Azure Storage account private link custom domain

I have a storage account deployed with a Private Link. I want it to be accessible through my ExpressRoute.

I would like to set a custom domain name (storage1.companydomain.com). However, companydomain.com is not public; it's a private domain that I manage in my Windows Server DNS.

As far as I know, when assigning a custom domain to a storage account, there is a verification that a CNAME record exists. However, since this is a private domain, the CNAME verification will not work.

How can I assign a "private custom domain" to my storage account so that I can access it with that name through my ExpressRoute?

For Azure services, the Microsoft Wire Server will integrate with one of these recommended zone names, and unfortunately there is no "custom domain" scenario in this case. This answer provides additional info about what is going on.

From the docs:

When you create a private endpoint, the DNS CNAME resource record for the storage account is updated to an alias in a subdomain with the prefix privatelink. By default, we also create a private DNS zone, corresponding to the privatelink subdomain, with the DNS A resource records for the private endpoints.

When you resolve the storage endpoint URL from outside the VNet with the private endpoint, it resolves to the public endpoint of the storage service. When resolved from the VNet hosting the private endpoint, the storage endpoint URL resolves to the private endpoint's IP address.

Workaround: The only workaround is an internal Application Gateway. I've never done it for Blobs, but for Web Apps you must rewrite the host HTTP header, otherwise it won't work. Microsoft.Web services require that header to match the service, which must be the public name, as explained above.

There is another workaround (which I won't recommend because of this issue), which is validating your private domain name in the public DNS with a TXT record that you can later remove.

You can configure an Azure Storage account with a custom domain name using an on-premises DNS conditional forwarder.

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#name-resolution-that-uses-your-own-dns-server

To configure properly, you need the following resources:

  • On-premises network with a custom DNS solution in place
  • Virtual network connected to on-premises
  • DNS forwarder deployed in Azure
  • Private DNS zones
  • Private endpoint information (FQDN record name and private IP address)

The following diagram illustrates the DNS resolution from an on-premises network. DNS resolution is conditionally forwarded to Azure. The resolution is made by a private DNS zone linked to a virtual network.


You will also need to use private endpoints for Azure Storage. When you create a private endpoint, the DNS CNAME resource record for the storage account is updated to an alias in a subdomain with the prefix privatelink. By default, we also create a private DNS zone, corresponding to the privatelink subdomain, with the DNS A resource records for the private endpoints.

You should configure your DNS server to resolve the storage account name in the privatelink subdomain to the private endpoint IP address. You can do this by delegating the privatelink subdomain to the private DNS zone of the VNet, or configuring the DNS zone on your DNS server and adding the DNS A records.


https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints
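The following is an added example of the on-premises side of the setup described in the answer above; it is not code from the original question or answers. It is meant to run on a Windows Server DNS host with the DnsServer module and assumes these values: a DNS forwarder VM in the VNet at 10.0.0.4 that forwards to Azure DNS (168.63.129.16), a storage account named storage1, a private endpoint IP of 10.0.1.5, and the private zone companydomain.com from the question. It sets up either a conditional forwarder for the privatelink zone (option 1, the diagram's approach) or a locally hosted copy of that zone (option 2), adds the internal alias, and then checks that both names resolve to an RFC 1918 address rather than the public endpoint.

```powershell
# Added example, not part of the original answers. All addresses and names
# below are assumptions; replace them with your own.
$AzureDnsForwarder = '10.0.0.4'            # assumed: DNS forwarder VM in the VNet, forwards to 168.63.129.16
$StorageAccount    = 'storage1'            # assumed storage account name
$PrivateEndpointIp = '10.0.1.5'            # assumed private endpoint NIC IP (only needed for option 2)
$InternalDomain    = 'companydomain.com'   # private zone from the question
$PrivateLinkZone   = 'privatelink.blob.core.windows.net'

# Option 1 (matches the diagram): forward the privatelink zone to the
# forwarder in Azure, which answers from the private DNS zone linked to
# the VNet. Drop -ReplicationScope on a standalone (non-AD) DNS server.
if (-not (Get-DnsServerZone -Name $PrivateLinkZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $PrivateLinkZone `
        -MasterServers $AzureDnsForwarder -ReplicationScope 'Forest'
}

# Option 2 (instead of option 1): host the privatelink zone on-premises and
# publish the A record yourself. It must be updated by hand if the private
# endpoint is ever recreated with a different IP.
# Add-DnsServerPrimaryZone -Name $PrivateLinkZone -ReplicationScope 'Forest'
# Add-DnsServerResourceRecordA -ZoneName $PrivateLinkZone -Name $StorageAccount -IPv4Address $PrivateEndpointIp

# Internal alias: storage1.companydomain.com -> storage1.privatelink.blob.core.windows.net
if (-not (Get-DnsServerResourceRecord -ZoneName $InternalDomain -Name $StorageAccount `
            -RRType CName -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $InternalDomain -Name $StorageAccount `
        -HostNameAlias "$StorageAccount.$PrivateLinkZone"
}

# RFC 1918 check: a public IP in the answer means the query escaped the
# privatelink forwarding and traffic would leave the ExpressRoute path.
function Test-PrivateIPv4 {
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

# Verification: the public name (via its CNAME into privatelink) and the
# internal alias must both end up at the private endpoint IP.
foreach ($name in @("$StorageAccount.blob.core.windows.net", "$StorageAccount.$InternalDomain")) {
    $answers = Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' }
    foreach ($a in $answers) {
        $state = if (Test-PrivateIPv4 $a.IPAddress) { 'private OK' } else { 'PUBLIC - check forwarding' }
        '{0,-45} -> {1,-15} {2}' -f $name, $a.IPAddress, $state
    }
}
```

Two caveats a practitioner should keep in mind. First, this only fixes name resolution: the storage service's TLS certificate covers *.blob.core.windows.net and the service identifies the account from the Host header, so HTTPS requests to storage1.companydomain.com will fail certificate validation and the service will not recognise that name unless it has been registered as a custom domain (which is exactly what the public CNAME verification in the question is for). The safe pattern is for clients to keep using storage1.blob.core.windows.net, which after this change resolves to the private endpoint from on-premises. Second, the verification loop is worth keeping as a scheduled check, because a missing or broken forwarder fails open to the public endpoint rather than failing closed.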
