How to Set Up On-Premise DNS for Azure Private Link?

Asked By TechWiz567 On

I'm working with an Azure VNet that uses a custom DNS server on-premises. I have a site-to-site VPN set up between my on-prem environment and Azure, and I've created private endpoints along with private DNS zones and VNet links for services like Storage Accounts (specifically for the dfs subresource) and a Key Vault. My private DNS zones already have A-record entries for their private IPs. What I'm trying to achieve is having my on-prem clients resolve the private endpoint FQDNs (like mystorageaccount.dfs.core.windows.net) to the correct Azure private IPs without resorting to using an Azure DNS forwarder VM or Azure DNS Private Resolver. Can anyone guide me on how to configure my on-prem DNS server for this?

5 Answers

Answered By CloudGuru88 On

You'll need to use conditional forwarders on your on-prem DNS to redirect queries to the necessary Azure DNS resources.

ItSupportHero -

Just a heads up, a conditional forwarder from an on-prem machine might not reach the Azure wire server.

NetworkNerd42 -

Conditional forward to where? The question specifically mentions avoiding a VM in Azure or using the Private Resolver.

Answered By AzureFan101 On

For non-Azure systems to resolve private DNS zones in Azure, you actually need some sort of forwarder in Azure. Direct communication with the Azure wire server won’t work from non-Azure machines. You could also just create duplicates of those zones in your local DNS server if you're set on avoiding Azure DNS.

Answered By DNSMaster77 On

You should create a zone in your on-prem DNS and manually add the private endpoint records for the Azure resources that you need.

Answered By DevOpsDude On

I agree with the previous point of view. By not allowing a VM in Azure to act as your DNS server (or avoiding the Private Resolver), you're just complicating things. You could set up a low-spec VM in Azure that would cost next to nothing, which can communicate with the wire server.

Answered By NetworkingNinja On

Another approach is to set up your private endpoints with static IP addresses and then manually add DNS records in your on-prem environment. This way, if you're not frequently adding new private endpoints, it could work out just fine, though it does require manual updates.
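A worked version of the "duplicate the zones locally" approach described by AzureFan101, DNSMaster77 and NetworkingNinja above, added here as an example and not code from any of the posters. It assumes the on-prem DNS is a Windows DNS Server, a storage account named mystorageaccount, a Key Vault named mykeyvault, and constructed private endpoint IPs in 10.10.1.0/24; the two privatelink zone names are the standard Azure ones for the dfs and vault subresources.

```powershell
# Added example: host the Azure "privatelink" zones on the on-prem Windows DNS
# Server so on-prem clients resolve private endpoint names to their private IPs
# without an Azure forwarder VM or Private Resolver.
# The account/vault names and IPs below are assumptions (constructed sample data).
#Requires -Modules DnsServer

# Private endpoint NIC IPs, copied by hand from the A-records in the Azure
# private DNS zones.
$records = @(
    @{ Zone = 'privatelink.dfs.core.windows.net'; Name = 'mystorageaccount'; Ip = '10.10.1.4' },
    @{ Zone = 'privatelink.vaultcore.azure.net';  Name = 'mykeyvault';       Ip = '10.10.1.5' }
)

foreach ($r in $records) {
    # Create the zone once. The on-prem server becomes authoritative for the
    # privatelink zone, so nothing is forwarded to the Azure wire server.
    if (-not (Get-DnsServerZone -Name $r.Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $r.Zone -ZoneFile "$($r.Zone).dns"
    }
    # Add (or replace, if the endpoint was recreated with a new IP) the A-record.
    $existing = Get-DnsServerResourceRecord -ZoneName $r.Zone -Name $r.Name -RRType A -ErrorAction SilentlyContinue
    if ($existing) {
        Remove-DnsServerResourceRecord -ZoneName $r.Zone -Name $r.Name -RRType A -Force
    }
    Add-DnsServerResourceRecordA -ZoneName $r.Zone -Name $r.Name -IPv4Address $r.Ip -TimeToLive 00:05:00
}

# Verification: the public name still resolves through public DNS to its
# privatelink CNAME, which the local authoritative zone answers with the
# private IP. Flag any answer outside the private endpoint subnet so a missing
# or wrong record (which would silently fall back to the public IP) is noticed.
$checks = @('mystorageaccount.dfs.core.windows.net', 'mykeyvault.vault.azure.net')
foreach ($fqdn in $checks) {
    $answer = Resolve-DnsName -Name $fqdn -Type A -Server 127.0.0.1 -ErrorAction Stop
    $ip = ($answer | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
    if ($ip -like '10.10.1.*') {
        Write-Host "$fqdn -> $ip (private endpoint)"
    } else {
        Write-Warning "$fqdn -> $ip is not a private endpoint IP; check the privatelink zone records"
    }
}
```

Because these records are maintained by hand, pair this with static private endpoint IPs as NetworkingNinja suggests and re-run the script whenever an endpoint is added or recreated.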
