IOT DNS request for BLOB storage connection

Question

IOT DNS request for BLOB storage connection

Joseph Castelnovo 0

I am trying to figure out how an on prem IOT with private IP does the initial connection to connect to blob storage. It is behind a NAT gateway to the Internet.

I read IOT devices built to use AZURE Blob Storage have a preconfigured DNS address 168.63.129.16. The Azure private resolver What DNS resolution request is being sent from the IOT to the resolver. (something) [hostname].blob.core.windows.net:443 ssl. The Azure private resolver returns what ? A configuration message that provides hostname, connection logon information ?

I am lost on how the connection proceeds. Some SSL tunnel that connects to an AZURE Private IP configured by the Tennent. So no traffic ever has access to the Internet.

Pranitha Maddi 5 Reputation points Microsoft External Staff Moderator

2025-07-31T07:07:34.91+00:00
Hi Joseph Castelnovo ,

Thanks for your question on the Microsoft Q&A portal!

It sounds like you're trying to understand how your on-premises IoT device connects to Azure Blob Storage while behind a NAT gateway.

Here is the Step-by-step breakdown of the connection flow:

Here’s how the connection from the IoT device to Azure Blob Storage works, even with the NAT gateway in place.

Step 1: IoT Device DNS Resolution (Private Resolver)

The IoT device, being on a private network, needs to resolve the domain name for Blob Storage (e.g., yourstorageaccount.blob.core.windows.net).

It sends a DNS request to the Azure Private DNS Resolver at IP address 168.63.129.16. This request is for resolving the Blob Storage domain. DNS Request Example:

Requested Domain: yourstorageaccount.blob.core.windows.net

DNS Server: 168.63.129.16

Step 2: Azure DNS Resolver (Private Resolver)

Azure’s DNS resolver does not use public internet DNS. Instead, it checks if the requested service is available via Azure's private IP space.

If the requested Blob Storage endpoint is part of the private Azure network, the resolver responds with a private IP (which is only accessible from within the Azure network or via a VPN/ExpressRoute). The DNS response might look like:

Private IP Address: 10.x.x.x (private network IP in Azure, part of the same region)

The IoT device gets this private IP instead of a public IP address.

Step 3: Establishing the SSL Tunnel

Now that the IoT device has resolved the Blob Storage’s private IP address from the DNS request, it will initiate an SSL/TLS connection to that IP over port 443 (standard HTTPS port).

This connection is secure and encrypted, meaning your IoT device communicates directly with Azure Blob Storage using SSL over the private IP.

Step 4: NAT Gateway Handling Outbound Traffic

Since your IoT device is behind a NAT gateway, it will use the gateway to route its outbound traffic to the internet. The NAT gateway translates the private IP of the IoT device to a public IP address (making it possible for the IoT device to communicate with Azure, but still without directly exposing the device to the internet).

This means, even though the device is behind a NAT, the device still sends traffic to Azure Blob Storage securely via the private IP assigned by the Azure resolver. The key point: no inbound traffic can reach your IoT device directly because of the NAT Gateway, but the outbound traffic (from the IoT device to Azure Blob Storage) is allowed.

Step 5: Blob Storage Connection Established

The IoT device establishes a secure SSL connection to Azure Blob Storage without ever needing to use a public IP address.

Communication with the Blob Storage happens over the private IP, avoiding internet exposure while using the SSL tunnel for security.

Here is the detailed answer which is asked in the question("The Azure private resolver returns what ? A configuration message that provides hostname, connection logon information ?)

if you’re using Azure DNS Private Resolver, it acts as a bridge between your on-prem DNS and Azure’s private DNS zones. It:

Accepts DNS queries from your on-prem network

Resolves them using Azure’s private DNS zones

Returns the private IP of the endpoint

No configuration messages or credentials are returned via DNS—just IP addresses.

Would you be open to sharing an update or letting me know if further clarification or assistance would be helpful?

Thank you again for your time. I’m happy to continue supporting you—your experience and insights can also benefit others in the community.

Thanks,

Pranitha
Joseph Castelnovo 0 Reputation points

2025-07-31T11:24:45.9866667+00:00

So how does it authentic. I have to pay the vendor for for the storage. How is my name or account -tennent passed from the iot-camera to storage is the tennent the vendor of the camera or myself. Thanks...Joe

1 answer

Your answer

Joseph Castelnovo 0 Reputation points

2025-07-31T11:24:45.9866667+00:00

So how does it authentic. I have to pay the vendor for for the storage. How is my name or account -tennent passed from the iot-camera to storage is the tennent the vendor of the camera or myself. Thanks...Joe

Answer 1

Manas Mohanty 8,150 Microsoft External Staff Moderator

Hi Joseph Castelnovo

It seems you are trying to pass data from on-prem data with a private IP to Azure Storage.

We normally add the IOT devices through device connection string or X-509 or symmetric keys to destined Storages

But it won't be straight forward as you have private IPs on your Prem IOT device so you would be needing to secure your storage and IOT Hub with private endpoints.

and setup a conditional forwarder or DNS resolver on prem-DNS server to foreword the queries to Azure DNS server to look up private Ips for respective storage and IOT Hubs

You also need modify to outbound traffic in your NAT Gateway or Network security group or firewall to allow outbound connection to Storage and IOT Hub private IPs.

Once DNS resolution happens on storage and IOT hub with outbound traffic allowed on your on prem NAT Gateway, you send traffic to destined storage

Sample Diagrams from on Prem IOT to Private Azure Storage

generated_image

Sample Diagram on Custom DNS from Azure ML (for Explaining DNS server and conditional forwarding to Azure DNS server)

Diagram of custom DNS hosted in Azure topology

Reference

Register devices in IOT hub

Route data from IOT hub to storage

Custom DNS for Azure ML (for understanding on prem DNS server and conditional forewarding)

Troubleshoot connection to devices

Hope it gives the needed clarity on routing query from devices with on prem private IP to Azure private resources.

Thank you

Manas Mohanty 8,150 Reputation points Microsoft External Staff Moderator

2025-08-07T01:53:13.03+00:00

Hi Joseph Castelnovo

Just wanted to emphasize that you might need to set up a p2s or s2s VPN connection to be in azure virtual network.

There should be a on prem DNS server looking for private ips of storage and IOT Hub.

We should have storage declared as routing endpoint from IOT hub and on prem IOT hub should be using device connection string or X509 or symmetric key to communicate with IOT hub.

Thank you
Manas Mohanty 8,150 Reputation points Microsoft External Staff Moderator

2025-08-08T01:33:34.3166667+00:00

Hi Joseph Castelnovo

We could not hear from you. Hope you found the above explanation useful.

Thank you
Joseph Castelnovo 0 Reputation points

2025-08-08T12:19:28.3266667+00:00

Yes, Thanks, Thi IOT device/camera is pretty dumb, not much you can configure. I do not know all the details. Still researching
Manas Mohanty 8,150 Reputation points Microsoft External Staff Moderator

2025-08-11T07:10:42.21+00:00

Hi Joseph Castelnovo

You can use Azure IOT edge to enroll a IOT Devices for the Supported Platforms https://learn.microsoft.com/en-us/azure/iot-edge/how-to-deploy-at-scale

Thank you.

Share via

IOT DNS request for BLOB storage connection

1 answer

Your answer