In this blog, I’m going to share what I learned about Azure Private DNS name resolution for Azure PaaS (Platform-as-a-Service) resources. This involves several Azure resources: Storage accounts (a PaaS resource), Private Endpoints, Private Links, Azure Private DNS Zone, Azure Private DNS Resolver, and Microsoft Entra Domain Services. Before diving into the Azure Private DNS Zone name resolution concept, let’s understand each Azure resource involved:
Azure Storage Accounts: An Azure storage account contains all the Azure Storage data objects: blobs, files, queues, and tables. The storage account provides a unique namespace for Azure Storage data that’s accessible from anywhere in the world over HTTP or HTTPS. Data in the storage account is durable and highly available, secure, and massively scalable.
Private Endpoints: A private endpoint is a network interface that uses a private IP address from the virtual network. This network interface connects privately and securely to a service powered by Azure Private Link. By enabling a private endpoint, you’re bringing the service into your virtual network.
Azure Private DNS Zone: Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need for a custom DNS solution. By using private DNS zones, we can use our own custom domain names rather than the Azure-provided names available today.
Azure Private DNS Resolver: Azure DNS Private Resolver enables querying Azure DNS private zones from an on-premises environment, and vice versa, without deploying VM-based DNS servers. You don’t need to provision IaaS-based solutions on your virtual networks to resolve names registered on Azure private DNS zones. You can configure conditional forwarding of domains back to on-premises, multicloud, and public DNS servers.
Microsoft Entra Domain Services (DS): Microsoft Entra Domain Services provides managed domain services such as domain join, group policy, Lightweight Directory Access Protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.
Scenario: When your DNS server resides on-premises or in a third-party datacenter, an Azure Private DNS Resolver or a VM-based DNS server is required to handle private DNS resolution. It works as shown in the diagram below:
In our scenario: The client has decided to adopt a cloud-first approach to set up their IT infrastructure. Therefore, we used Microsoft Entra DS, configured with Domain Services-integrated DNS, in the role that an Azure Private DNS Resolver or VM-based DNS server would otherwise play.
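To make the resolution path concrete, here is an added example (not code from the original post) that models what a client sees when it queries a storage account name through the Entra DS DNS server described above versus through public DNS. It follows the CNAME chain from the public name to the privatelink name and classifies the outcome: an RFC 1918 answer from the privatelink zone means the private endpoint is in use, a public IP means traffic bypasses it, and NXDOMAIN on the privatelink name means the Private DNS Zone is linked but holds no record for the account. The storage account name, IPs and cluster name are constructed sample data; the `lookup` callable is a stand-in for a real resolver (for example dnspython pointed at the Entra DS DNS servers).

```python
"""Classify how a storage-account FQDN resolves: private endpoint, public, or broken.

Added example; the DNS answers below are constructed to mimic the three
situations a practitioner typically meets when wiring private endpoints to a
Private DNS Zone via a forwarding DNS server such as Entra DS DNS.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str]                     # (record type, value)
Lookup = Callable[[str], Optional[Record]]   # None models NXDOMAIN

# View 1 (constructed): client DNS forwards privatelink.blob.core.windows.net
# to the Private DNS Zone, which answers with the private endpoint NIC IP.
PRIVATE_VIEW: Dict[str, Record] = {
    "mystorage.blob.core.windows.net": ("CNAME", "mystorage.privatelink.blob.core.windows.net"),
    "mystorage.privatelink.blob.core.windows.net": ("A", "10.10.1.4"),
}

# View 2 (constructed): client only reaches public DNS, so the privatelink name
# CNAMEs onward to the storage cluster and resolves to a public IP.
PUBLIC_VIEW: Dict[str, Record] = {
    "mystorage.blob.core.windows.net": ("CNAME", "mystorage.privatelink.blob.core.windows.net"),
    "mystorage.privatelink.blob.core.windows.net": ("CNAME", "blob.cluster01.store.core.windows.net"),
    "blob.cluster01.store.core.windows.net": ("A", "20.60.1.1"),
}

# View 3 (constructed): the Private DNS Zone is linked but contains no A record
# for this account, so the privatelink name returns NXDOMAIN.
EMPTY_ZONE_VIEW: Dict[str, Record] = {
    "mystorage.blob.core.windows.net": ("CNAME", "mystorage.privatelink.blob.core.windows.net"),
}


def table_lookup(table: Dict[str, Record]) -> Lookup:
    """Build a resolver over a static answer table (case-insensitive, trailing dot ignored)."""
    return lambda name: table.get(name.lower().rstrip("."))


def resolve_chain(name: str, lookup: Lookup, max_hops: int = 8) -> List[Tuple[str, str, str]]:
    """Follow CNAMEs until an A record or NXDOMAIN; return every hop as (name, type, value)."""
    chain: List[Tuple[str, str, str]] = []
    current = name
    for _ in range(max_hops):
        rec = lookup(current)
        if rec is None:
            chain.append((current, "NXDOMAIN", ""))
            return chain
        rtype, value = rec
        chain.append((current, rtype, value))
        if rtype != "CNAME":
            return chain
        current = value
    raise RuntimeError("CNAME chain too long (loop?)")


def classify(name: str, lookup: Lookup) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (verdict, chain) describing whether traffic will hit the private endpoint.

    Verdicts:
      private-endpoint    privatelink name answered with a private (RFC 1918) IP
      public-bypass       final answer is a public IP; the private endpoint is not used
      zone-missing-record privatelink name exists in the chain but returned NXDOMAIN
      unresolved          the public name itself did not resolve
    """
    chain = resolve_chain(name, lookup)
    _, rtype, value = chain[-1]
    via_privatelink = any(".privatelink." in hop_name for hop_name, _, _ in chain)
    if rtype == "NXDOMAIN":
        return ("zone-missing-record" if via_privatelink else "unresolved"), chain
    if rtype == "A":
        ip = ipaddress.ip_address(value)
        if via_privatelink and ip.is_private:
            return "private-endpoint", chain
        return "public-bypass", chain
    return "unexpected", chain


if __name__ == "__main__":
    for label, view in (("private", PRIVATE_VIEW), ("public", PUBLIC_VIEW), ("empty zone", EMPTY_ZONE_VIEW)):
        verdict, chain = classify("mystorage.blob.core.windows.net", table_lookup(view))
        hops = " -> ".join(f"{n} [{t} {v}]" for n, t, v in chain)
        print(f"{label:10s}: {verdict:20s} {hops}")
```

In practice the same check is worth running from a VM in the spoke VNet and from an on-premises host: if the two views differ, the conditional forwarder for the privatelink zone (here, on the Entra DS DNS) is the first thing to inspect. The "public-bypass" verdict is the one that matters from a security standpoint, since clients in that state reach the storage account over its public endpoint even though a private endpoint exists.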
Conclusion: This scenario exemplifies a common use case where a client embraces a cloud-first approach, necessitating seamless integration between on-premises DNS servers and Azure services. Leveraging Microsoft Entra DS with integrated DNS as an Azure Private DNS Resolver or VM-based DNS server streamlines the setup, ensuring minimal complexity while enabling robust DNS resolution capabilities.
Note: This approach saves the cost of an Azure Private DNS Resolver or VM-based DNS server.