I'm working on a small home lab to sharpen my networking skills and need some guidance to successfully configure a Hub and Spoke model. I currently have two Virtual Networks (VNets): a Hub VNet and a spoke VNet (vnet1). In the Hub, I have a Network Virtual Appliance (NVA) VM set up primarily for traffic management. The Hub VNet and vnet1 are connected via VNet peering.
Inside vnet1, there's a Storage Account linked to a Private Endpoint. When I link the Private DNS Zone to the Hub VNet, everything functions smoothly, allowing me to access the Storage Account directly from the Hub VM.
However, I'm concerned about scalability as I plan to add more spoke VNets in the future. Every time I create a new spoke VNet, I'd have to manually link the Private DNS Zone, which seems tedious. That's why I'm considering using Azure DNS Private Resolver.
My plan is to set up the DNS Private Resolver in the Hub VNet, focusing on creating only the Inbound Endpoint, along with a rule to link it to the Private DNS Zone and the IP of the Storage Account. This way, new spoke VNets should automatically resolve DNS without needing to link the Private DNS Zone repeatedly.
However, a tool I consulted suggested that an Outbound Endpoint with rulesets is mandatory. I believe I don't need an Outbound Endpoint since my goal is internal DNS resolution. Please let me know if I'm misunderstanding something in this approach!
4 Answers
Consider using your NVA in the Hub for DNS resolution. If you're not needing to forward to an on-prem DNS setup, then the Private DNS Resolver may not be necessary at all. Just ensure your storage account's Private DNS Zone is linked only to the Hub; the spoke VNets can reference it directly.
This is a great chance to experiment with Infrastructure as Code! Try managing the linking of DNS more efficiently through scripts if you end up needing to connect multiple VNets often. Azure tools can help automate this process.
You don't need an Outbound Endpoint for internal DNS resolution in your setup. As long as you link your VNet to the Private DNS Zone, the inbound configuration should be enough. Just ensure your DNS settings on the spoke VNets point to the Inbound Endpoint of your Private DNS Resolver.
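As an added example (not part of the question or any of the answers), here is a Bicep template that builds the inbound-endpoint-only design this answer describes: the Private DNS zone is linked to the hub VNet only, the resolver's inbound endpoint gets a static IP in a delegated hub subnet, and the spoke VNet's DNS servers point at that IP. No outbound endpoint or ruleset is declared. All resource names, address ranges and the endpoint IP are assumed values; the hub-spoke peering and the storage account's private endpoint (which writes the A record into the zone via its DNS zone group) are assumed to already exist.

```bicep
// Added example, not from the question or any answer: hub-hosted Azure DNS Private
// Resolver inbound endpoint plus one spoke VNet that uses it. Names, address ranges
// and the static endpoint IP below are assumed values, not from the original post.
param location string = resourceGroup().location
param hubVnetName string = 'vnet-hub'
param spokeVnetName string = 'vnet1'
param resolverName string = 'dnspr-hub'
param inboundIp string = '10.0.1.4'   // static IP inside the resolver subnet; every spoke references it

// Hub VNet with a dedicated, delegated subnet for the resolver inbound endpoint.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: hubVnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-nva'
        properties: { addressPrefix: '10.0.0.0/24' }
      }
      {
        name: 'snet-dnsresolver-inbound'
        properties: {
          addressPrefix: '10.0.1.0/28'   // inbound endpoint subnets must be /28 or larger
          delegations: [
            {
              name: 'dnsResolverDelegation'
              properties: { serviceName: 'Microsoft.Network/dnsResolvers' }
            }
          ]
        }
      }
    ]
  }
}

resource resolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: resolverName
  location: location
  properties: {
    virtualNetwork: { id: hubVnet.id }
  }
}

// Inbound endpoint only: spokes send queries here and Azure-provided DNS in the hub
// answers them using the zones linked to the hub. An outbound endpoint and ruleset
// are only needed when queries must be forwarded elsewhere (for example on-prem DNS).
resource inbound 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'inbound'
  location: location
  properties: {
    ipConfigurations: [
      {
        privateIpAllocationMethod: 'Static'   // static, so spoke DNS settings never go stale
        privateIpAddress: inboundIp
        subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnet.name, 'snet-dnsresolver-inbound') }
      }
    ]
  }
}

// Private DNS zone for blob private endpoints, linked to the hub VNet only.
resource blobZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.core.windows.net'
  location: 'global'
}

resource hubZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: blobZone
  name: 'link-hub'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: hubVnet.id }
  }
}

// Spoke VNet: no zone link of its own; its DNS servers point at the hub inbound endpoint.
// New spokes only need this dhcpOptions block (plus peering) to resolve private endpoints.
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: spokeVnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    dhcpOptions: { dnsServers: [ inboundIp ] }
    subnets: [
      { name: 'snet-workload', properties: { addressPrefix: '10.1.0.0/24' } }
    ]
  }
  dependsOn: [ inbound ]
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file <file>.bicep`. Two points worth checking after deployment: VMs already running in the spoke keep their old DNS server until they renew their lease or restart, and a spoke that has no zone link and no DNS pointer at the inbound endpoint will fall back to Azure-provided DNS and receive the storage account's public IP rather than the private endpoint, which is the symptom to look for when a new spoke appears to bypass the private path.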
Linking the Private DNS Zone to each VNet is actually the right approach for consistency. The Private DNS Resolver is mainly needed for hybrid setups where on-premises DNS integration is required. In your fully Azure setup, it might just complicate things.