articles/storage/files/storage-files-networking-dns.md
Lines changed: 14 additions & 6 deletions
@@ -1,28 +1,31 @@
1
1
---
2
-
title: Configuring DNS forwarding for Azure Files
3
-
description: Learn how to configure DNS forwarding for Azure Files.
2
+
title: Configure DNS forwarding for Azure Files
3
+
description: Learn how to configure DNS forwarding for Azure Files to properly resolve the fully qualified domain name (FQDN) of your storage account to your private endpoint's IP address.
4
4
author: khdownie
5
5
ms.service: azure-file-storage
6
6
ms.topic: how-to
7
-
ms.date: 08/29/2023
7
+
ms.date: 05/10/2024
8
8
ms.author: kendownie
9
9
---
10
10
11
-
# Configuring DNS forwarding for Azure Files
11
+
# Configure DNS forwarding for Azure Files using VMs or Azure DNS Private Resolver
12
+
12
13
Azure Files enables you to create private endpoints for the storage accounts containing your file shares. Although useful for many different applications, private endpoints are especially useful for connecting to your Azure file shares from your on-premises network using a VPN or ExpressRoute connection using private-peering.
13
14
14
15
In order for connections to your storage account to go over your network tunnel, the fully qualified domain name (FQDN) of your storage account must resolve to your private endpoint's private IP address. To achieve this, you must forward the storage endpoint suffix (`core.windows.net` for public cloud regions) to the Azure private DNS service accessible from within your virtual network. This guide will show how to setup and configure DNS forwarding to properly resolve to your storage account's private endpoint IP address.
15
16
16
17
We strongly recommend that you read [Planning for an Azure Files deployment](storage-files-planning.md) and [Azure Files networking considerations](storage-files-networking-overview.md) before you complete the steps described in this article.
17
18
18
19
## Applies to
20
+
19
21
| File share type | SMB | NFS |
20
22
|-|:-:|:-:|
21
23
| Standard file shares (GPv2), LRS/ZRS |||
22
24
| Standard file shares (GPv2), GRS/GZRS |||
Azure Files provides the following types of endpoints for accessing Azure file shares:
27
30
28
31
- Public endpoints, which have a public IP address and can be accessed from anywhere in the world.
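Review bot: the front-matter title at diff line 2 ("Configure DNS forwarding for Azure Files") and the new H1 at diff line 11 ("Configure DNS forwarding for Azure Files using VMs or Azure DNS Private Resolver") no longer match; either shorten the H1 or carry the "using VMs or Azure DNS Private Resolver" qualifier into the title so the browser tab, search result and page heading agree. While this block is being touched, the unchanged context at diff line 15 reads "how to setup and configure"; the verb form is "set up".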
@@ -46,18 +49,20 @@ You can configure DNS forwarding one of two ways:
46
49
In addition to Azure Files, DNS name resolution requests for other Azure storage services (Azure Blob storage, Azure Table storage, Azure Queue storage, etc.) will be forwarded to Azure's private DNS service. You can add additional endpoints for other Azure services if desired.
47
50
48
51
## Prerequisites
52
+
49
53
Before you can set up DNS forwarding to Azure Files, you'll need the following:
50
54
51
55
- A storage account containing an Azure file share you'd like to mount. To learn how to create a storage account and an Azure file share, see [Create an Azure file share](storage-how-to-create-file-share.md).
52
56
- A private endpoint for the storage account. See [Create a private endpoint](storage-files-networking-endpoints.md#create-a-private-endpoint).
53
57
- The [latest version](/powershell/azure/install-azure-powershell) of the Azure PowerShell module.
54
58
55
59
## Configure DNS forwarding using VMs
60
+
56
61
If you already have DNS servers in place within your Azure virtual network, or if you prefer to deploy your own DNS server VMs by whatever methodology your organization uses, you can configure DNS with the built-in DNS server PowerShell cmdlets.
57
62
58
63
:::image type="content" source="media/storage-files-networking-dns/dns-forwarding-azure-virtual-machines.png" alt-text="Diagram showing the network topology for configuring D N S forwarding using virtual machines in Azure." lightbox="media/storage-files-networking-dns/dns-forwarding-azure-virtual-machines.png" border="false":::
59
64
60
-
> [!Important]
65
+
> [!IMPORTANT]
61
66
> This guide assumes you're using the DNS server within Windows Server in your on-premises environment. All of the steps described here are possible with any DNS server, not just the Windows DNS Server.
62
67
63
68
On your on-premises DNS servers, create a conditional forwarder using `Add-DnsServerConditionalForwarderZone`. This conditional forwarder must be deployed on all of your on-premises DNS servers to be effective at properly forwarding traffic to Azure. Remember to replace the `<azure-dns-server-ip>` entries with the appropriate IP addresses for your environment.
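Review bot: the prerequisites at diff lines 55-57 list only the Azure PowerShell module, but the procedure that follows runs the built-in DNS Server cmdlets on the on-premises servers (diff line 61, and `Add-DnsServerConditionalForwarderZone` at diff line 68), which ship with the Windows DNS Server role or its RSAT tools rather than with Az; add a bullet for that so a reader does not hit a missing-cmdlet error on the first step. The IMPORTANT note at diff line 66 also says the steps work with any DNS server while the instruction at line 68 is cmdlet-specific; a one-line pointer that non-Windows servers need an equivalent conditional forwarder for the same suffix would close that gap.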
## Configure DNS forwarding using Azure DNS Private Resolver
91
+
86
92
If you prefer not to deploy DNS server VMs, you can accomplish the same task using Azure DNS Private Resolver. See [Create an Azure DNS Private Resolver using the Azure portal](../../dns/dns-private-resolver-get-started-portal.md).
87
93
88
94
:::image type="content" source="media/storage-files-networking-dns/dns-forwarding-azure-private-resolver.png" alt-text="Diagram showing the network topology for configuring D N S forwarding using Azure D N S Private Resolver." lightbox="media/storage-files-networking-dns/dns-forwarding-azure-private-resolver.png" border="false":::
89
95
90
96
There's no difference in how you configure your on-premises DNS servers, except that instead of pointing to the IP addresses of the DNS servers in Azure, you point to the resolver's inbound endpoint IP address. The resolver doesn't require any configuration, as it will forward queries to the Azure private DNS server by default. If a private DNS zone is linked to the VNet where the resolver is deployed, the resolver will be able to reply with records from that DNS zone.
91
97
92
-
> [!Warning]
98
+
> [!WARNING]
93
99
> When configuring forwarders for the *core.windows.net* zone, all queries for this public domain will be forwarded to your Azure DNS infrastructure. This causes an issue when you try to access a storage account of a different tenant that has been configured with private endpoints, because Azure DNS will answer the query for the storage account public name with a CNAME that doesn’t exist in your private DNS zone. A workaround for this issue is to create a cross-tenant private endpoint in your environment to connect to that storage account.
94
100
95
101
To configure DNS forwarding using Azure DNS Private Resolver, run this script on your on-premises DNS servers. Replace `<resolver-ip>` with the resolver's inbound endpoint IP address.
Before testing to see if the DNS forwarders have successfully been applied, we recommend clearing the DNS cache on your local workstation using `Clear-DnsClientCache`. To test if you can successfully resolve the FQDN of your storage account, use `Resolve-DnsName` or `nslookup`.
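Review bot: the WARNING at diff lines 98-99 (forwarding the whole core.windows.net zone breaks resolution of storage accounts in other tenants that use private endpoints) applies to both configuration methods, not only Azure DNS Private Resolver, because the VM-based section at diff lines 60-68 forwards the same suffix; move it up to where suffix forwarding is introduced at diff line 15, or repeat it in the VM section, so readers who stop after the first method still see it. The verification step at the end (`Resolve-DnsName` / `nslookup`) would also be more useful if it stated the expected result: the FQDN should answer with the private endpoint's private IP address, and a public address in the answer means the query did not go through the forwarder.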