2

Right now I'm creating some private endpoints for a number of Azure Storage services. There are two storage accounts, for the first I create a blob endpoint and a queue endpoint. For the second account I create a blob endpoint and a dfs endpoint.

When I try connecting to the endpoints from a machine outside of the VNET using the regular connection strings (that now point to the privatelink resources), I seem to not be able to reach the resource as expected. Trying to connect to it from a VM and an AKS cluster within the same VNET as the private endpoints, I am able to connect.

If these are basically my only use cases, and I'm ok using the default names to connect to the private endpoint resources, is it OK to not create a private DNS zone?

It is a bit unclear to me from the documentation whether this is a necessity.

Tim
  • 147
  • 8

1 Answer

4

By using private link you create an endpoint into your vnet/subnet. The private DNS is linked to your vnet and allows you to direct the traffic to that private endpoint (e.g. 10.1.0.4) by using the storage domain.

It's not necessary to have that private DNS. But that means you'll need to connect directly to the private IP address of that endpoint. While that is technically possible, you'll likely run into some issues such as the server not knowing which domain is requested without a host header and issues with the SSL certificate.

I would therefore recommend always using the private DNS.

NotFound
  • 5,005
  • 2
  • 13
  • 33
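A quick way to verify the point made in the answer is to check, from the client machine, whether each storage hostname actually resolves into the VNet's private address space; if it still resolves to a public address, the private DNS zone for that service is missing or not linked. The following is an added example, not code from the question or answer; the account name and the resolver answers are constructed so it runs offline, while the `privatelink.*.core.windows.net` zone names are the real Azure private DNS zone names for blob, queue and dfs.

```python
"""Check whether Azure Storage hostnames resolve to a private endpoint (added example)."""
import ipaddress
import socket

# Real Azure private DNS zone names for the services in the question.
PRIVATELINK_ZONES = {
    "blob": "privatelink.blob.core.windows.net",
    "queue": "privatelink.queue.core.windows.net",
    "dfs": "privatelink.dfs.core.windows.net",
}

# RFC 1918 ranges, which is where a VNet private endpoint IP (e.g. 10.1.0.4) lives.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def required_zone(hostname: str) -> str:
    """Return the private DNS zone that must be linked for <account>.<svc>.core.windows.net."""
    service = hostname.split(".")[1]
    return PRIVATELINK_ZONES[service]


def resolves_to_private_ip(hostname: str, resolve=socket.gethostbyname) -> bool:
    """True only if the name resolves to an RFC 1918 address, i.e. into the VNet.

    With the zone linked, the name CNAMEs to the privatelink record and returns the
    private IP. Without it (or from outside the VNet) the public IP comes back.
    """
    try:
        ip = ipaddress.ip_address(resolve(hostname))
    except (socket.gaierror, ValueError):
        return False
    return any(ip in net for net in RFC1918)


def check_account(account: str, services, resolve=socket.gethostbyname) -> dict:
    """Map each endpoint hostname of the account to whether it resolves privately."""
    hosts = [f"{account}.{svc}.core.windows.net" for svc in services]
    return {h: resolves_to_private_ip(h, resolve) for h in hosts}


# Constructed DNS answers: blob zone linked (private IP), dfs zone missing (public IP).
_CONSTRUCTED_ANSWERS = {
    "examplestg2.blob.core.windows.net": "10.1.0.4",
    "examplestg2.dfs.core.windows.net": "20.60.1.1",  # constructed public address
}


def constructed_resolver(hostname: str) -> str:
    """Stand-in for socket.gethostbyname so the check runs offline."""
    if hostname not in _CONSTRUCTED_ANSWERS:
        raise socket.gaierror(hostname)
    return _CONSTRUCTED_ANSWERS[hostname]


if __name__ == "__main__":
    for host, ok in check_account("examplestg2", ["blob", "dfs"], constructed_resolver).items():
        print(f"{host}: {'private endpoint' if ok else 'PUBLIC, link ' + required_zone(host)}")
```

Run it on a VM inside the VNet with the default resolver (drop the constructed one) to confirm every hostname in your connection strings lands on a private IP.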