SpyglassMTG Blog


Private Endpoints: Welcome to the DNS Private Resolver

The Scenario

For many of you that have been working in Azure over the years, you have likely had the need or desire to secure access to your Azure resources through private endpoints. While it is easy to stand up resources through the Azure Portal and access them natively over the public internet, concerns over privacy and security warrant locking them down with network ACLs and establishing private endpoints. If you have already deployed private endpoints and are using Windows or Linux servers as DNS forwarders, skip down to "The Solution."

A private endpoint is a network interface with a private IP address from your Azure virtual network. It allows private access to Azure PaaS services over the Microsoft Azure backbone instead of the internet, and that access can be extended to your on-premises network over ExpressRoute or Site-to-Site VPN connections.

The Challenge

One challenge with private endpoints is DNS name resolution. When a private endpoint is created for a resource, the service's public DNS name becomes a CNAME to a name in the relevant privatelink subdomain, e.g. mystorageaccount.blob.core.windows.net becomes a CNAME for mystorageaccount.privatelink.blob.core.windows.net (for the full list see Azure Private Endpoint DNS configuration | Microsoft Docs). Public DNS still resolves that privatelink name to the service's public IP address; only the privatelink private DNS zone linked to your virtual network holds the private IP. For your organization's clients to get the private address, the on-premises DNS service must conditionally forward queries for those public domains to a DNS server inside the Azure virtual network, which in turn forwards them to the Azure-provided resolver (168.63.129.16), the only resolver that can answer from the linked private DNS zone.

In the past, this required you to stand up your own VM in Azure (Windows/Linux/NVA), install a DNS service, and configure forwarding to the Azure-provided resolver. This involves a lot of overhead in terms of cost, management, and maintenance, while you still have to ensure a suitable SLA for a service that every private endpoint lookup depends on.

The Solution

This is where the DNS Private Resolver fits in. This is a first-party service, currently in public preview, that eliminates the need for an IaaS system to act as the DNS forwarder for private endpoint name resolution. Its inbound endpoint gets a private IP address in a dedicated subnet of your virtual network (delegated to Microsoft.Network/dnsResolvers); your on-premises DNS conditionally forwards the relevant public domains to that IP, and the resolver answers from the private DNS zones linked to the virtual network. An optional outbound endpoint with a forwarding ruleset covers the reverse direction, letting Azure resources resolve on-premises names. You can now take advantage of all the benefits of private endpoints without the hassle of managing another DNS platform. The figure below summarizes the architecture:

Figure 1: DNS Private Resolver Architecture (https://docs.microsoft.com/en-us/azure/dns/dns-private-resolver-overview)

  • If you're nervous about implementing, try setting up a single client machine to use the DNS Private Resolver inbound endpoint's private IP as its DNS server. You'll need admin rights for this, and be sure to note the adapter's current configuration before changing it. You can then resolve the resource by name, e.g. ping mystorageaccount.blob.core.windows.net, and confirm that the address shown is the private endpoint's IP. Azure PaaS endpoints typically do not answer ICMP, so the ping replies themselves may time out; the resolved address is what matters, and nslookup or Resolve-DnsName against the inbound endpoint IP is a cleaner test.

  • Also, be sure to clear your DNS cache (ipconfig /flushdns). If you're testing with a browser, close all active windows first, since browsers keep their own DNS cache.

  • If you just deployed the DNS Private Resolver, be sure to wait a few minutes for things to settle in before you declare success (or failure).
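The checks in the tips above can be scripted so the test is repeatable and does not depend on reading ping output. The script below is an added example and not part of the original post: it walks the CNAME chain from the public name through the privatelink subdomain (the rewrite described under "The Challenge") and then confirms that every final address is in your virtual network range. The sample answers, the account name mystorageaccount and the inbound endpoint IP 10.0.0.4 are constructed placeholders; the live mode assumes the third-party dnspython package is installed, and the RFC 1918 default for "private" can be replaced with your own VNet prefixes if you use other ranges.

```python
"""Check that a private-endpoint name resolves via privatelink to a VNet address.

Added example for the DNS Private Resolver post; not the post's or Microsoft's
own tooling. Offline mode runs against constructed sample answers; live mode
queries a DNS server you name (e.g. the resolver inbound endpoint) via dnspython.
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

# (owner name, record type, rdata), in the order a resolver returns them:
# zero or more CNAMEs followed by the A/AAAA records of the chain's last name.
Record = Tuple[str, str, str]

# Default notion of "inside the VNet"; pass your own prefixes if you use others.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample: what a client behind the DNS Private Resolver should see.
SAMPLE_PRIVATE: List[Record] = [
    ("mystorageaccount.blob.core.windows.net.", "CNAME",
     "mystorageaccount.privatelink.blob.core.windows.net."),
    ("mystorageaccount.privatelink.blob.core.windows.net.", "A", "10.1.2.4"),
]

# Constructed sample: what a client still using public DNS sees. Note it also
# passes through the privatelink name; only the final address gives it away.
SAMPLE_PUBLIC: List[Record] = [
    ("mystorageaccount.blob.core.windows.net.", "CNAME",
     "mystorageaccount.privatelink.blob.core.windows.net."),
    ("mystorageaccount.privatelink.blob.core.windows.net.", "CNAME",
     "blob.example-cluster.store.core.windows.net."),
    ("blob.example-cluster.store.core.windows.net.", "A", "203.0.113.10"),
]


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def check_private_resolution(qname: str, records: List[Record],
                             vnet_prefixes=RFC1918) -> Dict[str, object]:
    """Follow CNAMEs from qname and classify where the chain ends.

    ok is True only when the chain passes through a '.privatelink.' name AND
    every final address lies inside vnet_prefixes. A chain that reaches
    privatelink but ends on a public address means the query never reached
    the private DNS zone (client is still using public DNS, or the zone is
    not linked to the VNet the resolver lives in).
    """
    chain = [_norm(qname)]
    cnames = {_norm(o): _norm(t) for o, rt, t in records if rt.upper() == "CNAME"}
    # Loop guard so a misconfigured zone with a CNAME cycle cannot spin forever.
    while chain[-1] in cnames and len(chain) <= 10:
        chain.append(cnames[chain[-1]])
    final = chain[-1]
    addresses = [ipaddress.ip_address(r) for o, rt, r in records
                 if rt.upper() in ("A", "AAAA") and _norm(o) == final]
    via_privatelink = any(".privatelink." in n for n in chain)
    in_vnet = [any(a in net for net in vnet_prefixes) for a in addresses]
    all_private = bool(addresses) and all(in_vnet)
    return {"chain": chain, "addresses": [str(a) for a in addresses],
            "via_privatelink": via_privatelink, "all_private": all_private,
            "ok": via_privatelink and all_private}


def live_records(qname: str, server: str, rtype: str = "A") -> List[Record]:
    """Query `server` directly and return its answer section as Record tuples.

    Imported lazily so the offline checks run without dnspython installed.
    """
    import dns.rdatatype
    import dns.resolver
    resolver = dns.resolver.Resolver(configure=False)
    resolver.nameservers = [server]           # bypass the OS resolver entirely
    answer = resolver.resolve(qname, rtype)
    out: List[Record] = []
    for rrset in answer.response.answer:
        for rdata in rrset:
            if rrset.rdtype == dns.rdatatype.CNAME:
                out.append((rrset.name.to_text(), "CNAME", rdata.target.to_text()))
            elif rrset.rdtype in (dns.rdatatype.A, dns.rdatatype.AAAA):
                out.append((rrset.name.to_text(),
                            dns.rdatatype.to_text(rrset.rdtype), rdata.address))
    return out


if __name__ == "__main__":
    # Usage: python check_pe_dns.py <fqdn> <inbound-endpoint-ip>
    # e.g.   python check_pe_dns.py mystorageaccount.blob.core.windows.net 10.0.0.4
    if len(sys.argv) == 3:
        name, server_ip = sys.argv[1], sys.argv[2]
        result = check_private_resolution(name, live_records(name, server_ip))
    else:
        result = check_private_resolution(
            "mystorageaccount.blob.core.windows.net", SAMPLE_PRIVATE)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run it twice: once against the inbound endpoint IP and once against a public resolver such as 8.8.8.8. Both should show the privatelink name in the chain, but only the first should end on a VNet address; if the inbound endpoint also returns a public address, check that the privatelink private DNS zone is linked to the resolver's virtual network before blaming the on-premises conditional forwarder.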

The Benefits

Beyond the advantages mentioned above, the DNS Private Resolver fits nicely into your DevOps environment with full support for Azure ARM templates, Bicep, CLI and PowerShell. It costs a fraction of an IaaS forwarder and needs no OS maintenance or patching. Make the DNS Private Resolver part of your Azure Landing Zone and accelerate your cloud journey.

If you need help with this topic or want to discuss further, please contact us today!