Setting Up DNS Architecture in a Hybrid Hub and Spoke Azure Environment

Asked By TechGuru99 On

I'm working with a hybrid hub and spoke architecture in Azure, connected to on-premises via ExpressRoute. We have Azure Firewall (AZFW) in the hub with DNS proxy enabled. Currently, we've replicated our on-premises Windows DNS servers into a spoke, and all spokes use these replicated servers, while the hub uses Azure DNS. The AZFW DNS proxy is also set to use Azure DNS. For resolving private endpoints, our Windows DNS servers have conditional forwarders pointing to the private IP of the Azure Firewall, which seems to be functioning well. However, I'm facing issues because Azure Firewall can't resolve any internal domains, leading to failures in application and network rules with internal FQDNs. I'm inclined to implement a private DNS resolver but can't find sufficient documentation regarding its use with the firewall DNS proxy. After much research and discussions with AI tools, I'm considering configuring every VNet to utilize custom DNS settings, pointing them to the Azure Firewall's private IP. The firewall's DNS proxy would also point to this custom private IP, and all conditional forwarders would be set to the private resolver's IP, with resolver rules for directing internal domains to the DNS servers. I would also establish virtual network links from the hub to all private DNS zones for PaaS private endpoints. Does this approach seem correct? It's frustrating that Microsoft doesn't seem to recommend this explicitly even though the AZFW DNS proxy needs to be enabled for application rules. Why is there a lack of documentation around this if it's the advised architecture?

2 Answers

Answered By SimplifyItNow On

Honestly, if you're reaching out for help with this setup, it might be a sign that your architecture is getting a bit too complex. Simplicity often leads to better manageability. What aspects of your design do you think could be streamlined?

TechGuru99 -

I'm all for simplicity, but I need to ensure it meets our specific requirements. What would you suggest to make this architecture simpler while still aligning with best practices?

Answered By CloudWizard42 On

You're on the right track! It sounds like you're correctly thinking about using custom DNS configurations across all your VNets. In our setup, we also direct everything to our domain controllers for DNS, which then forwards to our private DNS resolvers in the hubs for Azure's private DNS zones, and it works really well. Just make sure all your DNS clients are pointed to the firewall's DNS proxy to avoid resolution issues.

CloudyDay2023 -

Are you using Azure Firewall as well? I found this specific recommendation that might help: [link](https://learn.microsoft.com/en-us/azure/firewall/dns-details#clients-not-configured-to-use-the-firewall-dns-proxy). It outlines how to set it up correctly!
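
As an added walk-through (my own constructed model, not the poster's, CloudWizard42's or Microsoft's configuration), the script below encodes the two forwarding topologies from this thread and walks a query through each. It shows why the firewall's FQDN rules fail in the current setup (the AZFW proxy forwards to Azure DNS, which knows nothing about the internal domain) and why they work once the proxy forwards to a private resolver whose rules send the internal zone to the replicated DNS servers. It also carries the point from CloudWizard42 and the linked article: an FQDN rule only matches when the firewall and the client resolve a name to the same address, which is why clients should use the proxy. Everything except the Azure DNS address 168.63.129.16 is invented here: the 10.x addresses, the `corp.internal` zone and its host, the `stg1` storage endpoint, and the VNet labels.

```python
"""Constructed model of the DNS forwarding paths discussed in the thread.
Not the poster's or Microsoft's configuration; all addresses except Azure DNS
and all zone/host names are invented for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

AZURE_DNS = "168.63.129.16"   # Azure-provided DNS (real well-known address)
AZFW = "10.0.0.4"             # hub: Azure Firewall private IP / DNS proxy (constructed)
RESOLVER_IN = "10.0.1.4"      # hub: DNS Private Resolver inbound endpoint (constructed)
ONPREM_DNS = "10.10.0.10"     # spoke: replicated Windows DNS server (constructed)
SPOKE_VM, HUB_VM = "10.20.0.5", "10.0.2.5"   # sample clients (constructed)

PRIVATE_ZONES = {"privatelink.blob.core.windows.net":
                 {"stg1.privatelink.blob.core.windows.net": "10.20.1.10"}}
ONPREM_ZONES = {"corp.internal": {"app.corp.internal": "192.168.5.20"}}

@dataclass
class Resolver:
    vnet: str                                                        # VNet the server sits in
    zones: Dict[str, Dict[str, str]] = field(default_factory=dict)  # zones it answers itself
    conditional: Dict[str, str] = field(default_factory=dict)       # zone suffix -> forwarder IP
    default: Optional[str] = None                                   # forwarder for everything else

@dataclass
class Topology:
    resolvers: Dict[str, Resolver]        # server IP -> Resolver
    clients: Dict[str, Tuple[str, str]]   # client IP -> (its VNet, configured DNS server)
    zone_links: Dict[str, Set[str]]       # private DNS zone -> VNets linked to it

def _zone_of(fqdn, zones):
    hits = [z for z in zones if fqdn == z or fqdn.endswith("." + z)]
    return max(hits, key=len) if hits else None

def resolve(topo, server, fqdn, caller_vnet, depth=0):
    """(status, ip) for a query sent to `server` by a host in `caller_vnet`."""
    if depth > 8:
        return ("LOOP", None)
    if server == AZURE_DNS:
        # Azure DNS answers from a private DNS zone only for VNets linked to that zone
        visible = {z for z, vnets in topo.zone_links.items() if caller_vnet in vnets}
        zone = _zone_of(fqdn, visible)
        if zone is None:
            return ("NXDOMAIN", None)     # public recursion is not modelled here
        ip = PRIVATE_ZONES[zone].get(fqdn)
        return ("OK", ip) if ip else ("NXDOMAIN", None)
    r = topo.resolvers[server]
    zone = _zone_of(fqdn, r.zones)
    if zone is not None:                  # authoritative answer, nothing is forwarded
        ip = r.zones[zone].get(fqdn)
        return ("OK", ip) if ip else ("NXDOMAIN", None)
    zone = _zone_of(fqdn, r.conditional)
    nxt = r.conditional[zone] if zone is not None else r.default
    if nxt is None:
        return ("SERVFAIL", None)
    return resolve(topo, nxt, fqdn, r.vnet, depth + 1)  # forwarded query originates in r.vnet

def client_lookup(topo, client, fqdn):
    vnet, dns = topo.clients[client]
    return resolve(topo, dns, fqdn, vnet)

def fqdn_rule_consistent(topo, client, fqdn):
    """An FQDN rule matches traffic only if firewall and client resolve the name alike."""
    fw = resolve(topo, AZFW, fqdn, topo.resolvers[AZFW].vnet)
    return fw[0] == "OK" and fw == client_lookup(topo, client, fqdn)

def current_setup():
    """Question's current state: spokes use the replicated DNS, AZFW proxy uses Azure DNS."""
    return Topology(
        resolvers={
            AZFW: Resolver("hub", default=AZURE_DNS),
            ONPREM_DNS: Resolver("spoke-dns", zones=ONPREM_ZONES,
                                 conditional={z: AZFW for z in PRIVATE_ZONES}),
        },
        clients={SPOKE_VM: ("spoke-app", ONPREM_DNS), HUB_VM: ("hub", AZURE_DNS)},
        zone_links={z: {"hub"} for z in PRIVATE_ZONES},
    )

def proposed_setup():
    """Proposal: every VNet -> AZFW proxy -> private resolver; rules send internal zones on."""
    return Topology(
        resolvers={
            AZFW: Resolver("hub", default=RESOLVER_IN),
            RESOLVER_IN: Resolver("hub", conditional={"corp.internal": ONPREM_DNS},
                                  default=AZURE_DNS),
            ONPREM_DNS: Resolver("spoke-dns", zones=ONPREM_ZONES,
                                 conditional={z: RESOLVER_IN for z in PRIVATE_ZONES},
                                 default=RESOLVER_IN),
        },
        clients={SPOKE_VM: ("spoke-app", AZFW), HUB_VM: ("hub", AZFW)},
        zone_links={z: {"hub"} for z in PRIVATE_ZONES},
    )

if __name__ == "__main__":
    for label, topo in (("current", current_setup()), ("proposed", proposed_setup())):
        for name in ("app.corp.internal", "stg1.privatelink.blob.core.windows.net"):
            print(label, name, "firewall:", resolve(topo, AZFW, name, "hub"),
                  "rule usable by spoke VM:", fqdn_rule_consistent(topo, SPOKE_VM, name))
```

Running it shows the current topology returning NXDOMAIN for `app.corp.internal` at the firewall while the spoke VM resolves it fine (so a rule on that FQDN never matches), and the proposed topology resolving both the internal name and the private endpoint name identically from the firewall and from every client. The `caller_vnet` argument is the detail that makes the private resolver work: its inbound endpoint resolves through Azure DNS as a hub resource, so the hub VNet must be linked to the private DNS zones, which is exactly the virtual network link step in the question.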
