can  be add record Alias  for   endpoint  that associate with domain name 

allow port 22  with  firewall

Hi @Bigo,
ow did you configure Firewall and virtual networks in the Storage Account networking section? From your post, I see you disabled the public access!

Did you configure Virtual networks access (adding transit-VNET & ACCESS-VNET)?

In order to verify if the Firewall blocks the access via the private endpoint, can you please enable the access from all networks back just for the time of a further test?

Once the Storage Account firewall has been disabled can you please try connecting to the SFTP private endpoint again?

Cheers,

Nico

Hi @Nico ,

I changed the FW settings of the SA, enabling access from the 3 VNETs (alls subnets), and also adding my public IP in the Firewall whitelisting rules.

However the issue is still there, I can login via the public EP, but not from the private one:

Even after setting the firewall back to “Disabled” for public access, nothing changed 

Hi @Bigo,

I can confirm the above scenario is supported by Aviatrix: I just replicated it (directly pointing to the private endpoint IP address) and it works fine:

• My laptop private IP addresses are:

  

   

• Azure Private Endpoint settings are:

• 

  where sftptest-nic is 10.21.93.36:

  

   

• The public network access has been disabled:

  

   

• and the connection to sftp works as expected:

  

   

At this point, I think there is something to verify at the configuration level.

Just to double check something quick, can you please verify if enabled Connected Transit:

?

Please, let me know.

Cheers,

Nico

Hi @Nico , I was finally able to make it run! THe issue was with the private endpoint configuration, which had a “Target Sub-resource type: file”

After changing it to “blob”, it started working (even the public DNS is resolving to the private IP):
 

Just one last question (not sure if I can ask it here): I see all the DNS resolution is forwarded through the VPN, but from my understanding, only the domains specified in the VPN gateway “Search Domain” field should be resolved through Aviatrix VPN. Is my understanding correct? Is there any additional configuration I’m missing?

Hi @Bigo,

any chance to share your DNS configuration via ipconfig /all ?

Hi Nico, here it is (sorry for the Italian, but I think you can read it)

Hi @Bigo,

thanks for the screenshot and don’t worry for the Italian words into the configuration… I can try getting them 

As you can spot the Server DNS has been configured as 10.100.2.4 because it has been pulled by the VPN configuration. Considering the Aviatrix documentation and my understanding, once the VPN connection is running, your laptop leverages on 10.100.2.4 for each DNS request!

Is there any chance you can remove the nameservers and the search domains from the Split Configuration Info?

Once removed, can you try testing the access to the SFTP (via the IP address), Aviatrix.com and Google.com again?

Please, let me know.

Cheers,

Nico

Hi @Nico ,

I removed the Nameservers and the Search Domains from the Split Configuration Info, and after that I could resolve google.com and aviatrix.com with my ISP DNS.

However, my understanding of the feature was the following:

1. if Nameservers field is set, all the DNS resolution goes through the VPN tunnel towards the configured resolver
2. if both Nameserver and Search Domains fields are set, only DNS resolution for specified domains goes through the VPN tunnel towards the configured resolver, while other domains are resolved with the ISP DNS

If this is not the case, can you help me understand what is a possible scenario for using both fields?

Thank you very much.  

Hi Nico,

after our discussion in call, the feature is much clearer.

Thanks for taking time to answering my doubts, we can close this thread now.