Azure DNS Private Resolver

I recently assisted a client in provisioning a greenfield Azure DNS Private Resolver solution.

The objective of this deployment was to simplify the architecture and minimize the administrative burden. To achieve this, I advised the client to centralize the provisioning of all Azure PaaS private endpoints within the same virtual network as the Azure DNS Private Resolver deployment.

#Ive added links to 2 PowerShell scripts in the article for faster deployment#

There are advantages of following this simplistic design:

#1 Security – Restricting the IAM of the resource group to the DNS security group minimizes the risk to DNS artifacts, private endpoints, or the private resolver platform.

#2 No RuleSet Rules – When private endpoints are provisioned on the same VNet as the Azure Private DNS Resolver, there's no need to create rules in your RuleSet. Avoid creating rules that loop back onto the same inbound endpoint on the same VNet, as this will result in DNS resolution loops. Don’t do it.

#3 Virtual Network Links – Since private endpoints are on the same Azure DNS Private Resolver virtual network, you only need to create one virtual network link referencing the HUB virtual network where the Azure Private DNS Resolver resides. Your DNS queries originate and resolve on the same virtual network.

#4 Spoke VNets:

• Custom DNS: The spoke VNets will reference the HUB VNet via their custom DNS. The spoke VNets must update their custom DNS server list with the Azure DNS Private Resolver inbound endpoint IP placed at the top of the list.
• Peering: The spokes need to be peered to the Azure DNS Private Resolver HUB virtual network.

#5 Azure DNS Private Resolver "HUB" Vnet – The Azure DNS Private Resolver virtual network custom DNS server list must be updated with the Azure DNS ip address 168.63.129.16.

#6 On-Premises DNS – each Azure domain record being queried needs to be added as conditional forwarders.

#7 Administrative Burden - By placing the private endpoints on the same virtual network as the Azure DNS Private Resolver, the administrative burden is reduced, as Azure DNS RuleSet rules no longer need parallel updates.

Deployment

Step 1 - Subscription

Select a subscription that will be used for the Azure DNS Private Resolver.

Step 2 - Resource Groups

Create three dedicated resource groups with locks:

DNS HUB virtual network infrastructure resource group

Private endpoints resource groups (could create separate resource groups based on environment / projects etc)

Azure Private DNS Resolver resource group

Step 3 - Deploy Hub virtual network

#(The following can be deployed using my PowerShell)

Provision a Hub virtual network that will be used to provision the Azure Private DNS Resolver.

The virtual network will consist of three subnets:

Subnet 1: Dedicated to the Azure-Private-Resolver-Endpoint-Inbound

* Identify the first usable ip address that will be assigned to the inbound ip address. You will be statically assigning this DNS endpoint.

Subnet 2: Dedicated to the Azure-Private-Resolver-Endpoint-Outbound

Subnet 3: Dedicated to Private-Endpoints

#Custom DNS server list: If you are provisioning private endpoints on the same vnet as your Azure Private DNS Resolver, configure the Azure Private DNS Resolver "HUB" virtual network 1st custom DNS server entry with the Azure DNS ip address 168.63.129.16

Spoke 4 - Peering Spoke virtual network

Configure peering between the HUB and Spoke virtual networks. Peering (in combination with custom DNS) avoids having to configure virtual network links in the Azure Private DNS Resolver virtual network links each time.

Step 5 - Spoke virtual networks DNS

Insert the Azure DNS Private Resolver inbound ip as the 1st custom DNS ip address on each spoke vnet.

##Since you wont have the Azure DNS Private Resolver inbound ip deployed as yet, this will be based on your planning of the allocated static ip in the dedicated inbound subnet##

Configure the spoke network with the APR inbound endpoint.

Step 6 - Azure Private DNS Resolver

#(My PowerShell script will deploy the following for you, namely:

an Azure DNS Private Resolver with Inbound and Outbound endpoints, a RuleSet and a virtual network link),

#1 Provision the Azure DNS Private Resolver resource,

#2 Provision the Inbound Endpoint,

#3 Provision the Outbound Endpoint,

Configure the Inbound endpoint with a static IP address,

Step 7 - Azure DNS forwarding ruleset

The RuleSet will link to the Azure Private DNS Resolver outbound endpoint which is used to make the DNS queries

Provision the RuleSet,

RuleSet Name: "Azure-DNS-Forwarder",

Linked to the correct region,

Link to the Azure Private Resolver outbound endpoint,

<#When you provision private endpoints on the same vnet as your Azure DNS Private Resolver, then point the Virtual Network Link only to the HUB vnet. The spokes will reference the Azure DNS Private Resolver via their custom DNS inbound endpoint ip#>

Verification

After deploying your Azure DNS Private Resolver , you can logon to a virtual machine in a configured (as above) spoke vnet and run a telnet test to ensure that you can connect to the Azure Private Resolve inbound endpoint.

Step 8 - Private Endpoints

Provision the private endpoints into the dedicated resource group and dedicated subnet on the Hub virtual network.

?

Step 9 - Private Hosted Zone

Configure the private hosted zone into a dedicated private endpoints resource group per your business environment.

?

Step 10 - On-premises DNS server

Configure the conditional forwarders custom DNS zones and point them to the Azure DNS Private Resolver inbound endpoint

Step 11 - Testing

In a spoke / on premises environment, test with

nslookup <name>.domainname

and

resolve-dnsName

delete1al.database.windows.net

You are expecting to the get the DNS resolution of the private link ip address.