I'm in the middle of a discussion about handling DNS for Azure Private Links, especially since we have a complex setup with multiple Azure subscriptions and a hub that's our local office data center. Our core company connects various acquired companies and data centers with Megaport, which is similar to ExpressRoute but allows communication across different clouds and on-prem locations.
We currently use Private Links for Azure SQL and need to establish connections from on-premises resources to these Private Links. The challenge is that we need to use Fully Qualified Domain Names (FQDN), requiring DNS records. The usual solution would be to set up a DNS forwarder for the zone privatelink.database.windows.net. However, I'm concerned about relying on a single private DNS responder since the Private Link could be in different environments. It seems my only option is to keep DNS records updated in various locations, which feels cumbersome. I'm looking for advice on how others manage this kind of setup.
2 Answers
I suggest establishing a central hub for your DNS resolver and zones, linking everything to it. This way, you avoid the complications from having multiple overlapping private link zones. It streamlines your management significantly.
That makes sense, but many of the tenants already have their own DNS setups, so centralizing might not be viable. I'm thinking of creating additional zones in each tenant instead, like COMPANY.privatelink.database.windows.net, to manage FQDNs more easily.
Honestly, these types of questions make me feel like I'm not cut out for architecture! I’d love to find a more efficient solution since managing updates in multiple places isn’t ideal. If I had to do it, a central management tool would be a must, even if I had to develop it myself.
It’s definitely a tricky situation with no clear-cut solution, only various pros and cons. While Azure DNS private zones are great for handling Azure resources, the real challenge lies in managing the .privatelink endpoints from other networks. I'm considering managing the DNS at the hub and locally within Azure DNS instead of relying on forwards, but I'd love to hear more ideas from others.
If you’re working with Windows DNS, consider using Active Directory Integrated zones. It could help manage the DNS better across different environments.