
I have created an Azure Resource Group with a virtual network, a virtual network gateway, a blob storage and a private endpoint for the blob storage. I have configured the storage account to only accept connections from the private endpoint.

In order to access the blob storage, I configured a point-to-site VPN tunnel to the virtual network gateway and connected to it.

The connection to the VPN has been established successfully; however, I'm still not able to connect to the blob storage. I get the following error message:

[screenshot: error message]

I'm trying to do this via the Azure portal in the browser: [screenshot: test blob connection]

It seems like the connection towards the blob storage is still established with my public IP instead of the private IP assigned to my VPN connection:

[screenshot: VPN connection]

I have a vague guess that maybe I need to adapt the DNS or add a NAT rule to make sure that traffic from my local PC is actually routed over the VPN to the private endpoint and not using the public endpoint despite the fact that the tunnel is open... Unfortunately I have no idea how to do that.

I'm quite a noob concerning network-related knowledge so I was not able to perform any further debugging on my own. I think it is a fairly simple task and I'm just missing something obvious.

It would be great if someone could point me in the right direction.

Thanks!

SimonK

2 Answers


You have two options to make this work.

1 - Use the hosts file and make the Storage Account FQDN resolve to the private endpoint's IP.

2 - Use a custom DNS server deployed in Azure as a DNS forwarder and forward the requests to the Azure Wireserver IP. Refer to: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder

P.S.: The above requires you to add DNS suffixes and custom DNS servers to the Azure VPN Client configuration file.

Kapil Ananth
  • Sorry that I did not answer: I had to solve the issue quickly since there was a deadline. In the end I went with a completely different approach. At some point I will try out your solution but right now I unfortunately have no time to rebuild the architecture – SimonK Aug 02 '23 at 15:03
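The two options above, and the P.S. about the VPN client profile, in code form. This is an added example, not code from the question or either answer: `hosts_entry` builds the hosts-file line for option 1 and refuses an address outside the VNet range, `classify_resolution` performs the check the question's screenshot hints at (does the account name resolve to the public IP or into the VNet), and `vpn_client_dns_config` writes the DNS-server and DNS-suffix settings the P.S. refers to. The account name `examplestorage`, the VNet range `10.1.0.0/16`, the private endpoint address `10.1.2.4`, the forwarder address `10.1.0.4` and the stand-in public address `203.0.113.10` are constructed sample values; the `<clientconfig>` element names follow the Azure VPN Client documentation and should be compared against an exported profile before editing it.

```python
"""Added example (not from the question or either answer): helpers for option 1
(hosts-file override), for checking where the storage FQDN currently resolves,
and for the <clientconfig> fragment the P.S. refers to.
All account names, CIDRs and addresses below are constructed sample values.
"""
import ipaddress
import socket
import xml.etree.ElementTree as ET
from typing import Callable, List

# Constructed sample values (assumptions, not from the page).
SAMPLE_ACCOUNT = "examplestorage"        # storage account name
SAMPLE_VNET_CIDR = "10.1.0.0/16"         # address space of the VNet behind the gateway
SAMPLE_PE_IP = "10.1.2.4"                # private endpoint NIC address inside that VNet
SAMPLE_PUBLIC_IP = "203.0.113.10"        # stands in for the storage account's public address


def blob_fqdn(account: str) -> str:
    """Public blob endpoint name that the portal, SDKs and tools connect to."""
    return f"{account}.blob.core.windows.net"


def is_in_vnet(ip: str, vnet_cidr: str) -> bool:
    """True when ip lies inside the VNet address space, i.e. is only reachable through the tunnel."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(vnet_cidr, strict=False)


def hosts_entry(account: str, private_ip: str, vnet_cidr: str) -> str:
    """Option 1: the hosts-file line that pins the account's public FQDN to the
    private endpoint IP. Refuses an address outside the VNet, which would silently
    keep sending traffic over the public path."""
    if not is_in_vnet(private_ip, vnet_cidr):
        raise ValueError(f"{private_ip} is not inside {vnet_cidr}; not a private endpoint address")
    return f"{private_ip} {blob_fqdn(account)}"


def classify_resolution(fqdn: str, vnet_cidr: str,
                        resolve: Callable[[str], str] = socket.gethostbyname) -> str:
    """Return 'private' if fqdn currently resolves into the VNet, else 'public'.
    With the default resolver this uses the local DNS configuration, so it reports
    what the VPN client machine actually sees; pass a fake resolver for offline tests."""
    return "private" if is_in_vnet(resolve(fqdn), vnet_cidr) else "public"


def vpn_client_dns_config(dns_servers: List[str], suffixes: List[str]) -> str:
    """P.S. of option 2: build the <clientconfig> element for the Azure VPN Client
    profile XML, naming the in-VNet forwarder(s) and the suffixes to send to them.
    Element names follow the Azure VPN Client documentation (assumption: compare
    with an exported profile before editing it)."""
    cfg = ET.Element("clientconfig")
    servers = ET.SubElement(cfg, "dnsservers")
    for s in dns_servers:
        ipaddress.ip_address(s)  # validate before writing it into the profile
        ET.SubElement(servers, "dnsserver").text = s
    sfx = ET.SubElement(cfg, "dnssuffixes")
    for s in suffixes:
        # The documented suffix form carries a leading dot.
        ET.SubElement(sfx, "dnssuffix").text = s if s.startswith(".") else "." + s
    return ET.tostring(cfg, encoding="unicode")


if __name__ == "__main__":
    name = blob_fqdn(SAMPLE_ACCOUNT)
    # Before the fix: the name resolves to the public address even with the tunnel up.
    print(name, "->", classify_resolution(name, SAMPLE_VNET_CIDR, resolve=lambda _: SAMPLE_PUBLIC_IP))
    # Option 1: line to append to the hosts file on the VPN client machine.
    print("hosts:", hosts_entry(SAMPLE_ACCOUNT, SAMPLE_PE_IP, SAMPLE_VNET_CIDR))
    # After the fix the same check should report 'private'.
    print(name, "->", classify_resolution(name, SAMPLE_VNET_CIDR, resolve=lambda _: SAMPLE_PE_IP))
    # Option 2: DNS settings for the VPN client profile (forwarder 10.1.0.4 is a sample value).
    print(vpn_client_dns_config(["10.1.0.4"], ["blob.core.windows.net"]))
```

Run `classify_resolution(blob_fqdn("<your account>"), "<your VNet CIDR>")` with the default resolver while the tunnel is up: a result of `public` reproduces the situation in the question, and after either option is applied it should flip to `private`.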

I tried to reproduce the same in my environment and got the results successfully, like below:

To resolve this issue, check the below workarounds:

Since the private endpoint blocks public access for this storage account, the only way to access it is from within the network: create a virtual machine in the same network and deploy Azure Bastion, like below:

Created a storage account with a private endpoint like below:


Once I connected with Bastion in the browser and logged in to the Azure portal -> storage account, I was able to connect to the blob private endpoint successfully, like below:

To check the private endpoint's DNS name, use the nslookup command, like below:

Imran
  • Hi, thanks a lot for the help. Unfortunately, the idea was to use a point-to-site VPN in order to not be required to use a virtual machine to access the resources in the VNET. I thought by connecting via the tunnel, my local PC would get an internal IP address of the VNET and therefore would be able to communicate with the private endpoint of the blob storage. – SimonK Apr 06 '23 at 05:40
  • Maybe one needs to add a NAT rule or adapt the DNS to make sure that the private endpoint is used from my local PC instead of the public endpoint? – SimonK Apr 06 '23 at 06:15
  • Check the DNS settings on your computer to make sure they are configured to use a DNS server, and then try connecting to your storage account using a private IP address rather than a DNS name. Confirm that the traffic to the storage account is being routed over the VPN by looking at the routing tables on your computer. Make sure that the firewall rule for the storage account is configured to allow traffic from the VPN network. – Imran Apr 17 '23 at 08:29