June 1, 2023

Configuring a DNS Private Resolver for Seamless Azure Cosmos DB Connectivity with Point-to-Site VPN

Introduction

This article will guide you through the setup of a DNS private resolver for Azure Cosmos DB, addressing the challenge of connecting to the database from different virtual networks or through VPNs. By configuring a DNS private resolver, you can ensure seamless and secure connectivity to your Azure Cosmos DB, enabling efficient data access, data restrictions, and management.

Problem:

When you add a private endpoint to Azure Cosmos DB, your client may not be able to connect to the database while connected to a VPN because the IP address of the database is not resolvable. Even with DNS integration enabled, connecting to the database from a different virtual network or through a VPN requires a DNS forwarder or another method to resolve the Fully Qualified Domain Name (FQDN) of the database.

Services Overview:

  1. Azure Cosmos DB: A globally distributed, multi-model database service that offers consistent performance and availability. Azure Cosmos DB supports storing and querying data of any size and type, ranging from relational data to documents to JSON.
  2. DNS Private Resolver: A server that resolves DNS queries for private resources in your Virtual Network (VNet). Configuring a DNS private resolver allows your client to resolve the IP address of your Azure Cosmos DB database and connect to it securely.
  3. Private Endpoint: A network interface that facilitates private connections to Azure Cosmos DB from your VNet. When you create a private endpoint, Azure Cosmos DB generates a virtual network interface in your VNet that is connected to the Azure Cosmos DB service.
  4. Private DNS Zone: A DNS zone hosted within your virtual network, enabling you to control how DNS queries for your private resources are resolved. You can create records for your private resources, such as Azure Cosmos DB databases, allowing clients to resolve their IP addresses without accessing the public internet.
  5. Virtual Network (VNet): A logical isolation of your Azure resources, similar to a traditional network, but implemented in the cloud.

Diagram: (architecture diagram not reproduced in this text)

Solution:

To overcome the connectivity issue, you can configure a DNS private resolver. A DNS private resolver is a server that resolves DNS queries for private resources in your VNet, enabling your client to resolve the IP address of your Azure Cosmos DB database and connect to it securely.

Follow these steps to configure a DNS private resolver:

1. Go to the Azure portal and navigate to the DNS private resolvers blade.

2. Select Create DNS private resolver.

3. In the Create DNS private resolver blade, complete the following steps:

  • In the Name field, enter a name for your DNS private resolver.
  • In the Location field, select the location for your DNS private resolver.
  • In the Resource group field, select the resource group for your DNS private resolver.
  • Select the Subnet field and choose the subnet in your VNet where VPN is configured.
  • Select Create.

Configuring the Inbound endpoint:

1. In the Settings section of DNS private resolver, select Inbound endpoints.
2. In the Inbound endpoints blade, select Add inbound endpoint.
3. Add the inbound endpoint.

Note: Ensure that the subnet you choose for the Inbound endpoint is in the same VNet where the VPN is configured.

Configure DNS IP:

Once the Inbound endpoint is created, you will see an IP address assigned to it from the selected subnet range. Copy this IP address and go to the VNet where the VPN is configured. From the left panel, select DNS servers and add this IP as a custom DNS server.
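The portal steps above, from creating the resolver through setting the VNet's custom DNS server, can also be scripted. The following is an added example written for this article, not code from the original post or from Microsoft; every resource name, region and address prefix in it is an assumption to be replaced with your own values. It relies on the `dns-resolver` Azure CLI extension.

```shell
#!/bin/sh
# Added example, not from the original article: the portal steps above as
# Azure CLI calls. Every name, region and address prefix here is an assumption;
# replace them with your own values.
set -eu

RG="${RG:-rg-cosmos-dns}"                                    # assumed resource group
LOCATION="${LOCATION:-eastus}"                               # assumed region
VNET="${VNET:-vnet-p2s}"                                     # assumed VNet hosting the P2S gateway
RESOLVER_SUBNET="${RESOLVER_SUBNET:-snet-dnspr-inbound}"     # assumed dedicated subnet name
RESOLVER_PREFIX="${RESOLVER_PREFIX:-10.10.2.0/28}"           # assumed; the service accepts /28 to /24
RESOLVER="${RESOLVER:-dnspr-cosmos}"                         # assumed resolver name
ENDPOINT="${ENDPOINT:-inbound-p2s}"                          # assumed inbound endpoint name

# Builds the --ip-configurations argument for the inbound endpoint: one dynamic
# private IP taken from the given subnet. Pure string function, no Azure calls.
inbound_ip_config() {
  printf "[{private-ip-address:'',private-ip-allocation-method:'Dynamic',id:'%s'}]" "$1"
}

# 1. A dedicated subnet for the resolver, delegated to the DNS resolver service.
#    Nothing else may be placed in this subnet.
create_resolver_subnet() {
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$RESOLVER_SUBNET" \
    --address-prefixes "$RESOLVER_PREFIX" \
    --delegations Microsoft.Network/dnsResolvers -o none
}

# 2. The resolver itself, bound to the VNet where the VPN gateway lives.
create_resolver() {
  vnet_id=$(az network vnet show -g "$RG" -n "$VNET" --query id -o tsv)
  az dns-resolver create -g "$RG" -n "$RESOLVER" --location "$LOCATION" --id "$vnet_id" -o none
}

# 3. The inbound endpoint in the delegated subnet; its IP is what clients query.
create_inbound_endpoint() {
  subnet_id=$(az network vnet subnet show -g "$RG" --vnet-name "$VNET" -n "$RESOLVER_SUBNET" \
    --query id -o tsv)
  az dns-resolver inbound-endpoint create -g "$RG" --dns-resolver-name "$RESOLVER" -n "$ENDPOINT" \
    --location "$LOCATION" --ip-configurations "$(inbound_ip_config "$subnet_id")" -o none
}

# 4. Read back the assigned IP and make it the VNet's custom DNS server; this is
#    the "DNS servers" step in the article. Prints the IP for the operator.
point_vnet_dns_at_endpoint() {
  endpoint_ip=$(az dns-resolver inbound-endpoint show -g "$RG" --dns-resolver-name "$RESOLVER" \
    -n "$ENDPOINT" --query 'ipConfigurations[0].privateIpAddress' -o tsv)
  az network vnet update -g "$RG" -n "$VNET" --dns-servers "$endpoint_ip" -o none
  echo "$endpoint_ip"
}

main() {
  az extension add --name dns-resolver 2>/dev/null || true   # the commands live in an extension
  create_resolver_subnet
  create_resolver
  create_inbound_endpoint
  echo "Inbound endpoint IP (now the VNet DNS server): $(point_vnet_dns_at_endpoint)"
}

# Only talks to Azure when invoked as:  sh configure-dnspr.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

The script assumes the private endpoint and its `privatelink.documents.azure.com` private DNS zone already exist and are linked to this VNet, as the article's problem statement implies; the resolver only gives VPN clients a reachable server that can see that zone.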

After completing these steps, when you connect to the VPN, you should see the same IP address as the DNS IP address in the VPN settings. Now you should be able to connect to Azure Cosmos DB while connected to the Azure Point-to-Site VPN.
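A quick way to confirm the result from a VPN-connected client is to query the inbound endpoint directly and check that the account name resolves to an address inside the VNet rather than a public one. This is an added example, not part of the original article; the account FQDN and the inbound endpoint IP in it are placeholders, and it needs `dig` on the client.

```shell
#!/bin/sh
# Added example, not from the original article: verifies, after connecting to
# the P2S VPN, that the Cosmos DB account name resolves to the private endpoint's
# address when the inbound endpoint answers the query. The account name and the
# inbound endpoint IP below are placeholders, not values from the article.
set -eu

RESOLVER_IP="${RESOLVER_IP:-10.10.2.4}"                       # assumed inbound endpoint IP
COSMOS_FQDN="${COSMOS_FQDN:-myaccount.documents.azure.com}"   # assumed account FQDN

# Pure check: is the IPv4 address in an RFC 1918 range? A private endpoint NIC
# takes its address from the VNet, so a correct answer must land here.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    192.168.*) return 0 ;;
  esac
  return 1
}

# Asks one specific DNS server for the A record, following the CNAME chain
# Cosmos DB uses (account -> account.privatelink.documents.azure.com -> IP).
resolve_a_via() {   # $1 = DNS server, $2 = FQDN
  dig @"$1" +short "$2" A | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# Turns a resolved address into a verdict; pure, so it can be exercised offline.
classify_answer() {   # $1 = FQDN, $2 = resolved IP (may be empty)
  if [ -z "$2" ]; then
    echo "NO-ANSWER: $1 did not resolve; check the VNet DNS server setting and the NSG on the resolver subnet"
    return 2
  elif is_private_ipv4 "$2"; then
    echo "OK: $1 -> $2 (private endpoint address)"
    return 0
  else
    echo "PUBLIC: $1 -> $2; the query never reached the privatelink zone"
    return 1
  fi
}

check_private_path() {
  answer=$(resolve_a_via "$RESOLVER_IP" "$COSMOS_FQDN" || true)
  classify_answer "$COSMOS_FQDN" "$answer"
}

# Only sends a query when invoked as:  sh check-cosmos-dns.sh check
if [ "${1:-}" = "check" ]; then check_private_path; fi
```

On a Windows VPN client the same query is `Resolve-DnsName -Server <inbound endpoint IP> <account>.documents.azure.com`. If the client still reports the old DNS address after the VNet change, download the VPN client profile again, because the Point-to-Site configuration is generated from the VNet's DNS server settings at download time.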

If you have any questions, you can reach out to our SharePoint Consulting team here.
