Hi Team,
I have set up a point-to-site VPN connection from my laptop to a VNet using an Azure Virtual Network Gateway. The VPN connection works fine and I am able to access the VMs present in the VNet using their private IPs.
I have also created a Key Vault with private link support so that I can access the key vault from my laptop using VPN. From the VNet VM, the Key Vault DNS record (.vault.azure.net) is correctly resolving to internal IP address.
But from my laptop the DNS name “.vault.azure.net” is not resolving to the private IP. It is able to get the private DNS zone CNAME record, i.e. “.privatelink.vaultcore.azure.net”, but it is not resolving to the private IP of the endpoint.
Seems like it is not able to contact the private DNS zone from the laptop for resolving the CNAME record.
I read that we need to configure a DNS forwarder in the VNet which will forward the DNS queries to the Azure DNS “168.63.129.16” for this to work.
My doubts are,
- Other than configuring the DNS forwarder in a VM, is there any other option available, as VM unavailability causes DNS query issues?
- Whether this issue is present in the Site-to-Site VPN connection also?
- How to configure the DNS forwarder IP in my StrongSwan Network Manager GUI configuration? (I tried adding the DNS server address, but it is not taking the DNS server IP.)
Could you please help me with this.
Point to site VPNs in Azure do not honor private DNS zones from within azure.
In order to properly resolve those records; DNS must be controlled manually (Windows DNS server role, BIND, etc.) by setting the vNet’s DNS from automatic to the IP of your DNS solution.
This will then be inherited for your incoming VPN connections.
(Be sure to set the forwarders to Azure’s DNS on your DNS server so that if it’s unable to resolve your manual overrides, it will resolve all other resources fine.)
It does work. I connect to Azure using P2S VPN with AAD authentication.
1-You could set up Azure Firewall (or any VM that can act as a DNS server) to act as the DNS proxy to the Azure DNS address 168.63.129.16.
2-Link all of your Azure Private DNS zones to the Azure Firewall VNET.
3-Now configure your VPN clients with the Azure Firewall IP address as their DNS server as per this: Configure Azure VPN Client - Microsoft Entra ID authentication - Microsoft-registered App ID - Windows - Azure VPN Gateway | Microsoft Learn
4-Then they will be querying DNS servers that know about the privatelink zones.
To be able to access a private endpoint by its DNS name you’ll need to use a DNS forwarder for resolving from a non-Azure environment. I wrote about such a scenario - https://github.com/groovy-sky/azure/tree/master/paas-vnet-02#integrate-platform-as-a-services-with-virtual-networks-part-3
I’ll add to this - for this to work for me (we use Azure AD DS for the DNS servers) I had to implement a forwarder on my DNS server.
Hi u/PlowNetworks,
Thanks for the reply.
I have also configured a site-to-site VPN using an Azure VNet Gateway and StrongSwan (AWS EC2 side). But in this case also the private DNS zone name resolution is not happening from the AWS side.
So by default, for both P2S and S2S, the private DNS zone resolution will not work? Or is it because of some configuration?
Could you please update?
Hi u/r_stra,
I am using IKEv2 and the StrongSwan Network Manager GUI interface on Ubuntu for the VPN connection. I have added the DNS forwarder IP as the DNS server in the VPN configuration, but it is not setting the DNS server. The DNS server is still showing as my local DNS only (systemd-resolve --status).
If I manually try to resolve the private link DNS name using the DNS forwarder IP from my laptop (dig @<dns_fwdr_ip> <pvt_link_dns_record> +short), it correctly resolves to the internal IP.
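The situation in this post (the in-VNet forwarder answers with the private IP, but the laptop's own resolver only gets as far as the privatelink CNAME) is easy to misread from raw dig output. The script below is an added example, not from anyone in this thread: it parses the answer section of `dig +noall +answer <name>` captured from two resolvers, follows the CNAME chain, and classifies the outcome as private A record, public A record, or CNAME with no target. The three dig answers embedded in it are constructed samples; `mykv` and the 10.1.2.4 / 20.50.60.70 addresses are placeholders, not real records.

```python
"""Diagnose a Private Link DNS chain from captured `dig` answer sections.

Added example, not from the thread. Given the text of
`dig +noall +answer <name>` from the client's resolver and from the
in-VNet forwarder, it follows the CNAME chain and tells whether the
client is actually using the forwarder (the failure mode in the thread:
the forwarder returns the private IP, the client's resolver does not).
"""
import ipaddress
import re

# Constructed sample: what the laptop's local resolver returned. Only the
# CNAME into the privatelink zone comes back, with no A record behind it.
LOCAL_RESOLVER_ANSWER = """\
mykv.vault.azure.net.   60  IN  CNAME  mykv.privatelink.vaultcore.azure.net.
"""

# Constructed sample: what the in-VNet DNS forwarder returned (full chain
# ending in the private endpoint's address, placeholder 10.1.2.4).
FORWARDER_ANSWER = """\
mykv.vault.azure.net.                    60  IN  CNAME  mykv.privatelink.vaultcore.azure.net.
mykv.privatelink.vaultcore.azure.net.    10  IN  A      10.1.2.4
"""

# Constructed sample: public resolution, i.e. the privatelink CNAME is
# followed to a public address (placeholder 20.50.60.70).
PUBLIC_ANSWER = """\
mykv.vault.azure.net.                    60  IN  CNAME  mykv.privatelink.vaultcore.azure.net.
mykv.privatelink.vaultcore.azure.net.    60  IN  CNAME  public-target.vaultcore.azure.net.
public-target.vaultcore.azure.net.       10  IN  A      20.50.60.70
"""

# One dig answer line: owner  ttl  IN  type  rdata (only A and CNAME matter here)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|CNAME)\s+(\S+)$")


def parse_answers(text):
    """Return {owner_name: (rtype, rdata)} for the A/CNAME lines in a dig answer."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            continue  # AAAA, SOA, etc. are irrelevant to this diagnostic
        owner, rtype, rdata = m.groups()
        if rtype == "CNAME":
            rdata = rdata.lower()
        records[owner.lower()] = (rtype, rdata)
    return records


def classify(query_name, answer_text, max_hops=8):
    """Follow the CNAME chain for query_name and classify where it ends.

    Returns (status, chain) where status is one of:
    'private', 'public', 'no-answer', 'cname-without-target', 'cname-loop'.
    """
    records = parse_answers(answer_text)
    name = query_name.lower().rstrip(".") + "."
    chain = [name]
    for _ in range(max_hops):
        rec = records.get(name)
        if rec is None:
            status = "no-answer" if len(chain) == 1 else "cname-without-target"
            return status, chain
        rtype, rdata = rec
        if rtype == "A":
            addr = ipaddress.ip_address(rdata)
            return ("private" if addr.is_private else "public"), chain + [rdata]
        name = rdata
        chain.append(name)
    return "cname-loop", chain


def diagnose(query_name, local_answer, forwarder_answer):
    """Compare the client's resolver against the forwarder and name the problem."""
    local_status, _ = classify(query_name, local_answer)
    fwd_status, _ = classify(query_name, forwarder_answer)
    if local_status == "private":
        return "ok: client resolves the private endpoint"
    if fwd_status == "private":
        return ("client not using forwarder: forwarder returns the private IP "
                f"but the client resolver ends with '{local_status}'")
    return f"forwarder misconfigured: it does not return a private IP ('{fwd_status}')"


if __name__ == "__main__":
    name = "mykv.vault.azure.net"
    for label, text in (("local", LOCAL_RESOLVER_ANSWER),
                        ("forwarder", FORWARDER_ANSWER),
                        ("public", PUBLIC_ANSWER)):
        status, chain = classify(name, text)
        print(f"{label:>9}: {status}  {' -> '.join(chain)}")
    print(diagnose(name, LOCAL_RESOLVER_ANSWER, FORWARDER_ANSWER))
```

Capture the real inputs with `dig +noall +answer <name>` (client resolver) and `dig @<dns_fwdr_ip> +noall +answer <name>` (forwarder) and pass the two outputs to `diagnose`. A `cname-without-target` result on the client side with `private` on the forwarder side is exactly the "VPN client is still using its local DNS" case, so the fix is on the client's DNS settings, not on the forwarder.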
Hi u/groovy-sky,
Thanks for the doc link. I have read the doc and it has all the required details.