Notes from MS Learn AZ-700 Module 7: Design and Implement Private Access to Azure Services – Unit 4: Integrate Private Endpoint with Domain Name Service
Private DNS zones are typically hosted in the same subscription where the hub VNet is deployed. Central hosting is the recommended practice for cross-premises DNS resolution. In most cases only networking and identity admins have permissions to manage DNS records.
- Azure Private Endpoint DNS Configuration
- Below diagram shows a typical high-level architecture for an enterprise env with central DNS.
- Name resolution for Private Link resources done via Azure Private DNS
- (Image taken from MS Learn)
- Highlights of diagram
- On-prem DNS servers have conditional forwarders configured for each Private Endpoint
- DNS servers in hub VNet use Azure DNS resolver as forwarder
- All VNets have DNS forwarders configured as primary/secondary DNS servers
- DNS records follow lifecycle of Private Endpoint
- Significance of IP Addr 168.63.129.16
- VIP (public) that facilitates communication channel to Azure platform resources
- Enables VM Agent to communicate with Azure platform to signal that it is in a “Ready” state
- Enables communication with DNS virtual server providing filtered name resolution – Filtering ensures customers can resolve only hostnames to their resources
- Enables health probes from load balancer to determine health state of VMs
- Enables VMs to obtain dynamic IP addr from DHCP service in Azure
- Enables heartbeat messages for PaaS role
- DNS Configuration Scenarios
- FQDN of the service resolves to its public IP by default. To resolve to the private IP of the Private Endpoint, change the DNS config
- DNS is a critical component: the app only works correctly if the Private Endpoint IP resolves successfully
- Based on prefs follow these scenarios (taken from MS Learn site)
- On-prem workloads using DNS forwarder
- For on-prem workloads to resolve the FQDN of a Private Endpoint, use a DNS forwarder to resolve the Azure service public DNS zone
- A DNS forwarder is a VM running in a VNet linked to the Private DNS Zone
- Query to Azure DNS must originate from the VNet
- Proxy options include
- Windows DNS
- Linux DNS
- Azure FW
- Diagram below illustrates DNS resolution sequence from on-prem
- Configuration uses DNS forwarder in Azure
- Resolution made by private DNS zone linked to VNet
- (Image taken from MS Learn)
- Configuration needs
- On-prem network
- VNet connected to on-prem
- DNS forwarder in Azure
- Private DNS zone privatelink.database.windows.net with an A record
- Private Endpoint info (FQDN record name with private IP)
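- Added example (not from MS Learn): a small Python check that walks the CNAME chain of a Private Endpoint FQDN and reports whether it lands on the private IP or bypasses to the public endpoint. The server name, the 10.1.2.4 Private Endpoint IP, the 10.1.0.0/16 VNet space and the 203.0.113.10 public IP are constructed stand-ins; the two record views model a client without a forwarder versus a query originating from a VNet linked to the private zone.

```python
import ipaddress

# Constructed sample records (assumed names/IPs, not real Azure data).
# PUBLIC_VIEW: what a resolver that never reaches Azure DNS via the VNet sees.
# PRIVATE_VIEW: what a query originating from a VNet linked to the
# privatelink.database.windows.net private zone sees.
PUBLIC_VIEW = {
    "sqlsrv01.database.windows.net": ("CNAME", "sqlsrv01.privatelink.database.windows.net"),
    "sqlsrv01.privatelink.database.windows.net": ("CNAME", "dataclient.trafficmanager.net"),
    "dataclient.trafficmanager.net": ("A", "203.0.113.10"),  # constructed public IP
}
PRIVATE_VIEW = {
    "sqlsrv01.database.windows.net": ("CNAME", "sqlsrv01.privatelink.database.windows.net"),
    # A record the Private Endpoint creates in the private zone (follows its lifecycle)
    "sqlsrv01.privatelink.database.windows.net": ("A", "10.1.2.4"),
}


def resolve(name, view, max_hops=8):
    """Follow CNAMEs in the given record view until an A record is found.
    Returns (ip, chain) where chain lists every name visited in order."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = view.get(name, (None, None))
        if rtype == "A":
            return value, chain
        if rtype != "CNAME":
            raise LookupError(f"no record for {name}")
        name = value
        chain.append(name)
    raise LookupError("CNAME loop or chain too long")


def check_private_endpoint(name, view, vnet_space):
    """Classify the answer: inside the VNet space means the Private Endpoint
    is in use, anything else means the client is falling back to the public IP."""
    ip, chain = resolve(name, view)
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(vnet_space)
    status = "private-endpoint" if inside else "public-bypass"
    return {"ip": ip, "chain": chain, "status": status}


if __name__ == "__main__":
    for label, view in (("on-prem, no forwarder", PUBLIC_VIEW), ("VNet-linked zone", PRIVATE_VIEW)):
        r = check_private_endpoint("sqlsrv01.database.windows.net", view, "10.1.0.0/16")
        print(f"{label}: {' -> '.join(r['chain'])} = {r['ip']} [{r['status']}]")
```

To run this against a real resolver, replace the dictionary views with a lookup function; the classification logic stays the same.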
- Virtual Network and On-prem workloads using Azure DNS Private Resolver
- When using DNS Private Resolver – you don’t need DNS forwarder VM.
- Azure DNS is able to resolve on-prem domain names
- Below diagram uses DNS Private Resolver in hub-spoke topo
- Best practice: Azure landing zone design pattern recommends using this type of topo
- Hybrid net connection established using Azure ExpressRoute and FW
- Provides secure hybrid network
- DNS Private Resolver is deployed in hub network
- (Image taken from MS Learn)
- Reference Links taken from MS Learn
- Review the DNS Private Resolver solution components
- Review the traffic flow for an on-premises DNS query
- Review the traffic flow for a VM DNS query
- Review the traffic flow for a VM DNS query via DNS Private Resolver
- Review the traffic flow for a VM DNS query via an on-premises DNS server