Connect to Azure function app with private endpoint over VPN point to site


I've created an Azure function app, vnet, virtual network gateway, private endpoint, and private dns zone. My virtual network gateway is in its own subnet, below is relevant terraform from the azurerm_virtual_network_gateway resource

ip_configuration {
  name                          = "aza-vnet"
  public_ip_address_id          = azurerm_public_ip.vpn_gateway_public_ip.id
  private_ip_address_allocation = "Dynamic"
  subnet_id                     = azurerm_subnet.vpn_gateway_subnet.id
}

The private endpoint is created in a separate subnet in the same vnet, pointing to the function app. Below is some of the terraform configuration for that resource

private_service_connection {
  name                           = "oai-create-privateserviceconnection"
  private_connection_resource_id = azurerm_linux_function_app.oai_create_app.id
  subresource_names              = ["sites"]
  is_manual_connection           = false
}

private_dns_zone_group {
  name                 = "oai-create-dns-zone-group"
  private_dns_zone_ids = [azurerm_private_dns_zone.create_func.id]
}

I created the below dns zone

resource "azurerm_private_dns_zone" "create_func" {
  name                = "privatelink.azurewebsites.net"
  resource_group_name = var.rg_name
}

linked it to my vnet

resource "azurerm_private_dns_zone_virtual_network_link" "create_func" {
  name                  = "oai-create-link"
  resource_group_name   = var.rg_name
  private_dns_zone_name = azurerm_private_dns_zone.create_func.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
}

and added an A record for the private endpoint ip

# Records in a private zone use the azurerm_private_dns_a_record resource;
# azurerm_dns_a_record targets public azurerm_dns_zone zones only.
# Note that the private_dns_zone_group on the private endpoint already
# registers this A record in the zone, so a manual record is redundant.
resource "azurerm_private_dns_a_record" "create_func" {
  # The zone name is appended automatically, so use the relative name only.
  name                = "func-name"
  zone_name           = azurerm_private_dns_zone.create_func.name
  resource_group_name = var.rg_name
  ttl                 = 300
  records             = [azurerm_private_endpoint.create_func.private_service_connection[0].private_ip_address]
  #records             = [azurerm_private_endpoint.create_func.ip_configuration[0].private_ip_address]
}

with func-name the name of my function.

I added the below to my vpn config file to try to use Azure DNS 168.63.129.16

<!-- The default profile ships with an empty <clientconfig i:nil="true" />;
     the nil marker has to be dropped once child elements are added. -->
<clientconfig>
  <dnssuffixes>
    <dnssuffix>.azurewebsites.net</dnssuffix>
  </dnssuffixes>
  <dnsservers>
    <dnsserver>168.63.129.16</dnsserver>
  </dnsservers>
</clientconfig>

When I connect to my VPN and try to reach my function curl https://func-name.azurewebsites.net/api/create it doesn't resolve

When I use the private ip of the private endpoint curl http://10.0.2.4/api/create I get a 404, which is also unexpected but it is actually reaching the function app. Probably due to this

Here is the output of nslookup which is resolving to a public ip

nslookup func-name.azurewebsites.net
Server:     10.16.80.1
Address:    10.16.80.1#53

Non-authoritative answer:
func-name.azurewebsites.net canonical name = func-name.privatelink.azurewebsites.net.
func-name.privatelink.azurewebsites.net canonical name = hosts.func-name.azurewebsites.net.
Name:   hosts.func-name.azurewebsites.net
Address: 13.92.237.218

Does anyone know what I can do to get my function app hostname to resolve to the private endpoint ip address?

Venkat V (BEST ANSWER)

Does anyone know what I can do to get my function app hostname to resolve to the private endpoint ip address?

To resolve the function app hostname to the private endpoint IP address when using Point to Site VPN, you can add a host entry on the local machine so that the private endpoint's name resolves to its IP address for testing.

Name: func-name.privatelink.azurewebsites.net
Address: 10.0.2.4

To add a host entry on your local PC, navigate to C:\Windows\System32\drivers\etc\hosts and insert your entry into the hosts file.


As a permanent solution, consider implementing a Private DNS Resolver or a custom DNS server to resolve the IP address of the private endpoint when utilizing Point to Site VPN.

Reference: Point to Site VPN name resolution

Private Endpoint DNS Integration Scenarios
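Terraform for the permanent route the answer recommends, a DNS Private Resolver with an inbound endpoint whose private IP the VPN profile can use as its DNS server. This is an added example, not code from the question or the answer; the subnet and resource names and the 10.0.3.0/28 range are assumptions, and it reuses the asker's var.rg_name and azurerm_virtual_network.vnet references.

```hcl
# Dedicated subnet for the resolver; it must be delegated to Microsoft.Network/dnsResolvers.
resource "azurerm_subnet" "dns_resolver_inbound" {
  name                 = "snet-dns-inbound"   # assumed name
  resource_group_name  = var.rg_name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.3.0/28"]      # assumed unused range in the vnet

  delegation {
    name = "dnsresolver"
    service_delegation {
      name    = "Microsoft.Network/dnsResolvers"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
    }
  }
}

resource "azurerm_private_dns_resolver" "this" {
  name                = "dnspr-oai"           # assumed name
  resource_group_name = var.rg_name
  location            = azurerm_virtual_network.vnet.location
  virtual_network_id  = azurerm_virtual_network.vnet.id
}

# Inbound endpoint: a private IP inside the vnet that P2S clients can reach over the tunnel.
# Queries sent here are answered by Azure DNS, which sees the linked privatelink zone.
resource "azurerm_private_dns_resolver_inbound_endpoint" "this" {
  name                    = "dnspr-oai-inbound"  # assumed name
  private_dns_resolver_id = azurerm_private_dns_resolver.this.id
  location                = azurerm_private_dns_resolver.this.location

  ip_configurations {
    private_ip_allocation_method = "Dynamic"
    subnet_id                    = azurerm_subnet.dns_resolver_inbound.id
  }
}

# Put this address in the VPN profile's <dnsserver> element in place of 168.63.129.16,
# which is not reachable from point-to-site clients.
output "vpn_client_dns_server" {
  value = azurerm_private_dns_resolver_inbound_endpoint.this.ip_configurations[0].private_ip_address
}
```

After re-importing the updated profile, nslookup func-name.azurewebsites.net from the VPN client should show the inbound endpoint as the server and return the private endpoint's 10.0.2.4 address.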