Azure Architecture: DNS Management on Azure – Day 1

Introduction

On Azure, a virtual network comes with a lot of pre-configured setup, which makes the network easier to use. One of these is Azure DNS, the Azure-managed DNS service. In different scenarios, however, we need different configurations to fit our environment.

In this series, we are going to discuss DNS management on Azure across several scenarios.

Before we start the design discussion, this article first presents some basic concepts.

Azure DNS

The Domain Name System (DNS) translates a service name or host name into an IP address. By default, Azure provides an Azure-hosted DNS service to every virtual network. When a service inside the virtual network sends a query to Azure DNS, the host name is resolved to an IP address. Hence, even without a self-managed DNS server or service, resources on Azure can still resolve public DNS records. The Azure DNS server we see by default is 168.63.129.16. Apart from public DNS records and IP addresses, it can integrate with Azure Private DNS zones, which are covered in a later section.

However, when adopting a cloud environment, there will be internal DNS records that must resolve so that services can be accessed privately; the DNS solution design is therefore an important consideration in our cloud environment.

Azure Private Endpoint and Virtual Network integration

Most services on Azure provide public access initially, for example storage accounts, Azure Virtual Desktop, Azure Database for MySQL, etc. Hence the URL of a service always looks like <storage account name>.blob.core.windows.net. This FQDN can be resolved from public DNS because Azure publishes the DNS record when we create the service, so we can access the service from the public internet, subject to the network restriction settings on the service.

However, in many cases we require access in a more secure way. Azure therefore provides Private Endpoint, Private Link Service and virtual network integration, with which we can enable a private IP for the service and block public access from the internet. In this way we have more control from the networking perspective.

The difference between a private endpoint and virtual network integration is that a private endpoint only provides an inbound connection to the service. For the storage account mentioned above, when we enable the private endpoint, a private IP address is allocated for the service. However, we cannot control outbound traffic through a private endpoint.

Some other services, for example Function Apps and Azure Database for MySQL server, offer another solution for intranet control, which is virtual network integration. As those services contain instances and compute resources, they initially sit in an Azure-managed network, so we have little control from the network perspective. Virtual network integration gives us more ability to control the network for the backend instances, such as routing, DNS servers, etc.

Azure Private DNS Zone

As mentioned in the last section, private endpoints, Private Link Service and virtual network integration enable a private IP address for a service on Azure. The way Azure manages the DNS record is as follows: the public URL, something like <storage account name>.blob.core.windows.net, is still advertised to public DNS and returns an A record with an Azure-managed public IP address. When we enable Private Link Service or a private endpoint, Azure usually publishes a CNAME record of the form <storage account name>.privatelink.blob.core.windows.net. From the internet this CNAME record still resolves only to a public IP address, but the purpose of the private link record is to provide the URL through which we control inbound access from the internal network.

When we create the private endpoint, Azure usually offers an option to integrate it with an Azure Private DNS zone, which maintains a DNS zone that works like a lookup zone on an on-premises DNS server. When the private DNS zone is linked to the virtual network and a server in that network sends queries to the Azure DNS server, the record is looked up in the private DNS zone whenever the domain matches.

With Azure Private DNS zones, we can handle Private Link and private endpoint DNS records through the Azure DNS server with tight integration.
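To make the lookup order concrete, here is an added Python model (not from the original article and not Azure code) of how the Azure-provided resolver answers a query from a VM: a private DNS zone linked to the querying virtual network takes precedence for names under its suffix, and only otherwise is the public record chain (CNAME to the privatelink name, then an A record) followed. All storage account names, IP addresses and VNet names are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PrivateDnsZone:
    name: str                                  # zone suffix, e.g. privatelink.blob.core.windows.net
    records: dict                              # relative A-record name -> private IPv4 address
    linked_vnets: set = field(default_factory=set)

    def matches(self, fqdn: str) -> bool:
        return fqdn == self.name or fqdn.endswith("." + self.name)

class AzureProvidedResolver:
    """Model of 168.63.129.16: a private zone linked to the querying VNet wins,
    otherwise the name is resolved through public DNS, following CNAMEs."""

    def __init__(self, public_dns: dict, zones: list):
        self.public_dns = public_dns           # fqdn -> (rtype, value)
        self.zones = zones

    def resolve(self, fqdn: str, vnet: str, max_hops: int = 8) -> Optional[str]:
        name = fqdn
        for _ in range(max_hops):
            zone = next((z for z in self.zones
                         if vnet in z.linked_vnets and z.matches(name)), None)
            if zone is not None:
                # A linked zone is authoritative for its suffix: a missing record
                # means NXDOMAIN (None here), with no fallback to the public record.
                relative = "@" if name == zone.name else name[: -len(zone.name) - 1]
                return zone.records.get(relative)
            rec = self.public_dns.get(name)
            if rec is None:
                return None
            rtype, value = rec
            if rtype == "A":
                return value
            name = value                       # CNAME: keep following the chain
        return None

# Constructed sample data (hypothetical names and addresses, not real records).
PUBLIC_DNS = {
    "contosostore.blob.core.windows.net": ("CNAME", "contosostore.privatelink.blob.core.windows.net"),
    "contosostore.privatelink.blob.core.windows.net": ("A", "20.60.0.10"),   # public IP
    "otherstore.blob.core.windows.net": ("CNAME", "otherstore.privatelink.blob.core.windows.net"),
    "otherstore.privatelink.blob.core.windows.net": ("A", "20.60.0.11"),
}
BLOB_ZONE = PrivateDnsZone("privatelink.blob.core.windows.net",
                           records={"contosostore": "10.1.2.4"},   # private endpoint NIC IP
                           linked_vnets={"hub-vnet"})
RESOLVER = AzureProvidedResolver(PUBLIC_DNS, [BLOB_ZONE])
```

The model also shows the failure mode to watch for: a VNet linked to the privatelink zone gets no answer for a storage account whose A record is missing from that zone, rather than falling back to the public IP, which is the usual cause of broken lookups after a private endpoint is created.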

In the next article, we will start to discuss the design of DNS on Azure.

Simon Lee

Cloud & Data Engineer, SOS Group Limited

SOS Group Limited © 2024. All Rights Reserved.