Azure DNS Private Resolver

Azure DNS Private Resolver is a managed, serverless DNS forwarding service in Azure. Applications running in Azure often need to resolve hostnames on-premises, and on-premises workloads frequently need to resolve private Azure names. That is exactly where Azure DNS Private Resolver steps in: it acts as a DNS gateway between Azure virtual networks and on-premises DNS servers, without deploying custom DNS servers or VMs.

A typical scenario is a hybrid environment where users in on-premises locations need to resolve and connect to a database running in Azure SQL with a private endpoint enabled. Azure DNS Private Resolver enables you to query the name of the Azure SQL private endpoint in the private DNS zone from your on-premises network. The resolver also enables your Azure infrastructure (using Azure DNS) to perform name resolution for services running on-premises.

Azure DNS Private Resolver supports the following areas:

    • Hybrid DNS resolution (Azure ↔ on-premises)
    • Private DNS zones
    • Conditional forwarding rules
    • Cross-VNet resolution
    • Fully managed (no patching, no scaling, no HA setup)

Architecture for Azure DNS Private Resolver


Key Components in Azure DNS Private Resolver

Azure DNS Private Resolver requires an Azure virtual network and has two core endpoints:

    1. Inbound Endpoint
    2. Outbound Endpoint

Inbound Endpoint

An inbound endpoint enables name resolution from on-premises or other private locations via an IP address that is part of your private virtual network address space. To resolve your Azure private DNS zone from on-premises, enter the IP address of the inbound endpoint as the target of your on-premises DNS conditional forwarder.

When you create an Azure DNS Private Resolver inside a virtual network, one or more inbound endpoints are established that can be used as the destination for DNS queries.

The inbound endpoint requires a subnet in the VNet where it is provisioned. The subnet can only be delegated to Microsoft.Network/dnsResolvers and can't be used for other services. DNS queries received by the inbound endpoint ingress to Azure.





Outbound Endpoint

An outbound endpoint enables conditional forwarding name resolution from Azure to on-premises, other cloud providers, or external DNS servers. The outbound endpoint processes DNS queries based on a DNS forwarding ruleset that you configure. DNS queries that are initiated in networks linked to a ruleset can be sent to other DNS servers.

This endpoint requires a dedicated subnet in the VNet where it is provisioned, with no other service running in the subnet, and the subnet can only be delegated to Microsoft.Network/dnsResolvers. DNS queries sent to the outbound endpoint egress from Azure.




DNS Forwarding Ruleset

A DNS forwarding ruleset is a group of DNS forwarding rules (up to 1000) that can be applied to one or more outbound endpoints or linked to one or more VNets.

Rules under a Ruleset

A DNS forwarding rule includes one or more target DNS servers that are used for conditional forwarding. Each rule specifies a domain name and, for each target server, an IP address, a port and a protocol (UDP or TCP).





How Azure Private DNS Resolution Works

    Inbound flow (on-premises → Azure):
    On-prem DNS → VPN/ExpressRoute → Inbound Endpoint → Azure Private DNS Zone

    Outbound flow (Azure → on-premises):
    Azure VM → Azure DNS (168.63.129.16) → Outbound Endpoint → On-prem DNS


Azure DNS Private Resolver Limits

    Resource                                            Limit
    DNS private resolvers per subscription              15
    Inbound endpoints per DNS private resolver          5
    Outbound endpoints per DNS private resolver         5
    Forwarding rules per DNS forwarding ruleset         1000
    Virtual network links per DNS forwarding ruleset    500
    Outbound endpoints per DNS forwarding ruleset       2
    DNS forwarding rulesets per outbound endpoint       2
    Target DNS servers per forwarding rule              6
    QPS per endpoint                                    10,000



Network Requirements (for Domain Join or AD Communication)

If you want an Azure VM to join the on-premises AD domain (CSC.COM) and access on-premises AD-authenticated resources, ensure the required ports are open between Azure and the on-premises AD domain controllers (in both directions):

Virtual Network Limitations

    • VNets with encryption enabled don't support Azure DNS Private Resolver.
    • A DNS resolver can only reference a virtual network in the same region as the DNS resolver.
    • A virtual network can't be shared between multiple DNS resolvers. A single virtual network can only be referenced by a single DNS resolver.

Subnet Limitations

    • A subnet must be a minimum of /28 address space and a maximum of /24 address space.
    • A subnet can't be shared between multiple DNS resolver endpoints. A single subnet can only be used by a single DNS resolver endpoint.
    • All IP configurations for a DNS resolver inbound endpoint must reference the same subnet as where the endpoint is provisioned.
    • The subnet used for a DNS resolver inbound endpoint must be within the virtual network referenced by the parent DNS resolver.
    • The subnet can only be delegated to Microsoft.Network/dnsResolvers and can't be used for other services.
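As an added example (this is not code from the original post or from Microsoft), the following Bicep template deploys the components described under Key Components in a form that satisfies the VNet and subnet limitations listed above: two dedicated /28 subnets delegated only to Microsoft.Network/dnsResolvers, the resolver bound to that VNet in the same region, an inbound endpoint with a static address, an outbound endpoint in its own subnet, a ruleset with one conditional-forwarding rule for the on-premises domain, and a VNet link. The resource and subnet names, address ranges, the on-premises domain and the target DNS server addresses are placeholders chosen for the example, not values from the post.

```bicep
// Added example: Azure DNS Private Resolver deployment that respects the
// VNet/subnet constraints above. All names, prefixes and addresses are assumed.
param location string = resourceGroup().location
param vnetName string = 'vnet-hub'
// Assumed on-premises zone; forwarding rules expect the trailing dot.
param onPremDomain string = 'corp.example.com.'
// Assumed on-premises DNS servers (for example the domain controllers); max 6 per rule.
param onPremDnsServers array = [
  '10.10.0.10'
  '10.10.0.11'
]

// Both endpoint subnets must be delegated to dnsResolvers and used by nothing else.
var resolverDelegation = [
  {
    name: 'dnsResolverDelegation'
    properties: {
      serviceName: 'Microsoft.Network/dnsResolvers'
    }
  }
]

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'snet-dns-inbound' // dedicated, within /28 .. /24
        properties: {
          addressPrefix: '10.0.1.0/28'
          delegations: resolverDelegation
        }
      }
      {
        name: 'snet-dns-outbound' // a second subnet: endpoints cannot share one
        properties: {
          addressPrefix: '10.0.1.16/28'
          delegations: resolverDelegation
        }
      }
    ]
  }
}

// One resolver per VNet, in the same region as the VNet.
resource resolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: 'dnspr-hub'
  location: location
  properties: {
    virtualNetwork: {
      id: vnet.id
    }
  }
}

// Inbound endpoint: the address on-premises conditional forwarders will target.
resource inbound 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'inbound'
  location: location
  properties: {
    ipConfigurations: [
      {
        subnet: {
          id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, 'snet-dns-inbound')
        }
        privateIpAllocationMethod: 'Static'
        privateIpAddress: '10.0.1.4' // first usable address of the /28 (Azure reserves the first four)
      }
    ]
  }
}

// Outbound endpoint: queries matched by the ruleset egress from Azure through here.
resource outbound 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'outbound'
  location: location
  properties: {
    subnet: {
      id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, 'snet-dns-outbound')
    }
  }
}

resource ruleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
  name: 'ruleset-onprem'
  location: location
  properties: {
    dnsResolverOutboundEndpoints: [
      {
        id: outbound.id
      }
    ]
  }
}

// Conditional forwarding rule: only the on-premises domain goes to the on-premises servers.
resource rule 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = {
  parent: ruleset
  name: 'onprem-domain'
  properties: {
    domainName: onPremDomain
    forwardingRuleState: 'Enabled'
    targetDnsServers: [for ip in onPremDnsServers: {
      ipAddress: ip
      port: 53
    }]
  }
}

// Link the ruleset to the VNet whose workloads should use these rules.
resource link 'Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks@2022-07-01' = {
  parent: ruleset
  name: 'link-${vnetName}'
  properties: {
    virtualNetwork: {
      id: vnet.id
    }
  }
}

output inboundEndpointIp string = inbound.properties.ipConfigurations[0].privateIpAddress
```

Deploy it with `az deployment group create --resource-group <rg> --template-file resolver.bicep`. The `inboundEndpointIp` output is the address to configure on the on-premises DNS servers as the conditional-forwarder target for your Azure private DNS zones; it is reachable only over the VPN or ExpressRoute path, so verify that path and the firewall rules before troubleshooting resolution. Keeping the forwarding rule scoped to the on-premises domain, rather than a catch-all, limits which queries leave Azure and keeps the rule well within the six-target and 1000-rule limits from the table above.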


Azure DNS Private Resolver Benefits

Azure DNS Private Resolver provides the following benefits:

    • Fully managed: Built-in high availability, zone redundancy.
    • Cost reduction: Reduce operating costs and run at a fraction of the price of traditional IaaS solutions.
    • Private access to your Private DNS zones: Conditionally forward to and from on-premises.
    • Scalability: High performance per endpoint.
    • DevOps Friendly: Build your pipelines with Terraform, ARM, or Bicep.

