Connecting to Azure backend services (storage/sql/cosmos etc.) from inside the mesh
I’m trying to understand the following scenario:

  • I have a private AKS cluster, with Azure CNI and UDR mode, with Consul Mesh enabled
  • deny-all service intention is in effect
  • individual service intentions permit traffic between individual services
  • pods connect to backend storage running in Azure (storage account(s), etc.)
  • backend connectivity is enabled via private-endpoints, public endpoints are blocked

How do I configure Consul in order to achieve this sort of connectivity?
Without the Consul mesh, a service queries the DNS for the hostname of the storage account instance, and the Azure DNS resolver returns the private-endpoint’s IP address. What needs to be done in order to properly configure Consul to permit outbound connectivity to the said backends?
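For reference, the deny-all plus per-service intentions described in the question look like this when expressed as Consul on Kubernetes `ServiceIntentions` resources. This is an added illustration, not configuration from the original post; the service names `frontend` and `api` are placeholders chosen here.

```yaml
# Constructed example: wildcard deny-all intention, so nothing in the mesh
# may talk to anything else unless a more specific intention permits it.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: deny-all
spec:
  destination:
    name: '*'
  sources:
    - name: '*'
      action: deny
---
# Constructed example: a specific allow intention that overrides the wildcard
# for one source/destination pair (hypothetical service names).
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: frontend-to-api
spec:
  destination:
    name: api
  sources:
    - name: frontend
      action: allow
```

Note that intentions only govern traffic between services registered in the mesh; a destination such as a storage-account private endpoint is not a Consul service, so whether the sidecar intercepts or bypasses that outbound traffic is decided by the proxy's outbound configuration (for example transparent-proxy exclusion annotations on the pod, or registering the endpoint as an external service), not by an intention.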