Hi,
I have an Azure files setup and it’s set to be private so it will deny logins to anyone attempting to sign in outside of the network - great. I now need to be able to access the storage via the VPN connection. At the moment every time I attempt to connect I get an access denied message.
Is what I want to do possible? If so, how please?
Probably DNS. Check the IP of your storage account while on the VPN: if it's the public IP, it's DNS; if it's the private IP, it's something else.
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#dns-configuration-scenarios
To reach a private endpoint from on-prem you need a DNS forwarder in Azure and a conditional forwarder in the local DNS, or you just hardwire the FQDN of the Azure service to the private IP of the PEP in the hosts file or your local DNS.
Chiming in here in case anybody finds this…
Had a similar issue using the Azure (OpenVPN) P2S VPN with Microsoft Entra Kerberos for identity-based authentication where I have an Azure VM running old school AD, syncing hybrid identities to Entra ID.
I ended up modifying my Azure OpenVPN .xml file (downloaded from the P2S connections, imported it to make sure it worked, exported it, and edited it as follows):
<includeroutes>
  <route>
    <destination>168.63.129.16</destination>
    <mask>32</mask>
  </route>
</includeroutes>
<dnsservers>
  <dnsserver>168.63.129.16</dnsserver>
</dnsservers>
<dnssuffixes>
  <dnssuffix>.core.windows.net</dnssuffix>
</dnssuffixes>
</clientconfig>
This adds a route so that this fancy Microsoft jack-of-all-trades public IP (168.63.129.16) gets routed over the vnet, so that the split DNS works (thanks to the dnssuffixes entries) and the .privatelink.file.core.windows.net name now resolves to the actual private endpoint private IP address (in my case, 10.0.0.4).
Performing an nslookup on the storage account returns a public IP when connected to the VPN.
I can't see where in DNS it would be. I've checked the private DNS config in Azure and the only reference to the storage account is an A record with the internal IP address.
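An added diagnostic, written for this thread and not posted by anyone in it: it takes what nslookup returns for the storage account FQDN from the VPN client and classifies the answer the way the replies above describe (public IP means the client is not using the private DNS zone; private IP means DNS is fine and the problem is elsewhere). The storage account name, the private endpoint IP 10.0.0.4 and the sample answers in the usage section are constructed; 168.63.129.16 is the Azure resolver mentioned in the thread. The resolve() helper uses the client's configured system resolver, so run it while connected to the VPN.

```python
"""Classify how a storage account FQDN resolves from a P2S VPN client.

Added example for this thread (not a poster's code). Assumptions are
marked inline; sample addresses in __main__ are constructed.
"""
import ipaddress
import socket
from typing import Iterable, List, Optional

AZURE_DNS = "168.63.129.16"          # Azure-provided resolver named in the thread
STORAGE_SERVICES = ("blob", "file", "queue", "table", "dfs", "web")


def privatelink_name(fqdn: str) -> str:
    """Return the privatelink alias the public name should CNAME to.

    mystorage.file.core.windows.net -> mystorage.privatelink.file.core.windows.net
    """
    labels = fqdn.rstrip(".").lower().split(".")
    if (len(labels) != 5 or labels[2:] != ["core", "windows", "net"]
            or labels[1] not in STORAGE_SERVICES):
        raise ValueError(f"not a storage endpoint FQDN: {fqdn}")
    return ".".join([labels[0], "privatelink", labels[1], *labels[2:]])


def resolve(fqdn: str) -> List[str]:
    """IPv4 answers from the system resolver (whatever the VPN client pushed)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(addresses: Iterable[str]) -> str:
    """'private' if every answer is RFC1918-style, 'public' if none is,
    'mixed' if both appear, 'unresolved' if there were no answers."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if not addrs:
        return "unresolved"
    private = [a.is_private for a in addrs]
    if all(private):
        return "private"
    if not any(private):
        return "public"
    return "mixed"


def diagnose(fqdn: str, addresses: Iterable[str],
             expected_pep_ip: Optional[str] = None) -> str:
    """Map the resolution result to the next check suggested in the thread."""
    kind = classify(addresses)
    alias = privatelink_name(fqdn)
    if kind == "unresolved":
        return (f"NXDOMAIN: {fqdn} did not resolve; the client is not reaching "
                f"any DNS server for this name")
    if kind == "public":
        return (f"PUBLIC: {fqdn} resolves to a public IP, so the client's DNS "
                f"never consulted the private zone for {alias}. Point the client "
                f"at {AZURE_DNS} (or a forwarder that uses it) for core.windows.net")
    if kind == "mixed":
        return (f"MIXED: {fqdn} returned both public and private answers; "
                f"two resolvers disagree (check DNS suffix / conditional forwarder)")
    if expected_pep_ip and expected_pep_ip not in addresses:
        return (f"STALE: {fqdn} resolves privately but not to the private "
                f"endpoint {expected_pep_ip}; check the A record for {alias}")
    return (f"OK: {fqdn} resolves to the private endpoint; DNS is fine, "
            f"so an access-denied error is not a DNS problem")


if __name__ == "__main__":
    account = "mystorage.file.core.windows.net"   # constructed example name
    # Constructed answers standing in for nslookup output from the VPN client:
    print(diagnose(account, ["20.60.1.1"]))               # public IP case
    print(diagnose(account, ["10.0.0.4"], "10.0.0.4"))    # private endpoint case
    # Live check against the system resolver while on the VPN:
    print(diagnose(account, resolve(account), "10.0.0.4"))
```

The last line of the usage section does a real lookup; everything before it runs offline. A PUBLIC verdict matches what the original poster saw and means the VPN client's DNS settings, not the storage firewall, are the first thing to fix.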
This. In a nutshell.
The issue sounds like you need DNS set up to resolve the private endpoint addresses and the private DNS zone that was set up with the associated records.
We don't have any on-prem (fully cloud) and have a VM with the DNS role installed (someone set that up before my time). Our P2S VPN client points to this DNS server to resolve lookup zones we set up relating to the private DNS zones. The DNS server essentially acts as a forwarder to the endpoints. Works nicely.
I more so meant ping to see what your client is getting back.
What DNS server are you using on your client?
168.63.129.16 is the DNS server you should be using.
https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16
The Test-Connection to 168.63.129.16 on port 80 fails, so that's something I need to investigate.
Not sure why you are testing 80; 53 is DNS.
Brain fart moment, I started work some 14 hours ago!