Azure Private Endpoint and Private DNS Zone Integration
Overview
When you’re connecting to a private link resource using a fully qualified domain name (FQDN) as part of the connection string, it’s important to correctly configure your DNS settings to resolve to the allocated private IP address. Existing Microsoft Azure services might already have a DNS configuration to use when connecting over a public endpoint. This configuration needs to be overridden to connect using your private endpoint.
The network interface associated with the private endpoint contains the complete set of information required to configure your DNS, including FQDN and private IP addresses allocated for a particular private link resource.
You can use the following options to configure your DNS settings for private endpoints:
- Use the hosts file (only recommended for testing). You can edit the hosts file on a virtual machine to override DNS resolution on that machine only; nothing else in the virtual network is affected.
- Use a private DNS zone. You can use private DNS zones to override the DNS resolution for a particular private endpoint. A private DNS zone can be linked to your virtual network to resolve specific domains.
- Use your DNS forwarder (optional). You can use your DNS forwarder to override the DNS resolution for a particular private link resource. If your DNS server is hosted on a virtual network, you can create a DNS forwarding rule to use a private DNS zone to simplify the configuration for all private link resources.
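Whichever option you pick, the check that matters is the one made from inside the virtual network: does the app FQDN end in a private address, and is it the address allocated to the private endpoint? The script below is an added example, not part of the original article; it is meant to be run on a Windows VM in the VNet (it relies on Resolve-DnsName from the DnsClient module), and the app name and private IP are placeholders. It follows the CNAME chain that a private-endpoint-enabled web app publishes (the public name is a CNAME into privatelink.azurewebsites.net) and reports which of the three failure modes you are in if the override is not in effect.

```powershell
# Added example (not from the original article). Run on a VM inside the VNet.
# Assumes the Windows DnsClient module (Resolve-DnsName); names/IPs below are placeholders.

function Test-PrivateIPv4 {
    # True when the address is in an RFC 1918 range (10/8, 172.16/12, 192.168/16).
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-PrivateEndpointResolution {
    param(
        [Parameter(Mandatory)][string]$Fqdn,        # e.g. mywebapp.azurewebsites.net
        [Parameter(Mandatory)][string]$ExpectedIp   # private IP shown on the endpoint NIC
    )
    # The answer holds the CNAME hop(s) followed by the final A record(s).
    $answers = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
    $cnames  = @($answers | Where-Object Type -eq 'CNAME' | ForEach-Object NameHost)
    $addrs   = @($answers | Where-Object Type -eq 'A'     | ForEach-Object IPAddress)

    [pscustomobject]@{
        Fqdn           = $Fqdn
        CnameChain     = $cnames -join ' -> '
        Addresses      = $addrs -join ', '
        # A private-endpoint-enabled app always publishes a CNAME into privatelink.azurewebsites.net;
        # whether that name ends in a private or public address depends on the resolver path.
        ViaPrivateLink = [bool]($cnames | Where-Object { $_ -like '*.privatelink.azurewebsites.net' })
        AllPrivate     = ($addrs.Count -gt 0) -and
                         (@($addrs | Where-Object { -not (Test-PrivateIPv4 $_) }).Count -eq 0)
        MatchesNic     = ($addrs -contains $ExpectedIp)
    }
}

# Placeholders: use the FQDNs and IP listed on the private endpoint's network interface.
$site = Test-PrivateEndpointResolution -Fqdn 'mywebapp.azurewebsites.net'     -ExpectedIp '10.1.2.4'
$scm  = Test-PrivateEndpointResolution -Fqdn 'mywebapp.scm.azurewebsites.net' -ExpectedIp '10.1.2.4'

foreach ($r in @($site, $scm)) {
    $r | Format-List
    if (-not $r.ViaPrivateLink) {
        Write-Warning "$($r.Fqdn): no CNAME into privatelink.azurewebsites.net; is a private endpoint enabled on the app?"
    } elseif (-not $r.AllPrivate) {
        Write-Warning "$($r.Fqdn): resolved to a public address; the private zone is not linked to this VNet or the resolver bypasses it"
    } elseif (-not $r.MatchesNic) {
        Write-Warning "$($r.Fqdn): private address does not match the endpoint NIC; check for a stale or hand-edited A record"
    } else {
        "$($r.Fqdn) OK -> $($r.Addresses)"
    }
}
```

Both the site and the scm FQDN should land on the same private endpoint address. If the hosts file option was used, only the first two fields of the result are meaningful, since there is no CNAME hop; the RFC 1918 and NIC-match checks still apply.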
System Diagram
In this article we focus on private endpoint DNS configuration and explore the integration between a web app private endpoint and a private DNS zone.
For resource provisioning, please refer to https://cloudjourney.medium.com/azure-web-app-slots-and-private-endpoint-e4c49bdb49cd
Integration
In this example configuration, resolving the web app FQDN to its private IP requires an A record in the private DNS zone privatelink.azurewebsites.net. That zone is shared by every web app that enables a private endpoint.
Typically the privatelink.azurewebsites.net private DNS zone is centrally managed, while many different users own or manage their own app services.
The private endpoint's private DNS zone integration feature lets an app service developer define the DNS configuration for the private endpoint without holding direct A record management permission on the private DNS zone.
The app service developer only needs join permission on the private DNS zone; the developer cannot directly add, update or delete A records, neither for their own FQDN nor for any other user's app service FQDN.
More specifically, "Microsoft.Network/privateDnsZones/join/action" is required to join the private DNS zone, and "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write" to add the DNS configuration to the private endpoint.
testuser1 has one web app in subscription A, and a private endpoint has been created for it.
testuser1 has no permission to add or delete A records, and no permission to add a virtual network link to the zone.
testuser1 is able to add the DNS configuration to the app service private endpoint.
After the DNS configuration is added, A records for the app service are created in privatelink.azurewebsites.net, one for the site FQDN and one for the scm FQDN.
A private DNS zone is a global resource: it can hold A records for private endpoints in any region, so you do not need a zone in a specific region or one zone per region.
Private DNS integration can also be configured at the same time the private endpoint is created in the Azure portal, and you may select an existing zone from a different subscription.
The app service user or developer can also retire the private endpoint and its DNS configuration; when the DNS configuration is deleted, the corresponding A records are removed automatically.
Now let's delete the DNS configuration from the private endpoint.
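The permission split described above (zone join plus DNS zone group write for the developer, record management reserved for the zone administrator) and the add/delete cycle can be scripted end to end. The script below is an added example with Az PowerShell (Az.Resources, Az.Network, Az.PrivateDns); it is not from the original article. Resource names and the developer's object ID are placeholders, the read actions in the custom roles are an assumption added so the developer can select the zone and verify their own records, and for brevity both the zone and the endpoint are addressed from one Az context (use Set-AzContext if the zone lives in another subscription). Steps 1 and 2 run as the administrator; steps 3 to 5 run as testuser1.

```powershell
# Added example (not from the original article). Placeholders throughout.
$zoneRg      = 'rg-dns-hub'                        # the centrally managed zone lives here
$zoneName    = 'privatelink.azurewebsites.net'
$peRg        = 'rg-app-dev'                        # testuser1's resource group in subscription A
$peName      = 'pe-mywebapp'
$appName     = 'mywebapp'
$devObjectId = '00000000-0000-0000-0000-000000000000'   # Entra ID object ID of testuser1 (placeholder)

$zone = Get-AzPrivateDnsZone -ResourceGroupName $zoneRg -Name $zoneName
$pe   = Get-AzPrivateEndpoint -ResourceGroupName $peRg -Name $peName

# 1. Zone-side custom role: join only. No A/write, no virtualNetworkLinks actions.
#    The two read actions are an assumption so the developer can pick the zone and verify records.
$zoneJoiner = @{
    Name             = 'Private DNS Zone Joiner'
    IsCustom         = $true
    Description      = 'Lets a private endpoint register its records in the zone; cannot edit records or links'
    Actions          = @('Microsoft.Network/privateDnsZones/read',
                         'Microsoft.Network/privateDnsZones/A/read',
                         'Microsoft.Network/privateDnsZones/join/action')
    NotActions       = @()
    AssignableScopes = @($zone.ResourceId)
}
$zoneJoiner | ConvertTo-Json -Depth 5 | Set-Content -Path ./zone-joiner.json
New-AzRoleDefinition -InputFile ./zone-joiner.json
# Role definitions can take a moment to replicate before assignment succeeds.
New-AzRoleAssignment -ObjectId $devObjectId -RoleDefinitionName $zoneJoiner.Name -Scope $zone.ResourceId

# 2. Endpoint-side: manage the DNS zone group on this endpoint only.
#    (Contributor on the endpoint already includes these; shown explicitly to mirror the text.)
$dnsGroupManager = @{
    Name             = 'Private Endpoint DNS Zone Group Manager'
    IsCustom         = $true
    Description      = 'Create, read and delete DNS zone groups on a private endpoint'
    Actions          = @('Microsoft.Network/privateEndpoints/read',
                         'Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read',
                         'Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write',
                         'Microsoft.Network/privateEndpoints/privateDnsZoneGroups/delete')
    NotActions       = @()
    AssignableScopes = @($pe.Id)
}
$dnsGroupManager | ConvertTo-Json -Depth 5 | Set-Content -Path ./pe-dns-manager.json
New-AzRoleDefinition -InputFile ./pe-dns-manager.json
New-AzRoleAssignment -ObjectId $devObjectId -RoleDefinitionName $dnsGroupManager.Name -Scope $pe.Id

# 3. As testuser1: attach the zone to the endpoint. The platform, not the user, writes the A records.
$cfg = New-AzPrivateDnsZoneConfig -Name 'privatelink-azurewebsites-net' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $peRg -PrivateEndpointName $peName `
    -Name 'default' -PrivateDnsZoneConfig $cfg | Out-Null

# 4. Verify: the endpoint NIC lists the FQDN/IP pairs, and the zone now holds mywebapp and mywebapp.scm.
function Get-AppPrivateLinkRecordSets {
    param([string]$ZoneResourceGroup, [string]$Zone, [string]$App)
    foreach ($n in @($App, "$App.scm")) {
        Get-AzPrivateDnsRecordSet -ResourceGroupName $ZoneResourceGroup -ZoneName $Zone `
            -Name $n -RecordType A -ErrorAction SilentlyContinue
    }
}
$pe.CustomDnsConfigs | Select-Object Fqdn, @{n='IpAddresses'; e={ $_.IpAddresses -join ',' }}
Get-AppPrivateLinkRecordSets -ZoneResourceGroup $zoneRg -Zone $zoneName -App $appName |
    Select-Object Name, Ttl, @{n='IPv4'; e={ $_.Records.Ipv4Address -join ',' }}

# 5. Retire: deleting the zone group removes both records; confirm nothing was left behind.
Remove-AzPrivateDnsZoneGroup -ResourceGroupName $peRg -PrivateEndpointName $peName -Name 'default' -Force
$left = @(Get-AppPrivateLinkRecordSets -ZoneResourceGroup $zoneRg -Zone $zoneName -App $appName)
if ($left.Count -eq 0) { "A records for $appName removed from $zoneName" }
else { Write-Warning "Records still present: $($left.Name -join ', ')" }
```

Step 3 is the one to watch in an audit: testuser1 never calls a record-set cmdlet, yet after it runs the zone contains A records they could not have written themselves. If you need a stricter zone-side role than the one above, drop the two read actions; the join action alone is what the integration requires.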
Conclusion
In this article we explored private endpoint and private DNS zone integration, the RBAC permissions involved, and adding or deleting the DNS configuration.
This separates duties: the private DNS zone contributor administers the zone, while the app service developer manages the DNS records for the private endpoint FQDN without needing contributor permission on the zone itself.
A private DNS zone is a global resource that can hold A records for private endpoints in any region, so a zone in a specific region or one zone per region is not needed.