Private endpoint for Blob Storage fails DNS resolution from on-premises network after VNet integration

We’ve configured a private endpoint for our Azure Blob Storage account to secure access from our on-premises network via Site-to-Site VPN. The private endpoint was created successfully in our hub VNet, and we can access the storage from Azure VMs without issues. However, on-premises clients can’t resolve the storage account’s private endpoint DNS name.

When testing from on-prem:

nslookup mystorageacct.blob.core.windows.net
Server: 10.50.1.10
Address: 10.50.1.10#53
Name: mystorageacct.blob.core.windows.net
Address: 20.38.147.52 (public IP)

We expected the private IP (10.100.2.15) but are getting the public IP instead. Our on-premises DNS servers are configured to forward Azure DNS queries, but something isn’t working correctly. The private endpoint shows as “Approved” in the portal, and the private DNS zone (privatelink.blob.core.windows.net) is linked to the hub VNet. We need help understanding the DNS resolution path for hybrid network integration with private endpoints.

Quick tip: when setting up the conditional forwarders on your on-prem DNS, you need separate forwarders for each Azure service you’re using private endpoints with - blob.core.windows.net forwards to one set, dfs.core.windows.net to another, etc. The privatelink subdomain is what gets forwarded, not the base domain.

One important detail - make sure your VPN gateway subnet has proper routing to reach the DNS forwarder VMs. Also verify that your Network Security Groups (NSGs) on the forwarder VMs allow inbound DNS traffic (port 53 TCP/UDP) from your on-premises IP ranges. I’ve seen cases where the NSG was blocking DNS queries even though the routing was correct.

The issue is that your on-premises DNS servers are resolving the public FQDN directly instead of going through Azure Private DNS. For private endpoints to work from on-prem, you need to configure conditional forwarders on your on-premises DNS servers to forward queries for privatelink.blob.core.windows.net to Azure DNS (168.63.129.16). This requires your VPN connection to allow traffic to Azure’s internal DNS resolver.
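One way to check the resolution path the question and the replies above describe, as an added example that is not from any of the posters: parse the on-prem nslookup output from the question, then walk the CNAME chain a private-endpoint-aware resolver should return (public FQDN to the privatelink FQDN, then an A record from the private zone) and flag when the privatelink name comes back with a public address. The two answer tables, the sample nslookup text and the names PRIVATE_ZONE, parse_nslookup, follow_chain and assess are constructed for this example; the real public chain may contain further CNAME hops, which the walker follows the same way.

```python
import ipaddress
import re

# The private DNS zone the question says is linked to the hub VNet.
PRIVATE_ZONE = "privatelink.blob.core.windows.net"

# Constructed copy of the nslookup output from the question (annotation removed).
SAMPLE_ONPREM_NSLOOKUP = """\
Server: 10.50.1.10
Address: 10.50.1.10#53
Name: mystorageacct.blob.core.windows.net
Address: 20.38.147.52
"""

# Constructed answer tables keyed by queried name -> (record type, value).
# What a resolver that can see the private zone should return:
ANSWERS_PRIVATE = {
    "mystorageacct.blob.core.windows.net": ("CNAME", "mystorageacct.privatelink.blob.core.windows.net"),
    "mystorageacct.privatelink.blob.core.windows.net": ("A", "10.100.2.15"),
}
# What the question's on-prem resolver effectively returns (public DNS answers
# the privatelink name because the query never reached the private zone):
ANSWERS_ONPREM = {
    "mystorageacct.blob.core.windows.net": ("CNAME", "mystorageacct.privatelink.blob.core.windows.net"),
    "mystorageacct.privatelink.blob.core.windows.net": ("A", "20.38.147.52"),
}


def parse_nslookup(text):
    """Extract (name, address) answer pairs from BIND-style nslookup output.
    The leading 'Server:' / 'Address: x.x.x.x#53' lines describe the resolver,
    not the answer, so they are skipped (no Name: seen yet, and the #port suffix
    does not match)."""
    results = []
    current_name = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Name:\s+(\S+)", line)
        if m:
            current_name = m.group(1)
            continue
        m = re.match(r"Address:\s+([0-9a-fA-F.:]+)$", line)
        if m and current_name:
            results.append((current_name, m.group(1)))
    return results


def follow_chain(name, answers, max_hops=8):
    """Follow CNAME records in an answer table until an A record, a missing
    name, or the hop limit. Returns the list of (name, type, value) hops."""
    hops = []
    for _ in range(max_hops):
        rtype, value = answers.get(name, (None, None))
        if rtype is None:
            hops.append((name, "NXDOMAIN", None))
            return hops
        hops.append((name, rtype, value))
        if rtype == "A":
            return hops
        name = value
    hops.append((name, "LOOP", None))
    return hops


def assess(hops):
    """Classify a resolution path: did it pass through the privatelink zone,
    and is the final address a private (RFC 1918) one, as a private endpoint's is?"""
    via_privatelink = any(h[0].endswith("." + PRIVATE_ZONE) for h in hops)
    final = next((h[2] for h in hops if h[1] == "A"), None)
    is_private = final is not None and ipaddress.ip_address(final).is_private
    if final is None:
        verdict = "no address returned"
    elif via_privatelink and is_private:
        verdict = "private endpoint path"
    elif via_privatelink:
        verdict = "privatelink name answered with a public address: query did not reach the private zone"
    else:
        verdict = "public path (no privatelink CNAME seen)"
    return {"final": final, "via_privatelink": via_privatelink,
            "is_private": is_private, "verdict": verdict}


if __name__ == "__main__":
    print(parse_nslookup(SAMPLE_ONPREM_NSLOOKUP))
    for label, table in (("expected", ANSWERS_PRIVATE), ("on-prem", ANSWERS_ONPREM)):
        print(label, assess(follow_chain("mystorageacct.blob.core.windows.net", table)))
```

The walker is kept pure (no network calls) so the expected and observed chains can be compared side by side; to run it against live DNS, feed it answers collected with nslookup or dig from both an Azure VM and an on-prem host. The telling symptom is the second verdict: the privatelink CNAME is present (public DNS publishes it), but the A record for the privatelink name is public, which means the on-prem resolver's query for that zone is not being answered by anything that sees the private DNS zone.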