
I am trying to access resources that are secured behind private endpoint from a remote location using an Azure VPN Point-to-Site connection.

So far I have set up a conditional forwarder to send DNS requests to Azure's internal DNS IP address (168.63.129.16). With my setup I can resolve all my private endpoints using nslookup to their private IP addresses. I can also connect to services such as SQL Server from my local machine (using SQL Server Management Studio in the case of SQL Server).

The problem I am facing is that I can only access resources if I use a desktop client for a given service. If I try to do anything using the Azure Portal, I get an error stating that I cannot access resources using my Public IP address without adding it as an inbound IP address. Whilst this is certainly an option, I don't want to go down this road.

I am hoping there is an option where I can connect to private endpoint resources from Azure Portal whilst connected to my point-to-site VPN. Any ideas?

1 Answer


So far I have set up a conditional forwarder to send DNS requests to Azure's internal DNS IP address (168.63.129.16). With my setup I can resolve all my private endpoints using nslookup to their private IP addresses. I can also connect to services such as SQL Server from my local machine (using SQL Server Management Studio in the case of SQL Server).

AFAIK, the process which you are doing is correct. To fix this issue, try to update the local hosts file on the client desktop to deploy a resource with a private endpoint; please refer to this link for more detail.

  • By default, when you create a Private Endpoint in the Azure Portal it will automatically lock out public access. Service Endpoints operate by adding routes to allow traffic out of the virtual network to reach the public endpoint of the selected service. If you are getting an access resources error, update the firewall rules to communicate with your Azure resources; you really need to configure v-net traffic in the firewall settings.

  • The next option is a conditional forwarder; in your scenario the ble from every v-net, its public IP won't overlap with any private IPs, it is available from inside of the Azure v-net, unique to each.

  • In a conditional forwarder, the client asks for the IP of a host like www.seraltos.com. The DNS server looks to see if it knows the answer; if not, a lookup will be done based on root servers or a forwarder to find the IP address, and it returns that to the client.

For more information in detail, please refer to the links below:

Private Endpoints and DNS in Azure & Cannot access my own public IP

https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints

https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint?tabs=manage-private-link-powershell

Imran
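A check I would run on the P2S client before pinning anything in the hosts file, added here as example code (not from the question, the answer, or Microsoft): it lists which privatelink zones the conditional forwarder must cover for a set of names, resolves each name, and reports whether the answer actually lands inside the VNet address space. The FQDNs, IPs and VNet range are constructed; the zone table is a subset covering SQL, Blob and Key Vault only.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Public DNS suffix -> Azure privatelink zone that the conditional forwarder
# must send to 168.63.129.16 (subset; extend for other services).
PRIVATELINK_ZONES = {
    "database.windows.net": "privatelink.database.windows.net",
    "blob.core.windows.net": "privatelink.blob.core.windows.net",
    "vault.azure.net": "privatelink.vaultcore.azure.net",
}

# Constructed answers standing in for what the P2S client resolves (hypothetical names).
SAMPLE_ANSWERS: Dict[str, str] = {
    "sqlsrv01.database.windows.net": "10.10.2.4",   # private endpoint NIC inside the VNet
    "stacct01.blob.core.windows.net": "10.10.2.5",
    "kv01.vault.azure.net": "20.50.1.7",            # still the public IP: forwarder misses this zone
}

def sample_resolver(fqdn: str) -> str:
    return SAMPLE_ANSWERS[fqdn]

def system_resolver(fqdn: str) -> str:
    # Real lookup through the client's configured DNS (needs the VPN up).
    return socket.gethostbyname(fqdn)

def forwarder_zones(fqdns: Iterable[str]) -> List[str]:
    """Privatelink zones that need a conditional forwarder for these names."""
    zones = set()
    for fqdn in fqdns:
        for suffix, pl_zone in PRIVATELINK_ZONES.items():
            if fqdn.endswith("." + suffix):
                zones.add(pl_zone)
    return sorted(zones)

def check_private_resolution(fqdns: Iterable[str], resolver: Callable[[str], str] = system_resolver,
                             vnet_cidrs: Iterable[str] = ("10.0.0.0/8",)) -> Dict[str, dict]:
    """Resolve each name and report whether the answer lands inside the VNet ranges."""
    nets = [ipaddress.ip_network(c) for c in vnet_cidrs]
    report: Dict[str, dict] = {}
    for fqdn in fqdns:
        try:
            ip = ipaddress.ip_address(resolver(fqdn))
        except (OSError, KeyError, ValueError):   # NXDOMAIN, unknown sample, or garbage answer
            report[fqdn] = {"ip": None, "private": False, "in_vnet": False}
            continue
        report[fqdn] = {"ip": str(ip), "private": ip.is_private, "in_vnet": any(ip in n for n in nets)}
    return report

def hosts_file_lines(report: Dict[str, dict]) -> List[str]:
    """Hosts-file pins (the answer's workaround) only for names already resolving into the VNet."""
    return [f"{r['ip']} {fqdn}" for fqdn, r in report.items() if r["in_vnet"]]
```

Names that come back with a public IP (kv01 in the sample) mean the forwarder does not cover that privatelink zone yet; fix the forwarder rather than pinning the public address.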