Azure Hybrid DNS architecture

I recently assisted a client who needed to access their Azure resources via private endpoints from their on-premises offices. To enable this, I implemented a hybrid Azure DNS solution. This solution facilitates seamless integration and management of DNS resolution between on-premises resources and Azure-hosted resources, ensuring smooth connectivity to private endpoints.


Azure DNS Infrastructure dependencies:

  1. Private DNS Zones: When you create a Private Endpoint, it uses Azure Private DNS Zones to resolve the private IP address of the endpoint. This ensures that DNS queries for the private endpoint are resolved within your virtual network.
  2. Azure DNS Private Resolver: For on-premises workloads, the Azure DNS Private Resolver (a PaaS service) can be used to facilitate DNS resolution. This resolver is integrated with your on-premises DNS infrastructure, allowing seamless name resolution for private endpoints.
  3. Canonical Name (CNAME) Records: Azure creates CNAME records on the public DNS to redirect resolution to the private domain name. You can then override this resolution with the private IP address of your private endpoint.
  4. Network Interface Information: The network interface associated with the Private Endpoint contains the necessary information (FQDN and private IP addresses) for DNS configuration.


Prerequisites:

Azure Private Link allows you to connect to various PaaS services in Azure via a private endpoint.

For a list of PaaS services that support Private Link functionality, go to the Private Link Documentation page.

Step 1 - Provision the private endpoints on your Azure SQL Server. Identify or configure the internal IP address that is assigned to the endpoint, either manually or automatically, for example 10.29.2.5.

Remember that provisioning a private endpoint does NOT automatically deny public access to your resource. You still need to go to the Firewall settings of the resource and enable Deny public network access.

Step 2 - Provision the private DNS zones that are used to resolve the DNS names of your private endpoints.

Deployment:

These steps can be followed in conjunction with the diagram.

Step 1 - Your on-premises end user submits a DNS query for sqlsvr-x.database.windows.net to the designated on-premises DNS servers that host the client's local DNS zone.

Step 2 - Configure your on-premises internal DNS servers with a conditional forwarding rule for database.windows.net. When an on-premises DNS server receives a DNS query for a name under database.windows.net, it checks its conditional forwarding rules and forwards the query to the inbound endpoint of the Azure DNS Private Resolver.

Step 3 - The Azure DNS Private Resolver forwards the DNS query to the Azure DNS servers at 168.63.129.16. This custom DNS server address must be configured on the Azure virtual networks.

Step 4 - The Azure DNS server forwards the DNS query to an authoritative Azure DNS recursive resolver server to resolve the host name for sqlsvr-x.database.windows.net in the respective DNS virtual network.

Step 5 - The Azure DNS servers identify the pre-created private endpoint and return a DNS response with the name sqlsvr-x.PRIVATELINK.database.windows.net.

Note: Azure creates a canonical name DNS record (CNAME) on the public DNS for the private link. The CNAME record redirects the resolution to a private domain name. You can override the resolution with the private IP address of your private endpoints.

Note: Connection URLs for your existing applications don't change. Client DNS requests to a public DNS server resolve to your private endpoints. The process doesn't affect your existing applications.

Step 6 - The Azure DNS server performs a DNS query against sqlsvr-x.PRIVATELINK.database.windows.net in the Azure Private DNS zone.

Step 7 - The Azure Private DNS zone replies with the internal IP address of the private endpoint in the DNS response and sends it to the Azure DNS Private Resolver.

Step 8 - The Azure DNS Private Resolver receives a DNS CNAME response of sqlsvr-x.PRIVATELINK.database.windows.net with the internal IP address 10.29.2.5.

Step 9 - The Azure DNS Private Resolver sends a response back to the on-premises DNS servers containing the DNS CNAME response of sqlsvr-x.PRIVATELINK.database.windows.net with the associated internal IP address 10.29.2.5.

Step 10 - The on-premises DNS servers reply to the on-premises end user who submitted the initial DNS query for sqlsvr-x.database.windows.net with the DNS CNAME response of sqlsvr-x.PRIVATELINK.database.windows.net and the internal IP address 10.29.2.5.

Step 11 - The client is then able to connect directly to sqlsvr-x.PRIVATELINK.database.windows.net at the internal IP address 10.29.2.5 over the hybrid site-to-site VPN link.
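The two things worth verifying after this deployment are the prerequisite caveat (public network access actually denied on the SQL server) and that an on-premises client really receives the privatelink CNAME plus the endpoint's private IP (steps 5 to 10) rather than a public address. The following checker is an added example, not code from the original article; it works offline on constructed data, and the endpoint subnet 10.29.2.0/24, the JSON shape of `az sql server show`, and the sample answers are assumptions.

```python
import ipaddress

# Assumed subnet that the private endpoint NIC lives in (10.29.2.5 on this page).
ENDPOINT_SUBNET = ipaddress.ip_network("10.29.2.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def public_access_denied(server: dict) -> bool:
    """True only if 'Deny public network access' is set on the SQL server.
    `server` is the JSON document printed by `az sql server show -o json` (assumed shape)."""
    return str(server.get("publicNetworkAccess", "Enabled")).lower() == "disabled"


def check_resolution(name: str, answers: list) -> list:
    """Validate the answer section an on-premises client receives for `name`.
    `answers` holds (owner, type, rdata) tuples as shown by dig/nslookup.
    Returns findings; an empty list means the chain matches steps 5-10 above."""
    def norm(s):
        return s.lower().rstrip(".")
    findings = []
    labels = norm(name).split(".")
    expected = ".".join([labels[0], "privatelink", *labels[1:]])
    cnames = {norm(o): norm(r) for o, t, r in answers if t.upper() == "CNAME"}
    # Step 5: follow the CNAME chain from the public name to its terminal owner.
    cur, chain = norm(name), [norm(name)]
    while cur in cnames and len(chain) < 8:
        cur = cnames[cur]
        chain.append(cur)
    if expected not in chain:
        findings.append(f"no CNAME to {expected}: private endpoint may not exist for {name}")
    # Steps 6-7: the terminal name must come back as the endpoint's private IP.
    ips = [ipaddress.ip_address(r) for o, t, r in answers if t.upper() == "A" and norm(o) == cur]
    if not ips:
        findings.append(f"no A record for {cur}: private zone not linked or resolver not reached")
    for ip in ips:
        if not any(ip in n for n in RFC1918):
            findings.append(f"{cur} -> {ip} is public: query bypassed the private zone "
                            "(missing conditional forwarder or zone link)")
        elif ip not in ENDPOINT_SUBNET:
            findings.append(f"{ip} is private but outside the endpoint subnet {ENDPOINT_SUBNET}")
    return findings


# Constructed sample answers, not captured from a real environment.
GOOD = [("sqlsvr-x.database.windows.net.", "CNAME", "sqlsvr-x.privatelink.database.windows.net."),
        ("sqlsvr-x.privatelink.database.windows.net.", "A", "10.29.2.5")]
LEAKED = GOOD[:1] + [("sqlsvr-x.privatelink.database.windows.net.", "CNAME", "public-gw.example.net."),
                     ("public-gw.example.net.", "A", "203.0.113.10")]

if __name__ == "__main__":
    print("good:", check_resolution("sqlsvr-x.database.windows.net", GOOD))
    print("leaked:", check_resolution("sqlsvr-x.database.windows.net", LEAKED))
```

Feed `check_resolution` the answer section from a lookup run on an on-premises client; a public address in the result means the query never reached the private zone, which is exactly the misconfiguration the conditional forwarder in Step 2 is meant to prevent.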


Key Points

  • Integration with Azure DNS: Private Endpoints are designed to work seamlessly with Azure's DNS infrastructure, ensuring that DNS queries are resolved correctly within the private network.
  • Simplified DNS Configuration: By leveraging Azure DNS, you don't need to set up a custom DNS solution. The Azure DNS service manages and resolves domain names in your virtual network and connected networks.
  • Conditional Forwarding: For on-premises DNS servers, conditional forwarding rules can be set up to direct DNS queries for private endpoints to the Azure DNS infrastructure.




Udhay kumar

Senior Cloud Engineer | Azure | Infrastructure as Code (IaC) |Terraform | GitHub/GitLab CI/CD | Devops | AWS

1 month

Interesting

Eri Kejser

Cybersecurity | Cloud | Risk Management | Securing people, processes and technology!

1 month

Thank you for sharing!

Charles-Edouard Bettan

Senior Cyber Security Research Manager at Microsoft

1 month

Omri Refaeli ???? Tafat Gaspar. Look interesting Allen!

Dinesh jaisankar

Cloud & Infrastructure Architect | Hybrid & Multi-Cloud

1 month

well explained

Anandan Mariappan

Multi Cloud Infra + Devops : Ex-->| Reliance JIO | Microsoft | Mindtree | Accenture | Hewlett-Packard |Cognizant |CMS | 7 K+ LinkedIn Family |Helping Students and Professionals build their Careers|

1 month

Interesting


More articles by Allen Visser