The VPN is in an Azure Virtual WAN Hub, and I have an on-premises Site-to-Site connection and peered virtual networks in Azure virtual wan hub. Web Apps are configured with a private endpoint in one of the peered virtual networks to Virtual wan hub. Point-to-site vpn is configured with on-premise dns server ip, azure firewall private ip as dns server. Virtual wan - hub is connected to virtual networks in azure and private endpoints are created in one of the subnets of this connected virtual networks. No NSG, Firewall rules to block traffic from subnets and in virtual hub. when i am connected to azure vpn point to site, and ping the web app - resolving to public ip of web app. i have configured private dns zone for privatelink.azurewebsites.net and also added A record in my privatednszone myzone.com i can resolve private endpoint ip address when i am connected via VM in one of the peered virtual networks. Current network: Virtual wan - 1 hub, 2 virtual networks connected to virtual wan hub, SIte-to-site vpn, point-to-site vpn, web apps (enabled with private endpoint - connected to one of the virtual networks subnet), SQL servers (enabled with private endpoint - connected to one of the virtual networks subnet) Private dns zone in azure connected to vnet peered with virtual wan hub.

I am having trouble connecting from an Azure Point-to-Site VPN to an Azure Web App via private endpoint.

kvidhul-3447 20

The VPN is in an Azure Virtual WAN Hub, and I have an on-premises Site-to-Site connection and peered virtual networks in Azure virtual wan hub. Web Apps are configured with a private endpoint in one of the peered virtual networks to Virtual wan hub.

Point-to-site vpn is configured with on-premise dns server ip, azure firewall private ip as dns server.
Virtual wan - hub is connected to virtual networks in azure and private endpoints are created in one of the subnets of this connected virtual networks.
No NSG, Firewall rules to block traffic from subnets and in virtual hub.
when i am connected to azure vpn point to site, and ping the web app - resolving to public ip of web app.
i have configured private dns zone for privatelink.azurewebsites.net and also added A record in my privatednszone myzone.com
i can resolve private endpoint ip address when i am connected via VM in one of the peered virtual networks.

Current network:

Virtual wan - 1 hub, 2 virtual networks connected to virtual wan hub, SIte-to-site vpn, point-to-site vpn,

web apps (enabled with private endpoint - connected to one of the virtual networks subnet), SQL servers (enabled with private endpoint - connected to one of the virtual networks subnet)

Private dns zone in azure connected to vnet peered with virtual wan hub.

KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee

2024-07-31T05:01:09.6366667+00:00
@kvidhul ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to connect to Private EndPoints from P2S Clients in a vWAN scenario.

Since you mentioned, "i can resolve private endpoint ip address when i am connected via VM in one of the peered virtual networks." and "azure firewall private ip as dns server"

I take it that you have DNS Proxy enabled and also have a custom DNS server configured in the Azure Firewall

i.e.

And also, in the VNET you have specified DNS as the IP of the Firewall

Azure Firewall Private IP as DNS server would not be able to resolve the Private DNS Zones if it's using Default (Azure provided) in vHub

Can you confirm if the above observations are correct?

If not, please let me know

I see you have mentioned, "Point-to-site vpn is configured with on-premise dns server ip, azure firewall private ip as dns server"

I believe you have configured custom DNS servers in the P2S Configuration file?

Let me know if this is incorrect

Can you confirm you also added DNS suffixes ?

You should use the domain of the PaaS Service without the "privatelink" prefix

i.e., you should use ".azurewebsites.net" and not ".privatelink.azurewebsites.net"

May I ask why the "on-premise dns server ip" is added?

Does the OnPrem DNS Server capable of resolving the private endpoint FQDNs?

If not, only use the DNS Server in Azure (Azure Firewall private IP)

For more details on how to set this up, see Private endpoints in Azure Virtual WAN.

Kindly answer all the above queries so that we can get a better understanding of your environment

Cheers,

Kapil
kvidhul-3447 20 Reputation points

2024-08-02T02:11:51.2166667+00:00
Hi KapilAnanth,

Yes, your assumption is correct DNS proxy is enabled and custom dns ips (On-Premise dns server ip) is using for azure firewall and Vnet is using azure firewall private ip as dns server.

So i am using cutom dns ip of on-prem server and azure firewall for vnet dns server, p2s vpn dns configuration.

I have configured custom dns servers for p2s clients from virtual hub "User VPN (point to site) dns configuration settings.

Yes Dns suffixes also included in p2s clients .xml file

<clientconfig>

<dnssuffixes> <dnssuffix>.azurewebsites.net</dnssuffix> </dnssuffixes>

</clientconfig>

Yes, using on-prem dns server ip because legacy applications hosted on-prem which are accessible only on private network. So using it to reach this applications.

Also configured p2s vpn clients to reach internet via azure firewall (InternetSecurtiyFlag -enabled)

I have private dns zone mydnszone.com, privatelink.azurewebsites.net dns zones. i have added A records for custom domains of webapps in mydnszone.com. Still i cannot able to reach webapps from p2s client vpn, even sql servers as well.
kvidhul-3447 20 Reputation points

2024-08-02T02:23:10.0333333+00:00

Thank you for quick response,
KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee

2024-08-02T13:10:55.1166667+00:00
@kvidhul ,

Thanks for sharing the details.

