Join Log in
Score:-1
thebluephantom avatar Server

Address to be used to access private ipaddress for AZURE resource from on-premise

cn flag
thebluephantom

I can see how we can make an AZURE database, say COSMOS DB, a private IP address with Private link, that is fine.

If you want to access that private link / IP address database from on-premise via site2site vpn, with a tool like Spotfire or Tableau, how do we specify the connection string that goes via the ExpressRoute or Site2SiteVPN? I cannot find any examples on that and how that occurs.

It must be basic, but I cannot see it.

Update

Looking at this: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder

enter image description here

I get the impression that the name "azsql1.database.windows.net" would be the connection string I need?

128
1 + 5
in flag
Lutz Willek
Please be more specific. Instead "AZURE database" please specify which database you are using, see https://azure.microsoft.com/en-us/product-categories/databases/ for a selection. Are you able to reach the VNET configured in your azure subscription from on-prem via [ExpressRoute](https://azure.microsoft.com/en-us/services/expressroute/) or [Site2Site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/) A better phrased question would increase the likelihood of a good answer.
0
Reply
thebluephantom avatar
cn flag
thebluephantom
@LutzWillek added cosmosdb but SQL Server equally. Edited plus one more.
0
Reply
thebluephantom avatar
cn flag
thebluephantom
@LutzWillek Thx. I get the overall concept, but I am looking for what aspect of all that jazz that I should I use as the "connect string", using, say, Spotfire on-premise to access the cosmosdb? It seems all quite elaborate.
0
Reply
thebluephantom avatar
cn flag
thebluephantom
@LutzWillek updated question
0
Reply
in flag
Lutz Willek
Yes of cause either the DNS name or the IP address of the private link endpoint. So according to the picture added, either `azsql1.database.windows.net` or `10.5.0.5`.
0
Reply
Score:0
avatar Server
in flag
Lutz Willek

Private Link allows to access an Azure Cosmos account from within the virtual network or from any peered virtual network. Resources mapped to Private Link are also accessible on-premises over private peering through VPN or Azure ExpressRoute.

Read access from a virtual network first to learn the basic knowledge. Make sure you configured an Azure Private Link for an Azure Cosmos account.

By default, an Azure Cosmos account is accessible from any source if the request is accompanied by a valid authorization token. Trouble? Check firewall for Azure Cosmos DB.

You can connect by using the automatic or manual approval method.

So according to the picture you added to the question, both azsql1.database.windows.net or 10.5.0.5 would be adequate.

When connecting to a private link resource using a fully qualified domain name (FQDN) as part of the connection string, it's important to correctly configure your DNS settings to resolve to the given private IP address. Existing Azure services might already have a DNS configuration to use when connecting over a public endpoint. This configuration must be overwritten to connect using your private endpoint. One way to archive this is to use Azure DNS as the DNS resolver - for example via configured DNS forwarder.

0 + 7
br flag
Greg W
azsql1.database.windows.net will only resolve to the private link IP if you’re using Azure DNS as the DNS resolver. From the public Internet’s point of view, it’ll return the regular public IP of the Cosmos DB instance.
0
Reply
in flag
Lutz Willek
Thanks @GregW for your comment - you are right! Initially I thought this restriction would be clearly enough described, as it was mentioned in the question and also in the documentation I linked. However, you comment demonstrated me that it was not the case, so I added a section to clarify it. Thanks!
0
Reply
thebluephantom avatar
cn flag
thebluephantom
Yes of course either the DNS name or the IP address of the private link endpoint. So according to the picture added, either azsql1.database.windows.net or 10.5.0.5. I am wondering whether that is correct if I have 2 corporate accounts in AZURE set up exactly the same.
0
Reply
br flag
Greg W
@thebluephantom it all depends on DNS resolution. The only time azsql1.database.windows.net will resolve to 10.5.0.5 is on the VNET (or peer VNET) with private link and the private link zone is linked to the VNET. Essentially, when you’re on that private DNS-linked VNET, the DNS resolution is as follows: azsql1.database.windows.net will be a CNAME pointer to azsql1.private.database.windows.net, which resolves to 10.5.0.5. You need a conditional DNS forwarder on the VNET for .private.database.windows.net to forward to 168.63.129.16 and your on prem DNS to use that.
1
Reply
thebluephantom avatar
cn flag
thebluephantom
@GregW I think you should have answered the question! I am not sure the answer on 10.5.0.5 is in fact correct now. I think I have the gist, were it not I am wondering how Tableau knows which azure instance to use.
0
Reply
br flag
Greg W
It’s more knowing how private DNS zones work with linking to VNETs and Azure DNS resolution. At the end of the day, you can create any DNS entry in your on-prem DNS that points to 10.5.0.5 and it’ll work. It just won’t update if that private IP changes (say, if you remove, then re-add the private endpoint).
1
Reply
thebluephantom avatar
cn flag
thebluephantom
@GregW Slight abberation my side, forgot the with DNS must be all unique, it happens
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.