But when I look at the DNS records, there is only an A record, i.e.

storageprivate | A | 3600 | 10.0.0.4

So, my question is: how is "storageaccountA.blob.core.windows.net" resolved to return the IP address 10.0.0.4, when no such record or mapping exists?

girishsuri
  • 41
  • 5

2 Answers

2

When you create a private endpoint for your Storage account, a Private DNS zone called "privatelink.blob.core.windows.net" is created. In Azure's infrastructure, a CNAME is added to the "blob.core.windows.net" internal zone that resolves to the A record of "storageaccountA.privatelink.blob.core.windows.net".

This allows you to use the standard FQDN "storageaccountA.blob.core.windows.net", but still access the storage account through the Private Endpoint's private IP address.

The mapping from "storageaccountA.blob.core.windows.net" to "storageprivate.privatelink.blob.core.windows.net" is done internally and is managed by Azure.

Please refer to the articles below for more information:
https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints#dns-changes-for-private-endpoints
https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios

Gitarani Sharma
  • 735
  • 3
  • 4
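To make the chain described in this answer concrete, here is an added Python model of the resolution; it is not code from the question, the answers or Azure. The CNAME in the Azure-managed zone and the single A record in the private zone follow the answer and the nslookup output in the question; the public fallback name and address, the VNet range 10.0.0.0/24 and all function names are constructed assumptions. The final check is the one worth running after deploying a private endpoint: that the account's FQDN resolves to an address inside the VNet rather than to a public one, which is what tells you traffic actually stays on the private link.

```python
"""Model of how a storage account FQDN resolves through an Azure private
endpoint. Constructed example: the records mirror the answer and the
question's nslookup output; the public fallback and VNet range are assumed."""
import ipaddress

# Azure-managed public zone (blob.core.windows.net). The platform adds the
# first CNAME when a private endpoint exists for the account. The public view
# of the privatelink name (second CNAME and its A record) is an assumption,
# constructed so that a client without the private zone still gets an answer.
PUBLIC_ZONE = {
    "storageaccountA.blob.core.windows.net":
        ("CNAME", "storageprivate.privatelink.blob.core.windows.net"),
    "storageprivate.privatelink.blob.core.windows.net":
        ("CNAME", "blob.public-endpoint.example.invalid"),   # assumed
    "blob.public-endpoint.example.invalid": ("A", "203.0.113.10"),  # placeholder
}

# Private DNS zone privatelink.blob.core.windows.net, linked to the VNet.
# Only the single A record shown in the question exists here.
PRIVATE_ZONE = {
    "privatelink.blob.core.windows.net": {
        "storageprivate": ("A", "10.0.0.4"),
    },
}


def lookup_private(name, linked_zones):
    """Answer from a linked Private DNS zone if one covers `name`.

    Returns None when no linked zone matches (fall through to public DNS).
    Within the VNet the private zone is authoritative for its suffix, so a
    name under a linked zone with no record yields NXDOMAIN, not a public
    answer. Longest-suffix match picks the zone."""
    for zone in sorted(linked_zones, key=len, reverse=True):
        if name == zone:
            return linked_zones[zone].get("@", ("NXDOMAIN", None))
        if name.endswith("." + zone):
            label = name[: -(len(zone) + 1)]
            return linked_zones[zone].get(label, ("NXDOMAIN", None))
    return None


def resolve(name, linked_zones, max_hops=8):
    """Follow CNAMEs to an A record, consulting linked private zones first
    (the behaviour of the Azure-provided resolver at 168.63.129.16).

    Returns (ip, chain); chain lists every name visited, which is the same
    information nslookup prints as Name/Aliases."""
    chain = [name]
    for _ in range(max_hops):
        rec = lookup_private(name, linked_zones)
        if rec is None:
            rec = PUBLIC_ZONE.get(name, ("NXDOMAIN", None))
        rtype, data = rec
        if rtype == "A":
            return data, chain
        if rtype == "CNAME":
            name = data
            chain.append(name)
            continue
        raise LookupError(f"{name}: no record")
    raise LookupError("CNAME chain too long")


def resolves_to_private_endpoint(name, linked_zones, vnet_prefix="10.0.0.0/24"):
    """True when the FQDN ends up at an address inside the VNet range
    (assumed 10.0.0.0/24 here), i.e. the private endpoint is actually used."""
    ip, _ = resolve(name, linked_zones)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(vnet_prefix)


if __name__ == "__main__":
    fqdn = "storageaccountA.blob.core.windows.net"
    ip, chain = resolve(fqdn, PRIVATE_ZONE)
    print("inside VNet :", " -> ".join(chain), "=>", ip)
    ip, chain = resolve(fqdn, {})
    print("no zone link:", " -> ".join(chain), "=>", ip)
    print("private path OK:", resolves_to_private_endpoint(fqdn, PRIVATE_ZONE))
```

The second run, with no zone linked, shows why the question's A record is enough: the public CNAME does the "mapping" the question was looking for, and the private zone only has to answer for the privatelink name. If a client resolves the FQDN to a public address, the zone is not linked to that VNet or a custom DNS server is not forwarding to 168.63.129.16, and the traffic bypasses the private endpoint.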
1

I tested the scenario in my environment and it was the same for me.

how is "storageaccountA.blob.core.windows.net" resolved to return the IP address 10.0.0.4, when no such record or mapping exists?

After creating the private endpoint in the Storage Account, you can check the DNS configuration section of the private endpoint. The mapping of "storageaccountA.blob.core.windows.net" to 10.0.0.4 is done by default. So, "storageaccountA.blob.core.windows.net" is resolved and returns the IP address 10.0.0.4.


RamaraoAdapa
  • 2,837
  • 2
  • 5
  • 11