Troubleshooting Azure Private Link
This article provides guidance on diagnosing and resolving common issues encountered when using Azure Private Link.
Common Scenarios and Solutions
1. Connection Issues
If you're unable to establish a connection to your Private Endpoint or Private Link Service:
- Check Network Security Groups (NSGs): Ensure that NSGs associated with your Private Endpoint's subnet or the service consumer's subnet allow traffic on the required ports (typically 443 for management, or specific application ports).
- Verify Private DNS Zone Configuration: For Private Endpoints, verify that the correct Private DNS Zone is linked to the Virtual Network where your Private Endpoint resides. The DNS records for the service FQDN should resolve to the Private Endpoint's IP address.
- Subnet Delegation: If your Private Endpoint is in a subnet delegated to a specific service, ensure the delegation is correctly configured.
- Service Health: Check the Azure Service Health dashboard for any ongoing incidents that might be affecting Private Link or the associated service.
- Firewall Rules: If there are any network firewalls (e.g., Azure Firewall, NVA) between your client and the Private Endpoint, ensure they are configured to allow traffic.
2. DNS Resolution Problems
Difficulty resolving the FQDN of the service through Private Link:
- Private DNS Zone Linkage: Confirm that the Private DNS Zone (e.g., privatelink.blob.core.windows.net) is linked to the VNet containing your Private Endpoint.
- Record Existence: Ensure that an A record exists in the Private DNS Zone for the service's FQDN, pointing to the Private Endpoint's IP address.
- DNS Server Configuration: If you're using custom DNS servers, ensure they are configured to forward DNS queries for the Private Link domain to the Azure DNS resolver or the correct Private DNS Zone.
- On-Premises Resolution: For hybrid connectivity, verify that your on-premises DNS servers can resolve the FQDN via conditional forwarders or the Azure DNS resolver.
Tip: You can use nslookup <service-fqdn> from a VM in the VNet to test DNS resolution.
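The nslookup tip tells you what the FQDN resolves to, but the useful question is whether that answer is the Private Endpoint's IP inside your VNet or a public IP, which would mean the Private DNS Zone is not linked or the custom DNS server is not forwarding. The following script is an added example (not part of this article or the Azure tooling) that runs on a VM in the VNet and classifies the answer; the VNet address space, FQDN and sample addresses are constructed placeholders.

```python
import ipaddress
import socket
from typing import Iterable, List

def resolve_all(fqdn: str) -> List[str]:
    """Resolve fqdn with the VM's configured resolver (same answer nslookup would show)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return []  # NXDOMAIN or resolver failure
    return sorted({info[4][0] for info in infos})

def classify_resolution(fqdn: str, addresses: Iterable[str], vnet_cidrs: Iterable[str]) -> str:
    """Explain what the resolved addresses say about Private Link DNS.

    vnet_cidrs: the address space of the VNet holding the Private Endpoint.
    """
    nets = [ipaddress.ip_network(c) for c in vnet_cidrs]
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if not addrs:
        return f"NXDOMAIN: no A record for {fqdn}; check the Private DNS Zone linkage and record"
    in_vnet = [a for a in addrs if any(a in n for n in nets)]
    public = [a for a in addrs if a.is_global]
    if in_vnet and not public:
        return f"OK: {fqdn} resolves to the Private Endpoint IP {in_vnet[0]} inside the VNet"
    if public and not in_vnet:
        return (f"PUBLIC: {fqdn} resolves to {public[0]}; the Private DNS Zone is not linked "
                "to this VNet or the custom DNS server is not forwarding to Azure DNS")
    if in_vnet and public:
        return f"MIXED: {fqdn} returns both private and public answers; check for stale records"
    return f"UNEXPECTED: {fqdn} resolves to {addrs[0]}, a private address outside the VNet"

if __name__ == "__main__":
    # Constructed placeholders: replace with your service FQDN and VNet address space.
    fqdn = "mystorage.blob.core.windows.net"
    print(classify_resolution(fqdn, resolve_all(fqdn), ["10.0.0.0/16"]))
```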
3. Private Link Service Issues
Problems related to exposing a service using Azure Private Link Service:
- Load Balancer Configuration: Ensure the Standard Load Balancer associated with the Private Link Service has a valid frontend IP configuration and health probes are correctly set up.
- Network ACLs (Network Security Groups): Verify that NSGs on the backend pool subnet of the load balancer allow inbound traffic from the Private Link Service IPs or the consumer's VNICs.
- Visibility and Aliases: Double-check that the alias of your Private Link Service is correctly shared with consumers and that they are using the correct alias to request a Private Endpoint.
4. Service-Specific Troubleshooting
Some services have specific troubleshooting steps:
- Troubleshooting Azure Storage Private Link
- Troubleshooting Azure SQL Database Private Link
- Troubleshooting Azure Key Vault Private Link
- Troubleshooting Azure Kubernetes Service (AKS) Private Clusters
5. Advanced Diagnostics
- Network Watcher: Utilize Azure Network Watcher's features like IP flow verify, connection troubleshoot, and packet capture to analyze network traffic and identify blocking rules.
- Connection Monitor: Configure Connection Monitor to continuously test connectivity between your endpoint and the service.
- Azure Monitor Logs: Collect diagnostic logs from Private Endpoints and Private Link Services for detailed analysis.
Important: Ensure you have the necessary permissions to view network configurations and diagnostic logs.