I'm having trouble with DNS conditional forwarding from my on-premises setup to Privatelink endpoints in Azure. We have a hub/spoke configuration where the hub features a VPN gateway for incoming access from our production environment. The resources like storage and app services in Azure are housed in a spoke account, all configured with Privatelink. While DNS resolution functions correctly in the spoke through the Azure DNS (IP: 168.63.129.16), my goal is to set up conditional forwarders on-prem to resolve the Privatelink addresses, aiming to handle DNS resolution in the hub instead. This way, I avoid sending requests to the spoke, especially since more resolvers for various Privatelinks might be needed in the future.
Initially, I removed the spoke's DNS configuration under the private DNS integration and added it under the hub's subscription, which worked for on-prem DNS resolution but broke things in the spoke. After reverting this change, I attempted to add a Virtual Network Link (VNL) within the Privatelink zone configuration, where I've linked both the spoke and hub virtual networks. The latter approach showed some promise, yet I still can't get consistent results across all resource types (storage, app services, SQL, etc.). Can anyone guide me on the best way to set this up in a new Azure environment? I apologize if I'm misusing any Azure terminology; I'm still learning!
4 Answers
A private DNS resolver can be a game changer! It’s also beneficial to use Azure Policy to manage the registration of your private links so that everything stays organized.
Just a heads up, 168.63.129.16 isn't accessible from outside of Azure. That's why a DNS resolver within Azure is key!
For your scenario, having a DNS resolver is definitely crucial.
It sounds like you need a DNS resolver set up in your hub VNet. Make sure that the private DNS zones are under the hub subscription and linked to the hub VNet, as well as any other VNet that requires access to them. You might want to configure the DNS of the VMs in those VNets to point to your private resolver, which can forward requests back to on-prem as needed. Don't forget to set your conditional forwarders to point to the resolver's private IP for the necessary zones.
It's usually better to deploy the DNS resolver on a different network. Use the hub solely for Network Virtual Appliances (NVA) and VPN Gateways (VNG) since you'll need a special route to handle DNS traffic instead of just using 0.0.0.0/0.
Totally agree, that's the way I've managed mine too!
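The setup the answers describe (privatelink zones linked to the hub VNet, a private resolver inbound endpoint in the hub, on-prem conditional forwarders pointing at it) is easy to get half-right for one resource type and wrong for another. The following is an added example, not code from any answer above: it derives the privatelink zone each hostname depends on, emits one Windows DNS conditional forwarder per zone, and audits captured on-prem answers to flag hosts still resolving to public IPs. All IPs, hostnames and address spaces are constructed placeholders.

```python
import ipaddress

# Public DNS suffix -> Azure privatelink zone for the resource types in the question.
PRIVATELINK_ZONES = {
    "blob.core.windows.net": "privatelink.blob.core.windows.net",
    "file.core.windows.net": "privatelink.file.core.windows.net",
    "azurewebsites.net": "privatelink.azurewebsites.net",
    "database.windows.net": "privatelink.database.windows.net",
}

def privatelink_zone_for(fqdn):
    """Return the privatelink zone the on-prem forwarder must own for fqdn,
    or None if the host is not a known Private Link service."""
    host = fqdn.rstrip(".").lower()
    for suffix, zone in PRIVATELINK_ZONES.items():
        if host.endswith("." + suffix):
            return zone
    return None

def forwarder_commands(fqdns, resolver_inbound_ip):
    """Windows DNS Server conditional forwarder, one per distinct zone,
    every zone pointing at the hub resolver's inbound endpoint IP."""
    zones = sorted({z for z in map(privatelink_zone_for, fqdns) if z})
    return [
        f'Add-DnsServerConditionalForwarderZone -Name "{z}" '
        f'-MasterServers {resolver_inbound_ip} -ReplicationScope Forest'
        for z in zones
    ]

def resolves_privately(answer_ip, vnet_prefixes):
    """True if the answer lies inside a VNet address space (the private
    endpoint NIC), False if it is the service's public IP."""
    ip = ipaddress.ip_address(answer_ip)
    return any(ip in ipaddress.ip_network(p) for p in vnet_prefixes)

def audit(results, vnet_prefixes):
    """results: {fqdn: answer_ip} as resolved from on-prem. Returns the hosts
    still getting public answers, i.e. whose zone is not yet forwarded/linked."""
    return sorted(f for f, ip in results.items()
                  if not resolves_privately(ip, vnet_prefixes))

if __name__ == "__main__":
    # Constructed sample: hub 10.10.0.0/16, spoke 10.20.0.0/16,
    # resolver inbound endpoint 10.10.1.4, answers captured on-prem.
    VNETS = ["10.10.0.0/16", "10.20.0.0/16"]
    seen = {
        "contosostore.blob.core.windows.net": "10.20.2.5",  # private: good
        "contoso-api.azurewebsites.net": "20.50.1.1",       # public: not forwarded
        "contoso-sql.database.windows.net": "10.20.2.7",
    }
    print("\n".join(forwarder_commands(seen, "10.10.1.4")))
    print("still public:", audit(seen, VNETS))
```

A public answer for a host whose zone is already forwarded usually means the zone is not linked to the VNet the resolver lives in, which is the hub-versus-spoke linking mistake the question describes.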