Why Can’t My VPN Clients Resolve Azure SQL Private Endpoint to Private IP?

Asked By CuriousCat42 On

Hey everyone, I've set up an Azure SQL Database with a Private Endpoint in my VNet, and it's all working perfectly from the VMs within the same network. But, I'm facing an issue when connecting via our Azure route-based VPN. The clients can't resolve the SQL Database to its private IP; it keeps coming up with the public IP instead. Here's a quick rundown of what I've done:

- Created a SQL Database private endpoint that's integrated with a Private DNS Zone (privatelink.database.windows.net).
- VMs inside the VNet can resolve the private IP and connect just fine.
- VPN clients connect through a route-based Azure VPN (Point-to-Site).
- I tried setting up a DNS forwarder VM inside Azure to direct privatelink.database.windows.net to 168.63.129.16.
- I've flushed my DNS cache, reconnected the VPN, and even rebooted the clients.

The issue remains: my VPN clients still resolve the database URL to the public IP instead of the private one. I'm wondering:
1. Is there a DNS setup step I'm missing for the Azure VPN clients to resolve private endpoints?
2. Do I need to link the private DNS zone to the VPN gateway VNet or just the one with the private endpoint?
3. Are there any specific settings needed for route-based VPNs to handle Private Endpoint DNS resolution?

Any insights, tips, or examples would be greatly appreciated! Thanks!

1 Answer

Answered By TechWizard99 On

It sounds like a DNS issue. You'll need a private DNS resolver set up to create a conditional forwarder for the SQL service's FQDN. Just remember that Azure’s built-in DNS can only be queried from within Azure itself. Make sure the DNS forwarder VM uses Azure DNS as the DNS server! Also, definitely check if you've got a conditional forwarder for the whole database.windows.net zone.

CuriousCat42 -

Thanks for your quick response! I’ll definitely give that a shot!
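A check to run on both a VPN client and a VNet VM and compare, as an added example that is not part of the original thread: it classifies a lookup by whether the answer passes through privatelink.database.windows.net and whether the returned address is RFC 1918. The server name contoso-sql, the addresses and the two sample resolvers are constructed, and treating RFC 1918 as "private" assumes the VNet uses that address space.

```python
import ipaddress
import socket

PRIVATELINK_ZONE = ".privatelink.database.windows.net"
# Assumption: the VNet uses RFC 1918 space; adjust if yours does not.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(names, addresses):
    """names: queried name, canonical name and aliases; addresses: A records."""
    ips = [ipaddress.ip_address(a) for a in addresses]
    if not ips:
        return "no-answer"
    if all(any(ip in net for net in RFC1918) for ip in ips):
        return "private"            # the result expected inside the VNet
    via_privatelink = any(n.lower().rstrip(".").endswith(PRIVATELINK_ZONE) for n in names)
    # Public address behind a privatelink alias: the query was answered by
    # public DNS, so it never reached a resolver that can see the private zone.
    return "public-via-privatelink" if via_privatelink else "public"

def check(fqdn, resolver=socket.gethostbyname_ex):
    """Resolve with the client's configured DNS and classify the answer."""
    try:
        canonical, aliases, addresses = resolver(fqdn)
    except OSError:                 # gaierror/herror: name did not resolve
        return "no-answer", []
    return classify([fqdn, canonical, *aliases], addresses), addresses

# Constructed sample answers (hypothetical server name and addresses).
def sample_vnet_resolver(_fqdn):
    return ("contoso-sql.privatelink.database.windows.net",
            ["contoso-sql.database.windows.net"], ["10.1.0.5"])

def sample_vpn_resolver(_fqdn):
    return ("gateway.example.net",
            ["contoso-sql.database.windows.net",
             "contoso-sql.privatelink.database.windows.net"], ["203.0.113.10"])

if __name__ == "__main__":
    name = "contoso-sql.database.windows.net"
    print("VNet VM sample:   ", check(name, sample_vnet_resolver))
    print("VPN client sample:", check(name, sample_vpn_resolver))
    # On a real client, call check("<your-server>.database.windows.net")
```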
