05-19-2022 12:17 PM
Hi, we recently added Azure vNETs and infrastructure across an Azure Express Route. We have also deployed Azure File Shares and integrated them into Active Directory and created Private Endpoints. We have successfully set up the DNS both at our datacenter and in Azure to route properly to the private endpoint through the Express Route.
We cannot get users on the VPN (split-tunnel) to route properly to the Azure Private Endpoint; it will always attempt to route to the public IP of the Azure Storage Account. We implemented dynamic split-tunneling and have added both our internal domain and the core.windows.net domain to the tunnel, but it still resolves to the public IP.
Any direction would be greatly appreciated.
Thank you
Tim
05-20-2022 05:28 AM
So I'm assuming you want to reach Azure over private connection but it's taking over public?
Check what DNS servers you have configured for your VPN and whether they are able to resolve the private address you created for a certain FQDN.
For example, type nslookup from the Windows cmd and hit enter, enter the FQDN you want and observe the results, and check which DNS server is giving you the output: is it your company DNS servers you mentioned in the VPN policy, or the user's local home router DNS?
05-23-2022 06:26 AM
NSLOOKUP picks up the public nslookup information, not the internal. The internal DNS servers are using conditional forwarding to route to "core.windows.net", but using our internal domain as the domain suffix, it will not pick up the conditional forwarder. Everything internal works without a problem.
05-23-2022 07:09 PM
Sorry, I misunderstood your reply
When you do the NSLOOKUP in CMD, what is the responding SERVER you get? INTERNAL or USER LOCAL HOME DNS SERVER?
05-23-2022 03:21 PM
Hi
I am not sure about that setup. What generally people do is either include the IP in the split tunnel or put them in a dynamic split tunnel with the domain you want to include.
What you have done is added the internal IP of the Azure setup in your VPN split tunnel. That is fine, but your VPN users are not able to get the internal resolution, and you haven't added the public IP in your split tunnel as well. I would suggest adding a dynamic policy with that IP or adding that public IP in your split tunnel as well. Mind you, after making the changes, you need the user to disconnect/reconnect.
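The following diagnostic combines the nslookup check suggested in the 05-20 reply (which server answers, and with what address) with the route check implied by the reply above (is the address actually sent down the tunnel). It is an added example, not a script from any poster in this thread. The storage account FQDN, the internal DNS server address and the vNET prefixes are hypothetical placeholders to replace with your own; it is meant to be run on the Windows VPN client while the tunnel is up.

```powershell
# Added diagnostic for the thread above; not a script from the original posters.
# Everything in the "assumptions" block is hypothetical and must be replaced.

# --- assumptions -------------------------------------------------------------
$Fqdn         = 'contosofiles.file.core.windows.net'   # hypothetical storage account FQDN
$VpnDns       = '10.1.0.10'                            # hypothetical internal DNS pushed by the VPN policy
$VnetPrefixes = @('10.1.0.0/16', '10.2.0.0/16')        # hypothetical vNET / datacenter address space
# ------------------------------------------------------------------------------

function ConvertTo-UInt32 ([string]$Ip) {
    # IPv4 dotted quad -> host-order unsigned integer
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InPrefix ([string]$Ip, [string]$Cidr) {
    # True when $Ip falls inside the IPv4 CIDR block $Cidr
    $net, $bits = $Cidr -split '/'
    $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    return ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

function Resolve-Chain ([string]$Name, [string]$Server) {
    # CNAME chain plus A records; asks one specific server when $Server is set,
    # otherwise whatever resolver Windows would use on its own
    $query = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query['Server'] = $Server }
    return Resolve-DnsName @query
}

function Show-Resolution ([string]$Label, [string]$Server) {
    Write-Host "`n== $Label =="
    try   { $records = Resolve-Chain -Name $Fqdn -Server $Server }
    catch { Write-Host "  lookup failed: $($_.Exception.Message)"; return }

    foreach ($r in $records) {
        switch ($r.Type) {
            'CNAME' { Write-Host ("  {0} -> {1}" -f $r.Name, $r.NameHost) }
            'A' {
                # Is the answer inside the address space that belongs in the tunnel?
                $inVnet = @($VnetPrefixes | Where-Object { Test-InPrefix $r.IPAddress $_ }).Count -gt 0
                # Which local interface would Windows send a packet to that address out of?
                $via = (Find-NetRoute -RemoteIPAddress $r.IPAddress -ErrorAction SilentlyContinue |
                        Select-Object -ExpandProperty InterfaceAlias -Unique) -join ', '
                $tag = if ($inVnet) { 'inside vNET space' } else { 'PUBLIC / outside vNET space' }
                Write-Host ("  {0} = {1}  [{2}]  routed via: {3}" -f $r.Name, $r.IPAddress, $tag, $via)
            }
        }
    }
}

# 1. DNS servers per interface: the VPN adapter should carry the internal servers
#    from the VPN policy; the physical adapter will usually carry the home router.
Write-Host "== DNS servers per interface =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize | Out-Host

# 2. The same FQDN resolved two ways.
Show-Resolution -Label 'Default resolver (what the client actually gets)' -Server $null
Show-Resolution -Label "Internal DNS $VpnDns asked directly"             -Server $VpnDns

# Reading the output:
#  - default answer public, internal answer inside vNET space:
#      the query for core.windows.net is not reaching the internal DNS over the
#      tunnel (split DNS is not matching the name, or the home router answers first)
#  - both answers inside vNET space, but "routed via" is not the VPN adapter:
#      the private endpoint address is missing from the tunnel's route list
#  - internal DNS itself returns the public address:
#      the conditional forwarder / private DNS zone is the problem, not the VPN
```

Because the page's trouble is a split between name resolution and routing, the script keeps the two checks separate: `Resolve-DnsName -Server` bypasses the client's resolver selection so you can see what the internal DNS would have said, and `Find-NetRoute` shows where the returned address would actually be sent, independent of how it was resolved.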