(Followed by English translation)
I tried out an environment that accesses Azure Blob over a closed network through Azure Private Link from (an environment that mimics) on-premises.
Background
Azure Private Link lets you reach Blob, SQL and other services over a private IP address, but when the client is an on-premises server, name resolution is the problem.
Private Link requires TLS, so you have to address the FQDN rather than the IP address, and that FQDN must resolve to the private endpoint's private IP address. When the private endpoint is created, the record is registered in Azure's default DNS, so access from Azure resources in the same region needs no extra work; in any other case name resolution takes an extra step.
From on-premises there are two options: a hosts file or DNS forwarding.
https://docs.microsoft.com/azure/private-link/private-endpoint-dns
Procedure
This time I set up a private endpoint on a Blob in the Azure JapanEast region and, in place of on-premises, accessed it over VPN from a VM in the JapanWest region. The VM's hosts file handles name resolution for the private endpoint. The steps are as follows.
- Private link for Azure Storage: https://docs.microsoft.com/ja-jp/azure/storage/common/storage-private-endpoints?toc=/azure/storage/blobs/toc.json
Here is the architecture diagram of the environment:
The test from the VM at JapanWest -> blob at JapanEast used azcopy:
- ./azcopy copy "./hoge.txt" "https://yoaraistorage1.blob.core.windows.net/con1/1.txt?<SAS token>"
- ./azcopy list "https://yoaraistorage1.blob.core.windows.net/con1/?<SAS token>"
- ./azcopy copy "https://yoaraistorage1.blob.core.windows.net/con1/1.txt?<SAS token>" "./download_1.txt"
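A check worth running on the on-prem side before azcopy, added here as an example and not part of the original post: confirm that the blob FQDN resolves to a private address (otherwise the hosts entry or DNS forwarding is not in effect and the transfer would leave the closed network, or fail if public access to the account is disabled). It assumes a Linux VM with getent and awk; the endpoint address 10.1.0.4 is a constructed placeholder, and `<SAS token>` is left as in the post.

```sh
#!/bin/sh
# Added example (not from the original post): verify that the storage FQDN
# resolves to the private endpoint before using azcopy from the on-prem VM.
# Assumes Linux with getent/awk; 10.1.0.4 below is a constructed placeholder.

# Return 0 when $1 is an IPv4 address in 10/8, 172.16/12 or 192.168/16.
is_private_ip() {
  ip=$1
  case "$ip" in
    ""|*[!0-9.]*|.*|*.) return 1 ;;
  esac
  oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
  case "$1" in
    10)  return 0 ;;
    172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
    192) [ "$2" -eq 168 ] && return 0 ;;
  esac
  return 1
}

# hosts(5) line for the on-prem VM: "<private endpoint ip> <public blob fqdn>".
# Pinning the public name (not the privatelink.* alias) keeps azcopy's TLS
# hostname check valid while the connection goes to the private IP.
hosts_entry() {
  printf '%s %s\n' "$2" "$1"
}

# Resolve $1 via the system resolver (honours /etc/hosts) and require that
# every returned address is private. Returns 1 and explains on failure.
check_private_resolution() {
  fqdn=$1
  addrs=$(getent ahostsv4 "$fqdn" | awk '{print $1}' | sort -u)
  [ -n "$addrs" ] || { echo "no A record for $fqdn" >&2; return 1; }
  for a in $addrs; do
    is_private_ip "$a" || { echo "$fqdn -> $a is public" >&2; return 1; }
  done
  echo "$fqdn -> $addrs (private endpoint)"
}

# Usage on the VM (account name from the post, SAS left as a placeholder):
# echo "$(hosts_entry yoaraistorage1.blob.core.windows.net 10.1.0.4)" >> /etc/hosts
# check_private_resolution yoaraistorage1.blob.core.windows.net &&
#   ./azcopy list "https://yoaraistorage1.blob.core.windows.net/con1/?<SAS token>"
```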
I hope this helps.
Let me share how to access Azure Blob from on-prem through a closed network with Private Link.
Background
Azure Private Link allows you to access Azure Blob, SQL, etc. via a private IP address. However, if you access Azure from on-prem, name resolution becomes an issue.
TLS is required to access a private link, hence you need to access not the IP address but the FQDN of the private link, and the FQDN must resolve to the private IP address of the private endpoint. The Azure default DNS server in the same region is updated automatically when a private link is created, but in other cases you need to take action yourself.
From on-prem, a hosts file or DNS forwarding are the solutions. See the doc below for more detail.
https://docs.microsoft.com/azure/private-link/private-endpoint-dns
Procedure
I checked this by creating a private link on a blob at Azure JapanEast, then accessing it from a VM at JapanWest via VPN. Name resolution was based on the hosts file of the VM. Related docs are below:
- Private link for Azure Storage: https://docs.microsoft.com/ja-jp/azure/storage/common/storage-private-endpoints?toc=/azure/storage/blobs/toc.json
Please check the architecture diagram and the test procedure using AzCopy in the first section above.
Hope it helps you. Thank you.