I have configured an Azure VPN point-to-site connection to access my Azure resources protected by a VNet from my local machine. I was able to access all other resources except Azure Search Service using the VPN. For all the resources I added the GatewaySubnet under "Selected Networks" in the Networking settings and also added the corresponding resource's IP address as an additional route in the VNet gateway.
But for Azure Search service I cannot add the GatewaySubnet under selected networks because the search service allows only public IP address ranges to be added when selecting "Selected Networks".
I am getting the below error when connecting to the search service with the VPN connected:
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

System.Private.CoreLib: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Am I missing any setting? Can someone help me on this?
3 Answers
I was missing setting up the DNS forwarder. The public addresses are returned by Azure public DNS. The private addresses are returned by DNS internal to Azure. This means that we want to use the DNS internal to Azure when accessing resources over a VPN connection. This internal DNS provided by Azure is outside of our VNet, so we have to explicitly forward to it using our own DNS forwarder. We must add a DNS server to the VNet if we want DNS support for P2S or S2S connections. We must stand up our own DNS server, actually a forwarder, and add it to the VNG DNS server list. Azure does not provide any DNS server that is addressable from the VPN connection. We used Azure Firewall as a DNS forwarder and now everything works with the VPN connected.
You don't need to add anything in the Azure Search firewall. If you have "Selected Networks" as your firewall setting, it means that you have not yet created a private endpoint for Search; if your main goal is to connect privately from on-premises to Search, then this will be your first step.
https://learn.microsoft.com/en-us/azure/search/service-create-private-endpoint
After the private endpoint is created, make sure that your clients know how to resolve xxxx.search.windows.net to the private IP of the newly created private endpoint. Once that's done, it is all a matter of ensuring that the routing is set up correctly, and your clients should then be able to connect.
At this time, the only way to access the search service privately is through a private endpoint, as mentioned in this doc.
Create a private endpoint attached to the virtual network that the local machine's VPN is part of. When you connect through the VPN, the machine that you're connecting from acquires a private IP from the virtual network.
(Summarized from the comments.)
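The first answer (use a DNS forwarder so the VPN client gets the private answer) and the second (make sure clients resolve the search hostname to the private endpoint's IP) both come down to one check: does the name resolve to an address inside the VNet, or to the public address? The script below is an added example, not code from the thread or from Azure; it takes the resolver as a parameter so it can be run offline against constructed answers, and the hostname (contoso-search.search.windows.net), VNet CIDR (10.1.0.0/16), private endpoint address (10.1.2.5) and public address (20.0.0.10) are all made-up values.

```python
"""Check whether a Private Link hostname resolves into the VNet (added example).

Assumed, hypothetical values: search host contoso-search.search.windows.net,
VNet address space 10.1.0.0/16, private endpoint 10.1.2.5. The resolver is
injectable: pass resolve_with_system_dns to test what the VPN client really
gets, or a constructed resolver (as below) to run the logic offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], Iterable[str]]

SEARCH_HOST = "contoso-search.search.windows.net"   # hypothetical
VNET_CIDR = "10.1.0.0/16"                           # hypothetical


def resolve_with_system_dns(host: str) -> List[str]:
    """Resolve with the client's configured DNS, i.e. what the VPN client uses."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def classify(host: str, vnet_cidr: str, resolver: Resolver) -> str:
    """Classify the resolution result for `host`.

    private-endpoint : at least one answer lies inside the VNet address space
    public-only      : every answer is a public address (no forwarder/endpoint)
    other-private    : private answers, but none inside this VNet (wrong VNet?)
    no-answer        : the name did not resolve at all
    """
    net = ipaddress.ip_network(vnet_cidr)
    addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        return "no-answer"
    if any(a in net for a in addrs):
        return "private-endpoint"
    if all(not a.is_private for a in addrs):
        return "public-only"
    return "other-private"


def diagnose(host: str, vnet_cidr: str, resolver: Resolver) -> str:
    """Turn the classification into the remediation step the thread describes."""
    verdict = classify(host, vnet_cidr, resolver)
    hints: Dict[str, str] = {
        "private-endpoint": "OK: traffic will go over the VPN to the private endpoint.",
        "public-only": ("Public address returned: the client is using Azure public DNS. "
                        "Create the private endpoint and point the VPN client at a DNS "
                        "forwarder inside the VNet."),
        "other-private": "Private address, but not in this VNet: check which VNet the "
                         "private endpoint is attached to.",
        "no-answer": "No answer: the DNS server in the VNet gateway DNS list is not "
                     "reachable over the VPN.",
    }
    return f"{host} -> {verdict}: {hints[verdict]}"


# Constructed answers standing in for two DNS servers (not real lookups).
def public_dns(host: str) -> List[str]:
    """What Azure public DNS would hand back: the service's public address."""
    return {SEARCH_HOST: ["20.0.0.10"]}.get(host, [])


def forwarder_dns(host: str) -> List[str]:
    """What a forwarder inside the VNet returns once the private endpoint exists."""
    return {SEARCH_HOST: ["10.1.2.5"]}.get(host, [])


if __name__ == "__main__":
    print(diagnose(SEARCH_HOST, VNET_CIDR, public_dns))
    print(diagnose(SEARCH_HOST, VNET_CIDR, forwarder_dns))
    # Real check from a VPN-connected client (needs network):
    # print(diagnose(SEARCH_HOST, VNET_CIDR, resolve_with_system_dns))
```

Run it on the VPN client with `resolve_with_system_dns` after adding the forwarder to the gateway's DNS server list; a "public-only" verdict means the client is still asking Azure public DNS, which is exactly the timeout the question describes, since the public address is blocked by "Selected Networks".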