I'm working as a DBA/DevOps for a small company, but we don't have a dedicated network person, which can be challenging. We have around 29 Resource Groups (RGs), and each has its own VNET and virtual network gateway (Gen2). We're using OpenVPN (SSL) with Microsoft Entra ID for authentication. Each RG contains an Azure SQL database, which includes a virtual server. We've set up private endpoints to create private IPs for traffic on the VNET. I expected that connecting to the VPN would mean that .database.windows.net would resolve to the private IPs, but it keeps resolving to a public IP. It seems that my machine is still using my local DNS from my ISP. I would love some guidance on how to route DNS through the VPN to resolve to the private IP properly, as the only workaround I've found is manually adding entries to our hosts files, which is not ideal. I attempted to adjust settings based on suggestions from Claude, including editing the VPN XML file and setting up a private DNS resolver, but nothing has worked so far. Any help would be greatly appreciated!
2 Answers
29 gateways for each resource group seems excessive. That's a lot of expense and complexity to keep track of! Are you sure you need them all separate? It might be worth considering consolidating them if you can manage the customer access properly.
You should create a private DNS zone and attach it to the VNET where your VPN gateway is located. For example, use something like privatelink.yourinstance.database.windows.net. When you create the private link, it should also update the DNS zone accordingly, so check if it’s already set up!
It does exist! It was likely created when I set up the private endpoint. It’s privatelink.database.windows.net, and I see an A record for my server with the right IP address. There’s also a VNET link on the private DNS zone associated with it, which Claude mentioned is necessary. I didn’t create that link manually, so it should have been taken care of during the private endpoint setup.

Each RG is per customer since we want to avoid cross-access. Keeping things isolated has its benefits, even if it is a bit complicated.
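A small diagnostic script for the situation described in the question, added here as an example and not part of the thread or of any Azure tooling. It takes the resolution chain that the answers rely on (`myserver.database.windows.net` -> `myserver.privatelink.database.windows.net` -> A record) and classifies what a given DNS server returns for it: a public resolver (the ISP one the VPN client is still using) hands back the public address, while a resolver inside the VNET that is linked to the `privatelink.database.windows.net` zone hands back the private endpoint IP. The Azure-provided resolver (168.63.129.16) is reachable only from inside the VNET, so a point-to-site client needs a DNS server it can route to (for example the inbound endpoint of an Azure DNS Private Resolver in the gateway VNET) configured as the VNET's custom DNS server or in the client profile; the script's Azure-side function lists exactly those two things. `RG`, `VNET`, `myserver` and `10.0.1.4` are placeholders, and `dig` plus a logged-in Azure CLI are assumed for the two network-facing functions.

```shell
#!/usr/bin/env bash
# Added diagnostic for private-endpoint DNS over a P2S VPN; not from the thread.
# Assumes dig(1) and an authenticated `az` CLI; all resource names are placeholders.
set -u

# Return 0 when an IPv4 address is in an RFC 1918 range (what an Azure private endpoint gets).
is_rfc1918() {
  case "$1" in
    10.*)                                         return 0 ;;
    192.168.*)                                    return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)        return 0 ;;
    *)                                            return 1 ;;
  esac
}

# Classify a `dig +short` answer: one record per line, CNAME targets end in a dot,
# the final A record (if any) is the last line.
# Prints "private", "public" or "none"; exit status 0, 1 or 2 respectively.
classify_answer() {
  local answer="$1" last
  last=$(printf '%s\n' "$answer" | awk 'NF { rec = $1 } END { print rec }')
  if [ -z "$last" ]; then echo none; return 2; fi
  case "$last" in *.) echo none; return 2 ;; esac   # chain ended in a CNAME, no address
  if is_rfc1918 "$last"; then echo private; return 0; fi
  echo public
  return 1
}

# Resolve the logical SQL server name through a chosen DNS server and classify the result.
# Usage: check_resolution myserver.database.windows.net 10.0.1.4
#        check_resolution myserver.database.windows.net        # system resolver (ISP over VPN)
check_resolution() {
  local name="$1" resolver="${2:-}" answer
  if [ -n "$resolver" ]; then
    answer=$(dig +short "$name" "@$resolver")
  else
    answer=$(dig +short "$name")
  fi
  printf '%s via %s -> ' "$name" "${resolver:-system resolver}"
  classify_answer "$answer"
}

# Azure-side state that decides which answer the VPN client gets:
# the gateway VNET must be linked to the privatelink zone, and the VNET must point
# clients at a DNS server they can reach (Azure-provided DNS is not routable over P2S).
show_azure_dns_state() {
  local rg="$1" vnet="$2" zone="privatelink.database.windows.net"
  echo "VNET links on $zone (the gateway VNET must appear here):"
  az network private-dns link vnet list -g "$rg" -z "$zone" \
     --query "[].virtualNetwork.id" -o tsv
  echo "Custom DNS servers on $vnet (empty means Azure-provided DNS, unreachable from P2S clients):"
  az network vnet show -g "$rg" -n "$vnet" --query "dhcpOptions.dnsServers" -o tsv
}
```

Run `check_resolution` twice, once against the system resolver and once against the in-VNET DNS server; the first will report `public` until the client is actually sending its queries through the VPN, and the second should report `private` once the zone link and the VNET link described in the answers are in place. If the second call reports `public`, the zone is missing the VNET link or the resolver is not forwarding into Azure DNS; if it reports `none`, the chain stops at a CNAME, which usually means the `privatelink` zone exists but has no A record for that server.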