Hello @chin
It seems you're trying to set up a connection using Azure Private Link between two different tenants, which requires several layers of configuration. Here's a breakdown of your situation:
Cross-Tenant Configuration: Connecting across tenants using Azure Private Link is technically possible, but it needs proper configuration.
- Establish Cross-Tenant VNet Peering: Create a VNet peering connection between Tenant-A and Tenant-B, ensuring proper permissions and route sharing are configured across tenants.
- Ex: Configure User-Defined Routes (UDRs): In Tenant-B (VNet-B), define custom routes that direct traffic destined for on-premises networks to Tenant-A (VNet-A) as the next hop.
- Deploy a Network Virtual Appliance (NVA) or Azure Route Server in VNet-A: Use an NVA or Azure Route Server to manage route propagation and enable traffic forwarding from VNet-B to the on-premises environment via the existing ExpressRoute connection.
Since your DNS resolution is working and you've established the Private Endpoint, the basic setup appears correct. However, you should check a few things to troubleshoot the connectivity issue.
- Please ensure that the Network Security Groups (NSGs) are properly configured to allow inbound traffic from VM2 in Tenant B to the Private Endpoint in Tenant A, including verifying the inbound rules.
- Also, ensure that the Private DNS Zone used for SQL1/MySQL1 is linked to VM2 or that VM2 can correctly resolve the SQL database's private endpoint.
- If you are using VNet peering between the two tenants, make sure the peering settings allow traffic to flow as needed. You may need to enable 'Allow forwarded traffic' and/or 'Allow gateway transit'. Also, double-check the private IP assignment for the endpoint and confirm it is reachable from VM2.
- If direct connectivity via Private Link is not reliable, you could set up a VPN gateway to facilitate communication between the two VNets. If applicable, consider establishing a VNet-to-VNet connection.
Please share the below information for more understanding:
- Are there any specific error messages when you try to connect from VM2 to SQL1/MySQL1?
- Have you verified the specific inbound rules in the NSGs on both ends?
- Are you using any custom DNS settings beyond the default Azure routing?
- Can you provide details on how your VNets are configured (VNet peering, whether they are in the same region, etc.)?
- What specific methods are you trying for connection (e.g., direct connection, tools like telnet, etc.)?
- Share the Psping results from your source machine for further investigation.
Hope the above answer helps! Please let us know if you have any further queries.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
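As an added example (not part of the original answer or of any Microsoft tooling), the script below automates the two checks the answer asks the poster to run from VM2: whether the Private Endpoint hostname resolves to a private VNet address (a public answer means the Private DNS Zone is not linked to VM2's VNet or a custom DNS server is bypassing it) and whether a TCP handshake to the database port succeeds, the same probe psping performs. The hostnames, ports and IP addresses are constructed placeholders, and the `resolver`/`connector` parameters exist only so the logic can be exercised without a live Azure environment.

```python
"""Private Endpoint reachability triage (added example, not part of the original answer).

Run it on the client VM (VM2 in the thread). For each target it reports:
  - DNS status: private (expected), public (zone not linked / DNS bypass) or unresolved
  - TCP status: whether the database port completes a handshake (psping-style probe)
and suggests which layer of the answer's checklist to look at next.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional, Tuple

# Assumed target hostnames and ports; the real SQL1/MySQL1 FQDNs are not given in the thread.
TARGETS: Dict[str, Tuple[str, int]] = {
    "SQL1": ("sql1.database.windows.net", 1433),      # constructed placeholder
    "MySQL1": ("mysql1.mysql.database.azure.com", 3306),  # constructed placeholder
}


def classify_resolution(hostname: str, resolver: Callable[[str], str] = socket.gethostbyname) -> dict:
    """Resolve hostname and say whether the answer is a private (VNet) address.

    A Private Endpoint only works when the privatelink zone returns the endpoint's
    private NIC address; a public address means the client never enters the VNet path.
    """
    try:
        ip = resolver(hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return {"host": hostname, "ip": None, "status": "unresolved", "detail": str(exc)}
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        return {"host": hostname, "ip": ip, "status": "private",
                "detail": "resolves to a private endpoint address"}
    return {"host": hostname, "ip": ip, "status": "public",
            "detail": "public address: check the Private DNS Zone VNet link or custom DNS forwarding"}


def _default_connect(ip: str, port: int, timeout: float) -> bool:
    """Attempt a plain TCP handshake; no database protocol is spoken."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def tcp_reachable(ip: str, port: int, timeout: float = 3.0,
                  connector: Optional[Callable[[str, int, float], bool]] = None) -> bool:
    """psping-equivalent TCP probe. A timeout against a correct private IP usually
    points at NSG inbound rules, UDRs or peering flags rather than at DNS."""
    return (connector or _default_connect)(ip, port, timeout)


def diagnose(targets: Dict[str, Tuple[str, int]] = TARGETS,
             resolver: Callable[[str], str] = socket.gethostbyname,
             connector: Optional[Callable[[str, int, float], bool]] = None) -> Dict[str, dict]:
    """Combine both checks and map the outcome onto the answer's checklist."""
    report: Dict[str, dict] = {}
    for name, (host, port) in targets.items():
        res = classify_resolution(host, resolver)
        if res["ip"] is None:
            res["tcp"] = None
            res["next_step"] = "DNS failed: confirm the zone link and the VM's DNS server settings"
        else:
            res["tcp"] = tcp_reachable(res["ip"], port, connector=connector)
            if res["status"] == "public":
                res["next_step"] = "link the privatelink Private DNS Zone to VM2's VNet"
            elif res["tcp"]:
                res["next_step"] = "network path OK; look at database-level firewall and authentication"
            else:
                res["next_step"] = ("private IP but no TCP: review NSG inbound rules on both ends, "
                                    "UDRs and the peering's 'Allow forwarded traffic' setting")
        report[name] = res
    return report


if __name__ == "__main__":
    for name, result in diagnose().items():
        print(f"{name}: {result}")
```

Run it as-is on VM2 to get a per-target verdict; the `next_step` field tells you whether the failure sits in DNS (zone link), in the network path (NSG, UDR, peering flags) or past the network entirely.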