Securing your resources with Private Endpoints and setting up DNS resolution, both within Azure and on-prem, are important components of a secure environment whose resources can still be reached across your hybrid estate.
Today we will look at setting up a private endpoint on a storage account in Azure and configuring DNS resolution for it using a Private DNS Zone, so that the name resolves to the private endpoint both within Azure and from our on-prem networks.
Explanation of Features and Their Usage
Private Endpoint
A Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. It uses a private IP address from your VNet, effectively bringing the service into your VNet. Here are some key points about Private Endpoints:
- Secure Connectivity: Private Endpoints provide secure connectivity to Azure services by extending the VNet’s private address space.
- Isolation: They ensure that traffic between your VNet and the service remains on the Microsoft backbone network, eliminating exposure to the public internet.
- Support for Multiple Services: You can create Private Endpoints for various Azure services, such as Azure Storage, Azure SQL Database, and your own services.
- DNS Integration: Private Endpoints integrate with Azure DNS to provide name resolution for the private IP address of the service.
Private DNS Zone
A Private DNS Zone is a DNS zone that provides a DNS service for the private endpoint. It allows you to resolve the private IP address of the service. Here are some key aspects of Private DNS Zones:
- Custom Domain Names: You can use your own custom domain names rather than the Azure-provided names.
- Name Resolution Scope: The records contained in a Private DNS Zone are not resolvable from the internet. DNS resolution works only from virtual networks that are linked to the zone.
- Automatic Registration: You can enable autoregistration to automatically manage the lifecycle of the DNS records for the virtual machines deployed in a virtual network.
- Centralized Management: Private DNS Zones provide a centralized way to manage DNS records for your private endpoints.
DNS Resolution
DNS Resolution is the process of translating a domain name (e.g., mystorageaccount.blob.core.windows.net) into an IP address; in the setup described here, that is the private IP address of the private endpoint. In the context of Azure, DNS Resolution works as follows:
- Azure-provided DNS: By default, Azure provides internal name resolution for VMs and role instances that reside within the same virtual network or cloud service.
- Custom DNS Servers: You can configure your own DNS servers to handle name resolution. These servers can forward queries to the Azure-provided DNS servers or an Azure DNS Private Resolver.
- Private DNS Zones: When using Private DNS Zones, Azure manages the DNS records, and you can use custom domain names for your services.
- Azure DNS Private Resolver: This service enables you to query Azure DNS private zones from an on-premises environment and vice versa without deploying VM-based DNS servers.
Step-by-Step Guide to Setting Up a Private Endpoint and DNS Resolution in Azure
Step 1: Create a Storage Account
First, create a storage account in Azure. This will be the resource for which you want to set up a private endpoint.
Step 2: Disable Public Network Access
For enhanced security, disable public network access on the storage account. This ensures that the storage account can only be accessed via the private endpoint.
Step 3: Set Up a Private Endpoint
Create a private endpoint for the storage account. This will create a network interface in your virtual network, which is assigned a private IP address from your virtual network’s address space.
Step 4: Configure Private DNS Zone
Create a Private DNS Zone, for example, privatelink.blob.core.windows.net. This zone will contain the DNS records for the private endpoint.
Step 5: Link the Private DNS Zone to the Virtual Network
Link the Private DNS Zone to the virtual network where your private endpoint is created. This allows resources in the virtual network to resolve the private endpoint’s DNS name to its private IP address.
Step 6: Create DNS Records
Azure will automatically create the necessary DNS records in the Private DNS Zone. These records map the storage account’s private endpoint to its private IP address.
Step 7: Set Up a Virtual Machine for Testing
Create a virtual machine in the same virtual network. This VM will be used to test the DNS resolution and connectivity to the storage account via the private endpoint.
Step 8: Test DNS Resolution from the Virtual Machine
From the virtual machine, use nslookup or a similar tool to test the DNS resolution of the storage account’s name. It should resolve to the private IP address of the private endpoint.
Step-by-Step Guide to Setting Up DNS Resolution from On-Prem
Assuming you have already set up the storage account and private endpoint from the previous guide, you will need to configure the following to allow DNS resolution from on-prem.
Explanation of Features and Their Usage
VPN Connection
A VPN Connection in Azure is a secure way to connect your on-premises network to your Azure virtual network. It’s typically used in hybrid cloud scenarios where you need to extend your on-premises network into Azure. Here’s a brief overview of the steps involved in setting up a site-to-site VPN connection:
- Create a Virtual Network: This is the network in Azure that you want to connect to.
- Create a VPN Gateway: This is the Azure resource that will manage the VPN connection.
- Create a Local Network Gateway: This represents your on-premises network and its VPN device.
- Create the VPN Connection: This establishes the connection between the VPN Gateway and the Local Network Gateway.
- Verify the Connection: Ensure that the connection is established and traffic can flow between the networks.
The VPN connection uses industry-standard protocols like IPsec and IKE to ensure the security and integrity of the data being transmitted over the connection.
Private DNS Resolver
The Azure DNS Private Resolver is a service that provides DNS resolution for private endpoints. It’s particularly useful in scenarios where you have resources in Azure that need to resolve DNS names to private IP addresses. Here’s how it works:
- Inbound Endpoints: These endpoints receive DNS queries from on-premises or other private locations.
- Outbound Endpoints: These endpoints can forward DNS queries to on-premises, other cloud providers, or external DNS servers based on a ruleset.
- DNS Forwarding Ruleset: This is a set of rules that define how DNS queries should be forwarded.
The Private DNS Resolver allows you to query Azure DNS private zones from an on-premises environment and vice versa without deploying VM-based DNS servers. It’s a fully managed service, which means you don’t have to worry about maintenance or high availability.
Conditional Forwarder
A Conditional Forwarder is a configuration on a DNS server that forwards DNS queries for a specific domain to a designated DNS server. In the context of Azure, you can configure your on-premises DNS server to forward queries for Azure private DNS zones to the Azure DNS Private Resolver. This is useful for hybrid DNS resolution scenarios. Here’s how you might set it up:
- Domain Name: The domain for which queries should be forwarded (e.g., privatelink.blob.core.windows.net).
- Forwarder IP Address: The IP address of the DNS server to which queries should be forwarded. This would be the IP address of the inbound endpoint of the Azure DNS Private Resolver.
By using a conditional forwarder, you can ensure that DNS queries for Azure resources are resolved correctly, even from on-premises environments.
Step 1: Establish a VPN Connection
Set up a VPN connection between your on-premises network and your Azure virtual network. This will allow secure communication between the two environments.
Step 2: Set Up a Private DNS Resolver
Deploy an Azure Private DNS Resolver in your virtual network. The resolver will have an inbound endpoint for DNS queries from on-premises and an optional outbound endpoint for DNS queries to on-premises.
Step 3: Configure Conditional Forwarders on the On-Premises DNS Server
On your on-premises DNS server, configure a conditional forwarder for the Private DNS Zone. Point the forwarder to the private IP address of the inbound endpoint of the Azure Private DNS Resolver.
Step 4: Test DNS Resolution from On-Premises
From an on-premises machine, use nslookup or a similar tool to test the DNS resolution of the storage account’s name. It should resolve to the private IP address of the private endpoint.
Step 5: Verify Connectivity
Verify that you can connect to the storage account from an on-premises machine. The connection should be established via the private endpoint.
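The nslookup test in Step 8 of the first guide and Step 4 above both come down to the same question: does the storage account name resolve, via the privatelink zone, to an address inside the private endpoint's subnet rather than to the public service? The script below is an added example (not part of the original article or of any Azure tooling) that encodes that check. The answer tables GOOD and BAD, the name mystorageaccount, the subnet 10.0.1.0/24 and the public-cluster hostname are constructed for illustration; `system_lookup` runs a live query through the OS resolver.

```python
import ipaddress
import socket
PRIVATELINK_SUFFIX = ".privatelink.blob.core.windows.net"

def follow_chain(lookup, name, max_hops=5):
    """Follow CNAMEs until A records appear. lookup(name) -> {"cname": str|None, "a": [str]}."""
    chain = [name]
    for _ in range(max_hops):
        ans = lookup(chain[-1]) or {}
        if ans.get("a"):
            return chain, list(ans["a"])
        if not ans.get("cname"):
            break
        chain.append(ans["cname"])
    return chain, []

def verify_private_resolution(fqdn, lookup, pe_subnet, require_alias=True):
    """Return (ok, reason): ok only if the name is aliased into the privatelink zone (unless require_alias is False) and every address lies inside pe_subnet."""
    subnet = ipaddress.ip_network(pe_subnet)
    chain, addrs = follow_chain(lookup, fqdn)
    if not addrs:
        return False, "no address returned; chain: " + " -> ".join(chain)
    if require_alias and not any(n.endswith(PRIVATELINK_SUFFIX) for n in chain[1:]):
        return False, "no privatelink CNAME seen; zone link or conditional forwarder missing"
    outside = [a for a in addrs if ipaddress.ip_address(a) not in subnet]
    if outside:
        return False, f"resolved outside {pe_subnet}: {outside} (public path, not the private endpoint)"
    return True, " -> ".join(chain + [",".join(addrs)])

def system_lookup(name):
    """Live lookup through the OS resolver (IPv4). It hides the CNAME chain, so pair it with require_alias=False."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return {"cname": None, "a": []}
    return {"cname": None, "a": sorted({i[4][0] for i in infos})}

# Constructed answer tables (not real DNS data): GOOD has the zone linked; BAD does not, so the privatelink name falls through to the public path.
GOOD = {
    "mystorageaccount.blob.core.windows.net": {"cname": "mystorageaccount.privatelink.blob.core.windows.net", "a": []},
    "mystorageaccount.privatelink.blob.core.windows.net": {"cname": None, "a": ["10.0.1.5"]},
}
BAD = dict(GOOD)
BAD["mystorageaccount.privatelink.blob.core.windows.net"] = {"cname": "public-cluster.example.store.core.windows.net", "a": []}
BAD["public-cluster.example.store.core.windows.net"] = {"cname": None, "a": ["203.0.113.10"]}

if __name__ == "__main__":
    for label, table in (("good", GOOD), ("bad", BAD)):
        print(label, verify_private_resolution("mystorageaccount.blob.core.windows.net", table.get, "10.0.1.0/24"))
```

Run it from the test VM in Azure and from an on-prem host behind the conditional forwarder; the BAD outcome is what you see when the zone is not linked or the forwarder is missing, and with public network access disabled that path fails to connect.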
By following these steps, you can ensure that DNS resolution for your storage account is handled securely and efficiently, with all traffic remaining within the Azure network and your on-premises network. This setup provides a secure and reliable way to access your storage account from on-premises.
By following these steps, you can set up a private endpoint for a storage account in Azure and configure DNS resolution for it using Private DNS Zones. This setup ensures that all traffic to the storage account remains within the Azure network, providing a secure and efficient way to access your storage account.
Below you will find the video that this article is based on, which gives a further guide and demo of this setup. You can watch it on our YouTube channel.