Solved

User VPN for PaaS Services

  • 13 August 2023

Userlevel 2
Badge +4

Hi Community,

I have the following design in which I’m trying to connect from my laptop to an SFTP blob storage in Azure via private endpoint.

I have 3 VNETs:

  • ACCESS: contains Aviatrix VPN gateway, Aviatrix spoke gateway and DNS inbound endpoint for on-prem DNS resolution
  • TRANSIT: for Aviatrix Transit gateway
  • SFTP-TEST: spoke vnet containing one Aviatrix Spoke Gateway and the private endpoint for the SFTP blob storage

Now, from my laptop I can resolve the DNS name correctly:

 

However, I cannot connect to the SFTP private endpoint, while the connection to the public one works (closed at the end because I configured it to block public access):

 

Do you think I’m missing something in the architecture, or is this scenario not supported with Aviatrix?

 

Many thanks


Best answer by Nico 14 August 2023, 07:25


10 replies

Userlevel 1
Badge +4

Can you add an Alias record for the endpoint that is associated with the domain name?

Allow port 22 in the firewall.

Userlevel 2
Badge +1

Hi @Bigo,
How did you configure the Firewall and virtual networks in the Storage Account networking section? From your post, I see you disabled the public access!

Did you configure Virtual networks access (adding transit-VNET & ACCESS-VNET)?

In order to verify if the Firewall blocks the access via the private endpoint, can you please enable the access from all networks back just for the time of a further test?

Once the Storage Account firewall has been disabled can you please try connecting to the SFTP private endpoint again?

 

Cheers,

Nico

Userlevel 2
Badge +4

Hi @Nico ,

I changed the FW settings of the SA, enabling access from the 3 VNETs (all subnets), and also adding my public IP in the Firewall whitelisting rules.

However the issue is still there, I can login via the public EP, but not from the private one:

Even after setting the firewall back to “Disabled” for public access, nothing changed 

Userlevel 2
Badge +1

Hi @Bigo,

I can confirm the above scenario is supported by Aviatrix: I just replicated it (directly pointing to the private endpoint IP address) and it works fine:

  • My laptop private IP addresses are:

     

  • Azure Private Endpoint settings are:
  • where sftptest-nic is 10.21.93.36:

     

  • The public network access has been disabled:

     

  • and the connection to sftp works as expected:

     

At this point, I think there is something to verify at the configuration level.

Just to double check something quick, can you please verify whether you enabled Connected Transit?

 

Please, let me know.

 

Cheers,

Nico

Userlevel 2
Badge +4

Hi @Nico , I was finally able to make it run! The issue was with the private endpoint configuration, which had a “Target Sub-resource type: file”

After changing it to “blob”, it started working (even the public DNS is resolving to the private IP):
 

 

 

Just one last question (not sure if I can ask it here): I see all the DNS resolution is forwarded through the VPN, but from my understanding, only the domains specified in the VPN gateway “Search Domain” field should be resolved through Aviatrix VPN. Is my understanding correct? Is there any additional configuration I’m missing?
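The root cause found in the post above (a private endpoint created with target sub-resource “file” instead of “blob”) can be checked from the endpoint's configuration before testing connectivity. This is an added example, not part of the thread: it audits JSON shaped like `az network private-endpoint show` output, and the sample data, the account name `examplesftp`, the endpoint name and the function names are constructed for illustration.

```python
import copy
import ipaddress

# Constructed sample, shaped like `az network private-endpoint show` output.
# Assumed fields: privateLinkServiceConnections[].groupIds and customDnsConfigs.
SAMPLE_FILE_PE = {
    "name": "sftptest-pe",  # hypothetical endpoint name
    "privateLinkServiceConnections": [{"groupIds": ["file"]}],
    "customDnsConfigs": [
        {"fqdn": "examplesftp.file.core.windows.net",
         "ipAddresses": ["10.21.93.36"]},
    ],
}


def audit_sftp_private_endpoint(pe, required_group="blob"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    conns = pe.get("privateLinkServiceConnections") or []
    groups = {g.lower() for c in conns for g in (c.get("groupIds") or [])}
    if required_group not in groups:
        findings.append(
            f"target sub-resource is {sorted(groups) or 'unset'}, "
            f"expected '{required_group}'")
    # customDnsConfigs can be empty when a private DNS zone group is used.
    for cfg in pe.get("customDnsConfigs") or []:
        fqdn = cfg.get("fqdn", "")
        if f".{required_group}." not in fqdn.lower():
            findings.append(f"DNS name {fqdn} is not a {required_group} endpoint")
        for ip in cfg.get("ipAddresses") or []:
            if not ipaddress.ip_address(ip).is_private:
                findings.append(f"{fqdn} maps to non-private address {ip}")
    return findings


def as_blob_endpoint(pe):
    """Build the corrected variant of the constructed sample."""
    fixed = copy.deepcopy(pe)
    fixed["privateLinkServiceConnections"][0]["groupIds"] = ["blob"]
    for cfg in fixed["customDnsConfigs"]:
        cfg["fqdn"] = cfg["fqdn"].replace(".file.", ".blob.")
    return fixed


if __name__ == "__main__":
    for label, pe in (("before", SAMPLE_FILE_PE),
                      ("after", as_blob_endpoint(SAMPLE_FILE_PE))):
        print(label, audit_sftp_private_endpoint(pe) or "no findings")
```
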

 

Userlevel 2
Badge +1

Hi @Bigo,

any chance to share your DNS configuration via ipconfig /all ?

Userlevel 2
Badge +4

Hi Nico, here it is (sorry for the Italian, but I think you can read it)

 

Userlevel 2
Badge +1

Hi @Bigo,

thanks for the screenshot and don’t worry about the Italian words in the configuration… I can try getting them 😁

As you can spot, the Server DNS has been configured as 10.100.2.4 because it has been pulled from the VPN configuration. Considering the Aviatrix documentation and my understanding, once the VPN connection is running, your laptop relies on 10.100.2.4 for each DNS request!

 

Is there any chance you can remove the nameservers and the search domains from the Split Configuration Info?

Once removed, can you try testing the access to the SFTP (via the IP address), Aviatrix.com and Google.com again?

 

Please, let me know.

 

Cheers,

Nico

Userlevel 2
Badge +4

Hi @Nico ,

I removed the Nameservers and the Search Domains from the Split Configuration Info, and after that I could resolve google.com and aviatrix.com with my ISP DNS.

However, my understanding of the feature was the following:

  1. if Nameservers field is set, all the DNS resolution goes through the VPN tunnel towards the configured resolver
  2. if both Nameserver and Search Domains fields are set, only DNS resolution for specified domains goes through the VPN tunnel towards the configured resolver, while other domains are resolved with the ISP DNS

If this is not the case, can you help me understand what is a possible scenario for using both fields?

Thank you very much.  

Userlevel 2
Badge +4

Hi Nico,

after our discussion in the call, the feature is much clearer.

Thanks for taking the time to answer my doubts, we can close this thread now.
