How the Azure frontend works with a private endpoint from an on-premises network.

Sudarshan Bhamare 0 Reputation points
2025-09-18T12:15:25.47+00:00

How is the Azure portal able to connect to Azure services that are using a private endpoint? How does Azure send a request from the browser to the private endpoint network? What is required to whitelist in the on-prem firewall and proxy?

Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.

1 answer

Praveen Bandaru 9,245 Reputation points Microsoft External Staff Moderator
2025-09-18T12:57:19.2033333+00:00

Hello Sudarshan Bhamare,
I understand that you need clarification on how to set up private connectivity to your storage account for your on-premises users.

A private endpoint establishes a network interface with a private IP address from your virtual network. This enables secure connections to Azure services through Azure Private Link, making those services accessible within your virtual network.

When you access an Azure service from your browser using a private endpoint, your request is directed through the private link. To support this, DNS settings in your virtual network should resolve the service's hostname to its private IP address rather than a public one. This setup keeps your traffic secure and private, avoiding the public internet.
Check the below document for more understanding:
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview

Check the below main steps to establish private connectivity:

Also, let me know which DNS you are using in the private endpoint VNet: Azure-provided or custom DNS.

If you are using custom DNS, you need to set a forwarder in the custom DNS server machine pointing to the Azure DNS IP (168.63.129.16). Also, please confirm whether the custom DNS and the private endpoint are in the same VNet or in different VNets, and check that the private DNS zone's VNet links are configured properly.

If you are connecting from on-premises, you need to configure a conditional forwarder in the on-prem DNS server machine to point to the private DNS resolver inbound IP. Additionally, you need to configure the private DNS resolver inside Azure.

If you are not ready to use a private DNS resolver, you need to configure a VM as a DNS server instead. Then, set up a conditional forwarder in the on-prem DNS server machine to point to the VM's private IP.

Check the below reference documents:

https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

https://github.com/msrini-MSFT/Troubleshooting-Private-Link-DNS-Scenarios?tab=readme-ov-file#scenario-2---if-your-source-machine-is-deployed-on-premises-other-cloud

Hope the above answer helps! Please let us know if you have any further queries.

Please consider up-voting wherever the information provided helps you; this can be beneficial to other community members.

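As an added example (not part of the answer above or of any Microsoft tooling), here is a small Python check a practitioner can run from an on-premises machine to confirm the DNS chain the answer describes: the service hostname must resolve to an address inside the VNet that hosts the private endpoint, not to a public Azure IP. The VNet prefix 10.20.0.0/16 and the hostname mystorage.blob.core.windows.net are constructed placeholders; the privatelink CNAME convention is the one used by Storage, SQL and most other Private Link services; and the function names (classify, check, expected_privatelink_name) are chosen for this example.

```python
"""Verify that an Azure service hostname resolves to its private endpoint.

Added example, not part of the original answer. Assumptions:
  - VNET_PREFIXES is the address space of the VNet that hosts the private
    endpoint (constructed value below; replace with your own).
  - The service follows the common private-link naming convention used by
    Storage, SQL and similar services: <name>.<service-suffix> is CNAME'd to
    <name>.privatelink.<service-suffix>, and the A record lives in the
    privatelink.<service-suffix> private DNS zone.
"""
import ipaddress
import socket

# Constructed: address space of the VNet holding the private endpoint.
VNET_PREFIXES = [ipaddress.ip_network("10.20.0.0/16")]


def expected_privatelink_name(hostname: str) -> str:
    """Return the privatelink alias the public name should CNAME to.

    Example: mystorage.blob.core.windows.net
          -> mystorage.privatelink.blob.core.windows.net
    """
    first, _, rest = hostname.rstrip(".").partition(".")
    return f"{first}.privatelink.{rest}"


def classify(addresses, vnet_prefixes=VNET_PREFIXES) -> str:
    """Classify the IPs a hostname resolved to.

    'private'    every address is inside the VNet: traffic uses the private endpoint
    'public'     no address is inside the VNet: DNS still hands out Microsoft's
                 public IPs, the classic symptom of a missing conditional
                 forwarder, resolver, or private DNS zone VNet link
    'mixed'      some of each: inconsistent answers, usually two DNS paths
    'unresolved' nothing came back (NXDOMAIN or resolver unreachable)
    """
    if not addresses:
        return "unresolved"
    in_vnet = [
        any(ipaddress.ip_address(a) in net for net in vnet_prefixes)
        for a in addresses
    ]
    if all(in_vnet):
        return "private"
    if not any(in_vnet):
        return "public"
    return "mixed"


HINTS = {
    "private": "OK: the client will reach the service over the private endpoint.",
    "public": ("DNS is returning public IPs. Check the on-prem conditional "
               "forwarder for the privatelink zone, the private DNS resolver "
               "inbound endpoint, and the private DNS zone's VNet link."),
    "mixed": "Inconsistent answers: more than one DNS path is in use.",
    "unresolved": "No answer: the forwarder target or resolver is unreachable.",
}


def resolve(hostname: str):
    """Resolve hostname to IPv4 addresses with the OS resolver (needs network)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check(hostname: str, addresses=None, vnet_prefixes=VNET_PREFIXES):
    """Return (classification, hint); resolves live unless addresses are given."""
    if addresses is None:
        addresses = resolve(hostname)
    verdict = classify(addresses, vnet_prefixes)
    return verdict, HINTS[verdict]


if __name__ == "__main__":
    import sys
    # Constructed placeholder hostname; pass your own as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "mystorage.blob.core.windows.net"
    print("expected CNAME:", expected_privatelink_name(host))
    verdict, hint = check(host)
    print(f"{host} -> {verdict}: {hint}")
```

Run it from the on-premises client whose DNS points at the corporate DNS server. A "public" verdict there means the conditional forwarder for the privatelink zone is not being consulted or its target (the private DNS resolver inbound IP or the DNS VM) is not reachable over the VPN or ExpressRoute path; an "unresolved" verdict usually means DNS traffic to that target is being dropped along the way. Running the same script from a VM inside the VNet and comparing the two verdicts quickly narrows the fault to either the Azure-side zone linking or the on-prem forwarding.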
