Troubleshooting Azure Private Link
Note
This document provides common troubleshooting steps for Azure Private Link. For specific issues, refer to the relevant Azure service documentation.
Common Connection Issues
1. Private Endpoint Not Reachable
Symptoms:
- Unable to access the private link service from your virtual network.
- Network connectivity tests (like ping or traceroute) fail.
Troubleshooting Steps:
- Verify Network Security Groups (NSGs): Ensure that NSGs associated with the subnet where the private endpoint resides allow outbound traffic to the Private Link service's required ports (typically 443 for HTTPS). Also, check inbound rules for traffic originating from your client resources.
- Check Route Tables: Verify that your route tables have correct routes. If you are using User Defined Routes (UDRs) or Network Virtual Appliances (NVAs), ensure they are not interfering with traffic destined for the private endpoint.
- Confirm Private DNS Zone Configuration: Ensure the Private DNS Zone for the service is correctly configured and linked to your virtual network. The DNS A record for the service endpoint should resolve to the private IP address of the private endpoint.
- IP Address Conflicts: Double-check for any IP address conflicts within your virtual network or connected networks.
- Check Route Tables: Verify that your route tables have correct routes. If you are using User Defined Routes (UDRs) or Network Virtual Appliances (NVAs), ensure they are not interfering with traffic destined for the private endpoint.
2. Service Unavailable or Refused Connection
Symptoms:
- Applications report "service unavailable" or "connection refused" errors.
- Attempts to establish a connection to the private endpoint fail.
Troubleshooting Steps:
- Verify Private Endpoint Status: In the Azure portal, navigate to your private endpoint. Ensure its status is "Succeeded". If it's pending or failed, investigate the deployment logs.
- Check Private Link Service Status: If you are using a Private Link service, verify its status in the Azure portal. Ensure it's healthy and accessible.
- Service Health: Confirm that the underlying Azure service (e.g., Azure SQL Database, Azure Storage) is operational and not experiencing any outages. Check the Azure Service Health dashboard.
- Firewall Rules on the Service: Ensure that any firewalls configured on the target Azure service itself (e.g., Azure SQL firewall rules, Storage account network rules) allow access from the private IP address of your private endpoint.
- Check Private Link Service Status: If you are using a Private Link service, verify its status in the Azure portal. Ensure it's healthy and accessible.
DNS Resolution Problems
1. Incorrect DNS Resolution
Symptoms:
- Private endpoints are reachable via IP address but not by hostname.
- Internal DNS servers are not resolving the service FQDN to the private IP.
Troubleshooting Steps:
- Verify Private DNS Zone Linking: Ensure the Private DNS Zone (e.g.,
privatelink.blob.core.windows.net) is correctly linked to the virtual network where your private endpoint resides.- Check DNS Records: Within the Private DNS Zone, verify that the A record for the specific service hostname (e.g.,
mystorageaccount.privatelink.blob.core.windows.net) exists and points to the correct private IP address of your private endpoint.- Custom DNS Servers: If you use custom DNS servers within your VNet, ensure they are configured to forward queries for the Private DNS Zone to Azure DNS or are able to resolve the records themselves.
- Client DNS Configuration: Confirm that clients attempting to connect are using DNS servers that can resolve the Private DNS Zone.
- Check DNS Records: Within the Private DNS Zone, verify that the A record for the specific service hostname (e.g.,
Azure Private Link Service Issues
1. Unable to Create or Configure Private Link Service
Troubleshooting Steps:
- Service Consumer Permissions: Ensure the user or service principal creating the private endpoint has the necessary permissions (e.g., "Microsoft.Network/privateEndpoints/write", "Microsoft.Network/privateLinkServices/privateEndpointConnections/write").
- Service Provider Permissions: Ensure the service provider has correctly configured the Private Link Service with the appropriate consumer groups, IP configurations, and network access rules.
- NAT Gateway Interactions: If a NAT Gateway is used in the subnet where the private endpoint is deployed, ensure it's not blocking traffic. Private Link generally works with NAT Gateway, but verify configuration.
- Service Provider Permissions: Ensure the service provider has correctly configured the Private Link Service with the appropriate consumer groups, IP configurations, and network access rules.
General Troubleshooting Tips
- Azure Network Watcher: Utilize Network Watcher's features like Connection Troubleshoot, IP Flow Verify, and NSG Flow Logs to diagnose connectivity issues.
- Resource Health: Check the "Resource Health" blade for both your private endpoint and the target service in the Azure portal for any underlying platform issues.
- Azure Activity Log: Review the Activity Log for both the private endpoint and the target service for any failed operations or configuration changes.
- Azure Monitor Logs: If available for the target service, use Azure Monitor to analyze application and network logs for more granular error details.
- Resource Health: Check the "Resource Health" blade for both your private endpoint and the target service in the Azure portal for any underlying platform issues.
Tip
When troubleshooting, isolate the problem by testing connectivity from different resources within your VNet and from different subnets if applicable.