This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 30%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
I have successfully created AKS and VPN and able to ping private nodes after connecting to VPN via macos Azure VPN client but not able to resolve API endpoint of my private AKS cluster
Hello Amandeep Sadioura ,
Welcome to Q&A, You’ve set up a VPN connection to access your private AKS cluster. While you can ping the private nodes just fine, resolving the API endpoint of the cluster isn’t working as expected. Sounds like there’s a DNS resolution issue somewhere along the way.
I’m assuming you’ve already got the essentials covered: the VPN connection is established, and the setup for your AKS cluster and the private DNS zone has been done. Also, the VPN client itself is correctly configured and functional enough to connect to the network.
Here some suggestions to find a solution for your issue:
nslookup <your-private-aks-endpoint> <dns-server-ip>
Finally, ensure there are no firewall rules blocking DNS traffic between your VPN client and the private DNS zone. Firewalls can sometimes restrict traffic even when everything else seems to be properly configured.
References:
If the information helped address your question, please Accept the answer.
Luis
Hi Luis,
Thanks for getting back to me
I am on Mac and using Azure VPN client which has split tunneling by default
nslookup aks-dev-xxxxxxx.privatelink.canadacentral.azmk8s.io 168.63.129.16connection timed out; no servers could be reached
Thanks and please let me know what else I can try
Amandeep
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 38%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
To add DNS suffixes, modify the downloaded profile XML file and add the <dnssuffixes> private DNS zone name and then import.
https://learn.microsoft.com/en-us/azure/virtual-wan/azure-vpn-client-optional-configurations
Private DNS Zones in Azure do not automatically propagate DNS settings to P2S VPN clients, you need to configure your own DNS proxy/forwarder.
Please find the workaround followed here for more detailed information: https://learn.microsoft.com/en-us/answers/questions/39571/not-resolving-private-dns-zone-over-point-to-site
If the information is helpful, please click on "Upvote"
If you have any queries, please do let us know, we will help you.
Hi Markapuram
I tried with below but result is still same
<clientconfig>
<dnssuffixes>
<dnssuffix>privatelink.canadacentral.azmk8s.io</dnssuffix>
</dnssuffixes>
</clientconfig>
Added that block in XML and re-import in Azure VPN Client on my Mac
Then reconnected
nslookup aks-dev-xxxxxxx.privatelink.canadacentral.azmk8s.io
Server: 8.8.8.8
Address: 8.8.8.8#53
Seems like it's still taking DNS as 8.8.8.8 and not resolving even with dnssuffix
Let me know what can I do next
Sincerely,
Amandeep
Hello Amandeep Sadioura,
It looks like the core issue is that Azure DNS (168.63.129.16) isn’t reachable from P2S VPN clients, which is expected behavior. Adding a <dnssuffix> alone won't help if the DNS server being used is still 8.8.8.8.
You can try to resolve this by following the below steps once-
Once done, reconnect your VPN and nslookup for the AKS private endpoint should succeed.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 99%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBA%3C/text%3E%3C/svg%3E)
@Amandeep Sadioura We noticed that we haven't received a response to our previous message regarding the DNS issue with your private AKS cluster in the VPN. We wanted to follow up everything is clear and to see if you were able to try the suggestions provided, such as setting up a DNS forwarder or modifying VPN
Your input will help us proceed with the next steps. If you need any further assistance with the setup or troubleshooting please let us know we are here to help and happy to assist with any questions you may have.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 82%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVV%3C/text%3E%3C/svg%3E)
Based on your nslookup result, the DNS resolution is not happening correctly.
Note: 168.63.129.16 is a special Azure internal DNS IP that is only accessible by Azure VMs. VPN Client users cannot use 168.63.129.16 for DNS resolution.
To resolve the issue, you may use one of the following methods.
Path of local Hostfile : C:\Windows\System32\drivers\etc
10.224.0.4 bda7ddb4-662a-4776-945b-d40289bcfb86.privatelink.eastus.azmk8s.io
10.224.0.4 demo-aks-aks-rg-98bcca-v140dnbh.hcp.eastus.azmk8s.io(API Server)
Hostname.
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
I really appreciate your feedback. It’s valuable to us. Please click Accept Answer on this post to assist other community members facing similar issues in finding the correct solution.
I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.