I have the following design in which I’m trying to connect from my laptop to an SFTP blob storage in Azure via private endpoint.
I have 3 VNETs:
ACCESS: contains Aviatrix VPN gateway, Aviatrix spoke gateway and DNS inbound endpoint for on-prem DNS resolution
TRANSIT: for Aviatrix Transit gateway
SFTP-TEST: spoke vnet containing one Aviatrix Spoke Gateway and the private endpoint for the SFTP blob storage
Now, from my laptop I can resolve the DNS name correctly:
However I cannot connet to the SFTP private endpoint, while the connection to the public one works (closed at the end because I configured to block public access):
Do you think I’m missing something in the architecture, or is this scenario not supported with aviatrix?
Many thanks
Page 1 / 1
can be add record Alias for endpoint that associate with domain name
allow port 22 with firewall
Hi @Bigo, ow did you configure Firewall and virtual networks in the Storage Account networking section? From your post, I see you disabled the public access!
Did you configure Virtual networks access (adding transit-VNET & ACCESS-VNET)?
In order to verify if the Firewall blocks the access via the private endpoint, can you please enable the access from all networks back just for the time of a further test?
Once the Storage Account firewall has been disabled can you please try connecting to the SFTP private endpoint again?
Cheers,
Nico
Hi @Nico ,
I changed the FW settings of the SA, enabling access from the 3 VNETs (alls subnets), and also adding my public IP in the Firewall whitelisting rules.
However the issue is still there, I can login via the public EP, but not from the private one:
Even after setting the firewall back to “Disabled” for public access, nothing changed
Hi @Bigo,
I can confirm the above scenario is supported by Aviatrix: I just replicated it (directly pointing to the private endpoint IP address) and it works fine:
My laptop private IP addresses are:
Azure Private Endpoint settings are:
where sftptest-nic is 10.21.93.36:
The public network access has been disabled:
and the connection to sftp works as expected:
At this point, I think there is something to verify at the configuration level.
Just to double check something quick, can you please verify if enabled Connected Transit:
?
Please, let me know.
Cheers,
Nico
Hi @Nico , I was finally able to make it run! THe issue was with the private endpoint configuration, which had a “Target Sub-resource type: file”
After changing it to “blob”, it started working (even the public DNS is resolving to the private IP):
Just one last question (not sure if I can ask it here): I see all the DNS resolution is forwarded through the VPN, but from my understanding, only the domains specified in the VPN gateway “Search Domain” field should be resolved through Aviatrix VPN. Is my understanding correct? Is there any additional configuration I’m missing?
Hi @Bigo,
any chance to share your DNS configuration via ipconfig /all ?
Hi Nico, here it is (sorry for the Italian, but I think you can read it)
Hi @Bigo,
thanks for the screenshot and don’t worry for the Italian words into the configuration… I can try getting them
As you can spot the Server DNS has been configured as 10.100.2.4 because it has been pulled by the VPN configuration. Considering the Aviatrix documentation and my understanding, once the VPN connection is running, your laptop leverages on 10.100.2.4 for each DNS request!
Is there any chance you can remove the nameservers and the search domains from the Split Configuration Info?
Once removed, can you try testing the access to the SFTP (via the IP address), Aviatrix.com and Google.com again?
Please, let me know.
Cheers,
Nico
Hi @Nico ,
I removed the Nameservers and the Search Domains from the Split Configuration Info, and after that I could resolve google.com and aviatrix.com with my ISP DNS.
However, my understanding of the feature was the following:
if Nameservers field is set, all the DNS resolution goes through the VPN tunnel towards the configured resolver
if both Nameserver and Search Domains fields are set, only DNS resolution for specified domains goes through the VPN tunnel towards the configured resolver, while other domains are resolved with the ISP DNS
If this is not the case, can you help me understand what is a possible scenario for using both fields?
Thank you very much.
Hi Nico,
after our discussion in call, the feature is much clearer.
Thanks for taking time to answering my doubts, we can close this thread now.