I would appreciate any help with the proper setup of on-premises workloads using a DNS forwarder in Azure. I've followed the link below and have it working for my on-prem network to connect to the resources that have private endpoints in the VNet in Azure. What does not work is if we try to connect to other resources that have private endpoints but we want to connect to them through their public endpoints.
Example: We have a resource secnetwork1.blob.core.windows.net that we have a private endpoint for, and our on-prem DNS server forwards traffic to a VPN-linked VNet. Everything works fine; we get the expected 10.X.X.X address returned instead of the public address. We want to connect to a different account, someothercompanies.blob.core.windows.net, that is not part of our network. When our on-prem resources look for that, they get the following response from an nslookup:
nslookup someothercompanies.blob.core.windows.net
Server: 168.63.129.16
Address: 168.63.129.16#53
Non-authoritative answer:
someothercompanies.blob.core.windows.net canonical name = someothercompanies.privatelink.blob.core.windows.net.
** server can't find someothercompanies.privatelink.blob.core.windows.net: NXDOMAIN
Link: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder
It is my thought that even though we have a private endpoint with a private link set up and a DNS forwarder, we should still be able to talk to other companies' blobs that are open to the internet, even if that company has a private endpoint and private link set up for its own internal use. Imagine we are getting data from a 3rd-party company and that company delivers it via a blob that they have an internal private endpoint and private link set up to access internally for their own use. My guess is that our DNS forwarders are not set up correctly.
Lastly, I've set up a GitHub repo that mocks up this issue using Terraform here: https://github.com/westridgegroup/wrg-terraform-networking
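The following is an added illustration for this thread, not code from the question's Terraform repo or from Microsoft. It models, in a few dozen lines of Python, the resolution path behind the nslookup output above: the public name is a CNAME to a name under privatelink.blob.core.windows.net, and a Private DNS zone for that suffix linked to the VNet is answered authoritatively by the Azure-provided resolver (168.63.129.16), so a name under that suffix that has no record in the zone gets NXDOMAIN rather than a fallback to public DNS. The zone contents, the two account names and all IP addresses are constructed sample data; `names_shadowed_by_zone` is a hypothetical inventory check that lists which external names a given zone will make unreachable through the forwarder.

```python
"""Simplified model of name resolution through a DNS forwarder in an Azure
VNet when a privatelink.blob.core.windows.net Private DNS zone is linked to
that VNet.  Added illustration for this thread; not code from the question's
Terraform repo or from Microsoft.  All zone data and IPs are constructed."""

PRIVATELINK_ZONE = "privatelink.blob.core.windows.net"

# Constructed public DNS view.  Once a storage account has a private endpoint,
# Azure publishes its name as a CNAME to the privatelink name, which in public
# DNS still resolves to the account's public IP.
PUBLIC_DNS = {
    "secnetwork1.blob.core.windows.net":
        ("CNAME", "secnetwork1.privatelink.blob.core.windows.net"),
    "secnetwork1.privatelink.blob.core.windows.net": ("A", "20.60.1.1"),
    "someothercompanies.blob.core.windows.net":
        ("CNAME", "someothercompanies.privatelink.blob.core.windows.net"),
    "someothercompanies.privatelink.blob.core.windows.net": ("A", "20.60.2.2"),
}

# Constructed content of the Private DNS zone linked to our VNet: it holds only
# the A record for our own private endpoint.
PRIVATE_ZONE = {
    "secnetwork1.privatelink.blob.core.windows.net": "10.1.0.4",
}


class NXDOMAIN(Exception):
    """Raised when the resolver has no answer for a name."""


def resolve(name, private_zone_linked=True, _chain=None):
    """Return (ip, chain) for `name`, following CNAMEs the way the Azure
    resolver behind the forwarder does.

    Behaviour modelled: a Private DNS zone linked to the VNet is answered
    authoritatively.  Any name under that zone is looked up in the zone only;
    if the zone has no record, the answer is NXDOMAIN with no fallback to
    public DNS."""
    chain = list(_chain or [])
    name = name.rstrip(".").lower()
    chain.append(name)
    if len(chain) > 8:
        raise RuntimeError("CNAME chain too long: %s" % chain)

    if private_zone_linked and name.endswith("." + PRIVATELINK_ZONE):
        if name in PRIVATE_ZONE:
            return PRIVATE_ZONE[name], chain
        raise NXDOMAIN(name)

    record = PUBLIC_DNS.get(name)
    if record is None:
        raise NXDOMAIN(name)
    rtype, value = record
    if rtype == "A":
        return value, chain
    return resolve(value, private_zone_linked, chain)


def classify(name, private_zone_linked=True):
    """Summarise what an on-prem client would experience for `name`."""
    try:
        ip, _ = resolve(name, private_zone_linked)
    except NXDOMAIN:
        return "NXDOMAIN"
    return "private" if ip.startswith("10.") else "public"


def names_shadowed_by_zone(names):
    """Hypothetical inventory check: names that resolve publicly but become
    NXDOMAIN once the linked zone is consulted, i.e. external accounts the
    forwarder will make unreachable."""
    return sorted(n for n in names
                  if classify(n) == "NXDOMAIN"
                  and classify(n, private_zone_linked=False) == "public")


if __name__ == "__main__":
    for n in ("secnetwork1.blob.core.windows.net",
              "someothercompanies.blob.core.windows.net"):
        print(n, "->", classify(n))
    print("shadowed:", names_shadowed_by_zone(list(PUBLIC_DNS)))
```

Running it reproduces the two outcomes from the question: our own account resolves to the 10.x address, the third party's account returns NXDOMAIN while the zone is linked, and the same name resolves to its public IP when `private_zone_linked=False`. Feeding every external storage account name a workload depends on through `names_shadowed_by_zone` before linking a zone shows which dependencies the zone will break.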