As next steps,

You can try removing the OnPrem DNS IP from the custom DNS Servers and give it a try

If this is not possible, try changing the order of the DNS Servers and make the Private DNS Resolver's Inbound endpoint IP first

Connect to the P2S and open Powershell to run

nslookup <WebAppFQDN> <Inbound endpoint IP>

nslookup <WebAppFQDN>

ping <WebAppFQDN>

For debugging, add the IP of the Private endpoint and FQDN in the Host file

Once done, try connecting to the WebApp - see if this works

Open CMD and run ping <WebAppFQDN>

Please share the outcome from above

Cheers,

Kapil
kvidhul-3447 20 Reputation points

2024-08-07T00:34:52.14+00:00

As per your instructions i have created test resources in a new environment and removed dns servers (used azue provided dns option) and below are the test parameters.

i can RDP to VMs in the vnets using private ip of VMs.

webapp privateink ip 10.0.0.4 (vnet ip address range 10.0.0.0/24) is included in p2s client.

Webapp is still not reachable ping returns public ip, unable to resolve using privatelink.

Vnet-01 - 10.0.0.0/24 with default subnet

Webapp networking with private endpoint and public access disabled.

Azure vpn client is configured to reach vnet ip address range

From my machine with Vpn client is connected

Still no private endpoint ip

Connected to a VM in vnet-01 via private ip and webapp is accessible from the VM.

Also tested with configuring custom dns in Vnet-01 and p2s VPN client

10.0.0.8, 10.0.0.9 are Vnet ip's used as dns server is and 10.5.64.4 is firewall private ip.

In both the configurations (with azure provided dns and custom dns) still cannot able to ping webapp on private endpoint ip.
KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee

2024-08-07T12:07:40.64+00:00
@kvidhul Thanks for sharing the details.

As next steps,

Connect to the P2S VPN and run the following commands and share the results.

nslookup <WebAppFQDN> 10.0.0.8

nslookup <WebAppFQDN> 10.0.0.9

nslookup <WebAppFQDN> 10.5.64.4

From the VM in the VNET, run the same and share the results please.

Looking at your configuration, for P2S scenario the DNS request never went across the P2S Tunnel

As we can see the DNS Sever used is 192.x.x.x

Also, I don't understand why you tested with 10.0.0.4 IP - as this not a DNS server.

I believe this is because of a miscommunication from my end where I mentioned "<Inbound endpoint IP>"

Apologies, I was under the impression that you are using Azure Private DNS Resolver's Inbound endPoint

Cheers,

Kapil
kvidhul-3447 20 Reputation points

2024-08-07T23:39:50.75+00:00

Yeah, that was a mistake and i removed 10.0.0.4 as dns server ip.

also i ran nslookup in VM with all the ips but it returned timeout, vm is communicating with web app via private endpoint ip with azure dns server 168.63.129.16.

But when on p2s client i cannot resolve with 168.63.129.16 dns as well.
KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee

2024-08-08T08:56:04.0933333+00:00
@kvidhul ,

Thanks for the update.

Wrt "i ran nslookup in VM with all the ips but it returned timeout"

This simply means you are not using any custom DNS Servers.

This also means 10.0.0.8 and 10.0.0.9, which you mentioned as custom DNS Servers are not working.

Wrt, "But when on p2s client i cannot resolve with 168.63.129.16 dns as well"

This is expected.

The IP address 168.63.129.16 is a virtual public IP address and you cannot use it as a DNS Server for workloads outside Azure VNET, even P2S Clients.

As next steps,

Consider using a custom DNS Server in Azure

Or Azure Private DNS Resolver

This is the recommended one

See : Azure Private Resolver for on-premises/P2S workloads

Hope this clarifies.

To summarize, you never had a custom DNS Server in Azure that is capable of resolving the Private DNS Records

Cheers,

Kapil
kvidhul-3447 20 Reputation points

2024-08-08T23:40:43.33+00:00

that being said, i have also another scenario with virtual network gateway in a vnet, where i can reach the webapp with p2s client in virtual network gateway (of vnet)

it resolves to ********.cloudapp.net

Vnet range - 10.10.0.0/16 it has custom dns ips 10.10.0.4 and 10.10.0.5

Is there a way to avoid private dns resolver or vm as it adds to more cost.
KapilAnanth-MSFT 46,016 Reputation points Microsoft Employee

2024-08-09T09:28:38.62+00:00
@kvidhul , you are contradicting with your statements.

You mentioned

"i ran nslookup in VM with all the ips but it returned timeout, vm is communicating with web app via private endpoint ip with azure dns server 168.63.129.16."

This means the DNS is being provided by 168.63.129.16 and not any custom DNS Servers.

Firstly, can you please confirm whether or not 10.10.0.4 and 10.10.0.5 are DNS Servers? And are working or not?

If not, then you have to use either Azure Private Resolver or a custom DNS Server

If yes, you can continue to use the above DNS Servers, with a forward Zone pointing ".azurewebsites.net." to the 168.63.129.16

The above are the available options for Production workloads.

For Test workload, you can add a Host file entry in the P2S Clients so the webApp FQDN is resolved locally.

Also, wrt "it resolves to xxxxx.cloudapp."

Isn't this wrong?

Shouldn't webApp resolve to "xxxxx.azurewebsites.net." ?

Hope this clarifies

Cheers,

Kapil