Navigating the Azure Cloud: Key Considerations for Harnessing DNS with Azure Private Endpoints

One powerful tool that Azure offers to enhance security and privacy is the Azure Private Endpoint DNS. This innovative feature allows organizations to establish a private and secure connection to their Azure services, minimizing exposure to potential threats and breaches. This blog will highlight some considerations to be aware of when utilizing it.

What are Azure Private Endpoints?

Azure Private Endpoints are a feature provided by Microsoft Azure that enables you to securely access Azure services (such as Azure Storage, Azure SQL Database, Azure Cosmos DB, and more) over a private network connection. With Azure Private Endpoints, you can connect to these services without exposing them to the public internet, enhancing security, privacy, and compliance.

Learn more at What is a private endpoint?

What are Azure Service Endpoints?

An Azure Service Endpoint are a feature in Microsoft Azure that allows you to extend your virtual network’s private address space to specific Azure services without exposing the services to the public internet. This provides a more secure and controlled way to access Azure services over a private network connection rather than using a public endpoint.

The benefit of an Azure Service endpoint is that it uses an optimized route over the Azure backbone network. Unfortunately this still means that the endpoint is accessible with a public DNS entry.

Learn more at Virtual Network Service Endpoint Overview

Azure Private Endpoint DNS

When using Azure Private Endpoints you are provided a private IP address for your service which allows you to access it over a private connection. Once this is done, you want to make sure you use DNS to connect to it in case the IP needs to change.

When creating DNS you have three options

1. Use a host file (Not Recommended)
2. Use a private DNS zone
3. Use your DNS forwarder

Learn more at Azure Private Endpoint DNS Configuration

DNS Zone Considerations

Option 2 above is the most ideal setup. However, you need to be aware of the appropriate DNS zone to use. I was recently working with a customer using Azure Keyvault and they used private endpoints. Their DNS was setup to use a private zone. However instead of it being configured with the private zone DNS name, the public DNS zones were being used. This meant that when a solution uses a non-private endpoint the services were not able to resolved.

To correct this the DNS zones should be corrected to account for this. There were two options:

1. Rely on DNS forwarders to use the vault.azure.net or vaultcore.azure.net
2. Reconfigure the private DNS zone to use the correct FQDN of privatelink.vaultcore.azure.net

Once this was remediated, both private and public DNS entries for keyvault were able to be appropriately resolved.

Conclusion

It is very important to understand the differences of service endpoints and private endpoints. It is also best to understand when using these services how does DNS and the appropriate network services interact.

I hope this blog helped you learn something new and look forward to the next one!

See Also

• Using Bicep to Deploy a Microsoft SQL on Azure VM with Cloud Block Store Volumes
• Using Bicep to Deploy an Azure Virtual Machine
• Understanding Block Storage in Microsoft Azure
• Pure Cloud Block Store on Azure - Quick Launch
• Using the Pure Storage Cloud Block Store Terraform Provider for Azure