Sunday 10 July 2022

Azure SQL PaaS Private Endpoints & DNS

I have a SQL PaaS server in Azure. Normally you connect to it using the server name, a domain name that resolves to a public IP address. We have disabled public access on the server, so connections now have to go through a Private Endpoint.

A Private Endpoint gives the SQL server a network interface with a private IP address inside an Azure Virtual Network (vnet), and our network config is done so the routing tables send traffic from on-prem to that address via SD-WAN etc. The problem is that connecting to the SQL database is still done via the server name, and by default that name resolves to the public IP, which I can't use now that public access is disabled.


Creating the Private Endpoint is what adds this private DNS alias; before the endpoint existed, the server name resolved straight to a public IP. The alias is tied to the Private Endpoint, not to the public-access setting: it appears when the endpoint is created and goes away when the endpoint is deleted. In Azure you can host the alias's zone in a Private DNS Zone, which uses Azure's own DNS servers and is linked to the vnet. We don't use Private DNS Zones for the virtual network in production; our clients resolve names through our own DNS servers in AD, so the zone has to live there.


If I do an nslookup on the server name you will see it has an alias in the zone I need to add. Looking up the main server name sql-server.database.windows.net returns a CNAME to sql-server.privatelink.database.windows.net, which on the public Internet still resolves (via further aliases) to a public IP.


So by creating the zone privatelink.database.windows.net on our DNS servers in AD and adding an A record for sql-server pointing at the endpoint's private IP (10.X.X.X), any client using those servers gets the private IP for sql-server.privatelink.database.windows.net. Azure is not involved in that lookup: our DNS servers are authoritative for the zone, so they answer with the private IP instead of following the public chain. Because the original server name is just an alias for that record, looking up sql-server.database.windows.net now ends at my private IP too. One caveat: once our servers host the whole privatelink.database.windows.net zone they answer for every name in it, so any other SQL server with a Private Endpoint that our clients use needs its own A record in that zone, otherwise it will fail to resolve rather than fall back to the public address.
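The steps above (check the alias with a lookup, create the zone on the AD DNS servers, add the A record, confirm the chain now ends at the private IP), as an added PowerShell example that is not code from the original post. It assumes a Windows DNS server named dc01 with the DnsServer module, an endpoint IP of 10.0.1.4 standing in for the 10.X.X.X in the post, and forest-wide AD replication for the zone; change those to match your environment.

```powershell
# Added example (not from the original post): host the privatelink zone on an
# AD-integrated Windows DNS server and verify the CNAME chain ends at the
# Private Endpoint's private IP. Run on, or remote to, a DNS server with the
# DnsServer module. Placeholders: the AD DNS server is assumed to be 'dc01',
# the endpoint NIC IP 10.0.1.4; 'sql-server' is the server name used in the post.
#Requires -Modules DnsServer

$DnsServer = 'dc01'                              # assumption: AD DNS server to manage and query
$ZoneName  = 'privatelink.database.windows.net'  # zone Azure aliases SQL servers into
$SqlServer = 'sql-server'                        # SQL PaaS server name from the post
$PrivateIp = '10.0.1.4'                          # assumption: Private Endpoint NIC IP (post shows 10.X.X.X)

# 1. Create the zone once, AD-integrated so every DNS server in the forest serves it.
if (-not (Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Forest' -ComputerName $DnsServer
}

# 2. Add (or refresh) the A record: sql-server.privatelink.database.windows.net -> 10.0.1.4
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $SqlServer -RRType 'A' `
                -ComputerName $DnsServer -ErrorAction SilentlyContinue
if ($existing) {
    Remove-DnsServerResourceRecord -ZoneName $ZoneName -Name $SqlServer -RRType 'A' `
        -ComputerName $DnsServer -Force
}
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $SqlServer -IPv4Address $PrivateIp `
    -TimeToLive (New-TimeSpan -Minutes 5) -ComputerName $DnsServer

# 3. Verify: resolve the public server name through our DNS server and print the chain.
#    -DnsOnly skips the local hosts file and cache so we see what the server actually returns.
$fqdn    = "$SqlServer.database.windows.net"
$answers = Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -DnsOnly

foreach ($r in $answers) {
    if ($r.Type -eq 'CNAME')  { '{0} -> CNAME {1}' -f $r.Name, $r.NameHost }
    elseif ($r.Type -eq 'A')  { '{0} -> A {1}'     -f $r.Name, $r.IPAddress }
}

# 4. Fail loudly if the chain did not end at the Private Endpoint. Public access is
#    disabled, so a client that lands on a public IP here will be refused by the gateway.
$finalIp = ($answers | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
if ($finalIp -ne $PrivateIp) {
    throw ("Expected $fqdn to resolve to $PrivateIp via $DnsServer, got '$finalIp'. " +
           "Check the zone exists on $DnsServer and that the client is using it for resolution.")
}
"OK: $fqdn resolves to the Private Endpoint ($finalIp) via $DnsServer"
```

Run the same Resolve-DnsName from a workstation without -Server to confirm that clients really do resolve through the AD DNS servers: a machine pointed at a public resolver never sees the zone and will still get the public IP, however correct the zone on dc01 is.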


The reason Microsoft does it this way is so the same server name works from both sides. Clients that can see the privatelink zone get the private IP; clients that can't follow the public aliases to the public IP. If you removed the Private Endpoint and wanted public access back, Azure would remove the alias again and the server name would go back to resolving directly to the public IP.


Hope that helps.

For more information, see the original Microsoft community support post I made, along with a very useful video on Azure DNS in relation to Private Endpoints.

