Troubleshooting Azure Private Link
This document provides guidance on troubleshooting common issues encountered when using Azure Private Link. Private Link simplifies network connectivity to Azure Platform as a Service (PaaS) and customer-owned services. However, network configuration can sometimes lead to connectivity problems.
Common Issues
- Inability to connect to the private endpoint from a virtual network.
- Slow or intermittent connectivity.
- DNS resolution failures.
- Issues with accessing the service via Private Link after initial setup.
Connectivity Checks
Before diving deep, perform basic connectivity checks:
- Ping/Traceroute: While direct ping to the private endpoint IP might not be enabled for all services, you can use tools like
tcpping or telnet to test connectivity to the service port on the private IP address of the Private Endpoint.
- Network Watcher: Utilize Azure Network Watcher's IP Flow Verify and Connection Troubleshoot features to diagnose NSG and UDR issues affecting connectivity.
- Virtual Network Gateway/VPN/ExpressRoute: If connecting from on-premises, ensure your hybrid connectivity is functioning correctly.
Example: Using PowerShell to test TCP connectivity to a storage account's private endpoint:
Test-NetConnection -ComputerName 10.0.1.4 -Port 443 -InformationLevel Detailed
(Replace 10.0.1.4 with your Private Endpoint's IP and 443 with the relevant service port.)
DNS Resolution
Correct DNS resolution is crucial for Private Link. The Private Endpoint creates a Network Interface (NIC) with a private IP address. Your DNS must resolve the service FQDN (e.g., privatelink.blob.core.windows.net) to this private IP address.
- Azure Private DNS Zone: For services deployed in Azure, a Private DNS Zone is often automatically created or linked during Private Endpoint creation. Verify that the correct A record exists for your service FQDN within this zone and that it's linked to your Virtual Network.
- On-premises DNS: If connecting from on-premises, configure your on-premises DNS servers to forward queries for the Private Link FQDNs to your Azure DNS resolver or conditional forwarders pointing to Azure DNS.
- Custom DNS: If you are using custom DNS servers within your VNet, ensure they are configured to handle Private Link DNS resolution, either by forwarding to Azure DNS or by manually creating A records.
Note: If you are accessing a service using its public FQDN and have configured Private Link, you MUST ensure that the FQDN resolves to the Private Endpoint's IP address for private access.
Troubleshooting DNS:
- Use
nslookup or dig from within your VNet to verify DNS resolution.
- Check Azure DNS Private Zone settings in the Azure portal.
- Review your on-premises DNS configuration for conditional forwarders.
Network Security Groups (NSGs)
NSGs applied to the subnet of the Private Endpoint or to the VNet’s gateway/firewall can block traffic.
- Inbound Rules: Ensure there are inbound rules allowing traffic from your source IP/VNet to the Private Endpoint's IP address on the required service port.
- Outbound Rules: If your source resource (e.g., VM) has egress restrictions, ensure outbound rules allow traffic to the Private Endpoint's IP or the service's service tag.
- Associated NSGs: Check NSGs associated with the VM's NIC, VM's subnet, and any gateways or firewalls involved in the path.
Tip: Start with broadly permissive rules (e.g., allow all from VNet) for testing, then narrow them down.
Firewall Rules
Azure Firewall or Network Virtual Appliances (NVAs) can also restrict traffic.
- Azure Firewall: If using Azure Firewall, ensure you have appropriate Network Rules allowing traffic to the Private Endpoint's IP address and port. Application rules are generally not applicable for Private Link traffic unless you are filtering based on service FQDNs that the firewall understands.
- NVAs: Similarly, check the routing and access control lists (ACLs) on your third-party firewalls.
Private Endpoint Status
The status of the Private Endpoint resource itself can indicate issues.
- Provisioning State: Check the "Provisioning state" in the Azure portal for the Private Endpoint. It should be "Succeeded".
- Network Interface: Verify that the Network Interface associated with the Private Endpoint has a valid private IP address assigned from your subnet.
- Connection Status: For some services, there might be a "Connection status" in the Private Endpoint overview that indicates if the connection to the service is healthy.
Service Availability
Ensure the target Azure service itself is healthy and available.
- Check the Azure Status page for any ongoing incidents in your region.
- Verify the configuration and health of the target Azure service (e.g., Storage Account, Azure SQL Database).
Troubleshooting Scenarios
Scenario 1: Cannot connect to Private Endpoint from VM in same VNet
Likely Cause: NSG rules blocking traffic, incorrect DNS resolution, or service-specific firewall.
Action: Check NSGs on VM NIC, VM subnet, and VNet. Verify DNS resolution from VM. Test direct IP connectivity to Private Endpoint.
Scenario 2: Cannot connect from on-premises via VPN/ExpressRoute
Likely Cause: Hybrid connectivity issues, on-premises firewall, incorrect DNS forwarding.
Action: Verify VPN/ExpressRoute tunnel status. Check on-premises firewall. Ensure DNS queries for Private Link FQDNs are forwarded correctly to Azure DNS.
Scenario 3: Intermittent connectivity or slow performance
Likely Cause: Network congestion, MTU issues, inefficient routing, or issues with the target service.
Action: Monitor network bandwidth. Check MTU settings on NICs and intermediate devices. Use Network Watcher to analyze latency. Check service health and performance metrics.
General Tip: When troubleshooting, it's often helpful to isolate the problem. Test connectivity from a VM in the same VNet as the Private Endpoint, then from a peered VNet, and finally from on-premises to pinpoint where the issue lies.