I'm working with an Azure Virtual Network that uses a custom on-prem DNS server and I've set up a Site-to-Site VPN connection between my on-prem environment and Azure. I've created Private Endpoints, along with Private DNS zones and VNet links for my Storage Accounts (specifically the dfs subresource) and a Key Vault. My Private DNS zones have A-records for the Private IPs. Now, I need help figuring out how to configure my on-prem DNS server so that clients can resolve the private endpoint FQDNs (like mystorageaccount.dfs.core.windows.net) to the appropriate Azure private IPs. Importantly, I want to accomplish this without using an Azure DNS forwarder VM or Azure DNS Private Resolver. Any suggestions?
5 Answers
Just a thought: to ease your life a bit, even a minimal Azure VM could serve as a DNS server that communicates with the Azure side. It wouldn't be costly, and it simplifies the whole process of name resolution.
You'll need to set up conditional forwarders on your on-prem DNS for it to resolve Azure private endpoints. However, it's tricky because without a VM in Azure or a Private Resolver, the conditional forwarder won't reach the Azure DNS servers, which are required for resolution to work properly.
Exactly! An on-prem forwarder won't be able to reach the Azure wire server directly.
I'd suggest creating a zone in your on-prem DNS and manually entering the records for your private endpoints. This way, you can resolve the FQDNs without needing Azure's infrastructure, though it does require more upkeep.
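One way to carry out the "create a zone on-prem and enter the records by hand" approach, as an added example that is not part of the thread: the script below targets a Windows DNS server with the DnsServer PowerShell module (an assumption; the question does not say which on-prem DNS product is in use). It mirrors the Azure Private DNS zones for the dfs and Key Vault endpoints. The zone names are the Azure privatelink zone names rather than dfs.core.windows.net itself, because the public name mystorageaccount.dfs.core.windows.net is a public CNAME to mystorageaccount.privatelink.dfs.core.windows.net; hosting only the privatelink zone locally keeps the rest of the public namespace resolving normally. The account and vault names and the 10.1.2.x addresses are constructed placeholders; copy the real values from the A records in your Azure Private DNS zones.

```powershell
# Added example (not from the thread): mirror Azure Private DNS zones on an
# on-prem Windows DNS server. Run elevated on the DNS server.
# Zone = Azure privatelink zone name, Name = endpoint host label,
# IP = private endpoint address (constructed placeholders below).
$records = @(
    @{ Zone = 'privatelink.dfs.core.windows.net'; Name = 'mystorageaccount'; IP = '10.1.2.4' },
    @{ Zone = 'privatelink.vaultcore.azure.net';  Name = 'mykeyvault';       IP = '10.1.2.5' }
)

foreach ($r in $records) {
    # Create the zone once as a file-backed primary zone.
    # Use -ReplicationScope instead of -ZoneFile for an AD-integrated zone.
    if (-not (Get-DnsServerZone -Name $r.Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $r.Zone -ZoneFile "$($r.Zone).dns"
    }

    # Add the A record, or update it in place if the private IP changed.
    $existing = Get-DnsServerResourceRecord -ZoneName $r.Zone -Name $r.Name -RRType A `
        -ErrorAction SilentlyContinue
    if ($existing) {
        $new = $existing.Clone()
        $new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($r.IP)
        Set-DnsServerResourceRecord -ZoneName $r.Zone -OldInputObject $existing -NewInputObject $new
    } else {
        # Short TTL so a changed endpoint IP propagates quickly to clients.
        Add-DnsServerResourceRecordA -ZoneName $r.Zone -Name $r.Name -IPv4Address $r.IP `
            -TimeToLive 00:05:00
    }
}

# Verify on the server: the public FQDN should follow its CNAME into the local
# privatelink zone and answer with the private IP rather than the public one.
Resolve-DnsName -Name 'mystorageaccount.dfs.core.windows.net' -Server 127.0.0.1 -Type A
```

Two things to check after running it: the on-prem server must still be able to resolve the public CNAME step (dfs.core.windows.net stays an ordinary Internet lookup through your usual forwarders or root hints), and a private endpoint that is deleted and recreated gets a new address, so the local records need the same upkeep the answer above mentions.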
You might also want to set up the private endpoints using static IP addresses and just keep your DNS records updated. It works well for less frequent changes.
Alternatively, using a host file could work for a fixed FQDN to IP mapping, but make sure you know it can't reach the private DNS zone without Azure forwarders.
To resolve private zones from non-Azure machines, you generally need some form of DNS forwarder in Azure that can connect with the wire server. If you're determined not to use Azure DNS, consider manually duplicating those private zones on your local DNS server.
Another option would be to explore the Azure Private Resolver. It integrates well with custom DNS setups and doesn't require a full-on VM if configured correctly. Check out the docs for a clearer idea.
Conditional forward to what, though? The original poster mentioned they want to avoid using a VM or Private Resolver.