Hey everyone, I'm trying to sort out an issue with our Azure storage account. We have a blob Private Endpoint and have set up a Private DNS Zone for blob.core.windows.net, along with an on-prem DNS Forwarder that links to our Azure Private DNS Resolver. However, when I run a traceroute from our on-prem setup to the storage account's FQDN, it correctly follows the Private Peering of our ExpressRoute. But when I try to access the storage account through the Azure portal, it's still using the Microsoft Peering instead of the Private Endpoint. This requires us to whitelist our public addresses tied to the Microsoft Peering just to access it via the portal. Our admins want exclusive access through Private Endpoints. Can anyone help me figure out how to resolve this? Is what I'm trying to do feasible? Let me know if you need more details!
2 Answers
First off, try opening your browser's developer tools (hit F12), and use the network monitor to check what’s happening when you ping your storage URLs. They should resolve to internal IPs. Double-check your DNS settings on-prem to make sure they are consistently using the private DNS records.
A heads up: when you access the portal, your computer is making API calls which means your on-prem DNS needs to correctly forward to your private DNS records. If it isn’t set up right, it will default to the public DNS zone accessible globally. You might want to refer to the Azure documentation on private endpoint DNS integration for deeper insights.
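As an added example (not from either answer above), here is a small Python check that does the same thing the answers suggest doing by hand: resolve each storage FQDN through the machine's own resolver, which is the path the browser takes for the portal's API calls, and report whether the answer is a private (RFC 1918) address from the Private Endpoint or a public address. The host list and the addresses in the test table are constructed placeholders, and `table_resolver` exists only so the logic can be exercised offline; run it from an on-prem workstation with your real account names substituted.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed placeholder; replace with your storage account FQDN(s).
STORAGE_HOSTS = ["<your-account>.blob.core.windows.net"]

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve host through the OS resolver, i.e. the same on-prem DNS path
    the browser uses when the portal issues its API calls."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by a fixed table, for offline testing only."""
    def resolve(host: str) -> List[str]:
        if host not in table:
            raise socket.gaierror(f"no record for {host}")
        return table[host]
    return resolve


def classify(addresses: List[str]) -> str:
    """'private' if every address is in a private range, 'public' if none is,
    'mixed' if the answer contains both, 'unresolved' for an empty answer."""
    if not addresses:
        return "unresolved"
    flags = [ipaddress.ip_address(a).is_private for a in addresses]
    if all(flags):
        return "private"
    if not any(flags):
        return "public"
    return "mixed"


def check_hosts(hosts: List[str], resolver: Resolver = system_resolver) -> Dict[str, Dict[str, object]]:
    """Resolve each host and report whether it lands on the Private Endpoint.
    A 'public' or 'mixed' verdict means on-prem DNS is not returning the
    private zone's record for that name."""
    report: Dict[str, Dict[str, object]] = {}
    for host in hosts:
        try:
            addrs = resolver(host)
        except socket.gaierror:
            addrs = []
        report[host] = {"addresses": addrs, "verdict": classify(addrs)}
    return report


if __name__ == "__main__":
    for host, result in check_hosts(STORAGE_HOSTS).items():
        print(f"{host}: {result['verdict']} {result['addresses']}")
```

A `public` verdict from the workstation while a traceroute goes over Private Peering is exactly the symptom in the question: the traceroute was issued against a name the on-prem forwarder resolved privately, while the browser is getting the public record for the same name from a different resolver path.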
Totally! It’s interesting how you can look at a problem logically, then the solution hits you like a revelation. Makes you rethink everything!