Azure Architecture: DNS Management on Azure – Day 2


In the last article we covered the basic concepts of DNS management on Azure. Starting from this article we will drill into different cases and scenarios and look at the approaches available for managing DNS on Azure.


Let's assume we have an Azure environment with the following components:

  1. Hybrid networking (IPsec VPN or ExpressRoute) between Azure and on-premises is already in place
  2. DNS servers (or an Active Directory environment) exist on-premises
  3. Private DNS records hosted on-premises need to be resolvable from Azure
  4. Azure Private DNS zones are in use

Figure 1: Assumed environment

On-premises DNS Server

Since the connectivity between Azure and on-premises is already in place, using the on-premises DNS server to answer DNS queries from Azure workloads is the most straightforward way to provide DNS to the Azure environment.

Once the DNS server IP is set on the virtual network or the network interface, DNS queries are sent to the on-premises DNS server through the ExpressRoute or VPN tunnel. The traffic flow is:

  • Source: Azure VM IP address
    Destination: On-premises DNS server IP address
    Route to: ExpressRoute / VPN gateway


This is the simplest approach to handling DNS requests in Azure when an on-premises DNS server already exists. There is no complex setup: finish the hybrid network connectivity, make sure the route exists and the traffic (UDP and TCP port 53 to the DNS server) is allowed by the NSGs and the on-premises firewall, and then the only remaining configuration is the DNS setting on the virtual network or network interface.
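The configuration steps above, as an added Az PowerShell example that is not part of the original article. Resource group, VNet, NSG and NIC names, the two on-premises resolver addresses and the record name `app01.corp.example` are placeholders; step 4 is run on a VM inside the VNet, not in the Az session.

```powershell
# Added example (not from the original article): point a VNet at on-premises DNS
# servers, allow only the DNS traffic that is needed, and verify the path.
# All names and IP addresses below are placeholders.
$rg        = 'rg-hub-prod'
$vnetName  = 'vnet-hub-prod'
$nsgName   = 'nsg-workload'
$nicName   = 'vm-app01-nic'
$onPremDns = @('10.0.0.4', '10.0.0.5')   # two on-premises resolvers for redundancy

# 1. Set custom DNS servers at the virtual-network level (applies to every NIC
#    in the VNet that does not override DNS at the NIC level).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = $onPremDns
$vnet | Set-AzVirtualNetwork | Out-Null
# VMs pick the change up on DHCP lease renewal: restart them or renew the lease.

# 2. If the NSG carries explicit outbound deny rules, add an allow rule ahead of
#    them that is scoped to the resolver IPs and port 53 only (UDP and TCP).
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-OnPrem-DNS' `
    -Description 'DNS to the on-premises resolvers only' `
    -Access Allow -Protocol '*' -Direction Outbound -Priority 200 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationAddressPrefix $onPremDns -DestinationPortRange 53 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# 3. Confirm the effective route towards the resolvers points at the gateway
#    (NextHopType VirtualNetworkGateway for ExpressRoute or VPN).
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName $nicName |
    Where-Object { $_.NextHopType -eq 'VirtualNetworkGateway' } |
    Select-Object AddressPrefix, NextHopType, State

# 4. On a VM in the VNet: check each resolver answers, for an on-premises name
#    and for a public name (the latter proves the server's forwarders work).
foreach ($dns in $onPremDns) {
    Test-NetConnection -ComputerName $dns -Port 53 |
        Select-Object ComputerName, TcpTestSucceeded
    Resolve-DnsName -Name 'app01.corp.example' -Server $dns -Type A   # on-premises record
    Resolve-DnsName -Name 'www.microsoft.com'  -Server $dns -Type A   # public record via forwarders
}
```

Listing two resolvers matters: a single on-premises server combined with a single tunnel makes every name lookup in Azure depend on two single points of failure, which is the availability concern discussed below.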

This design allows resolution of on-premises DNS records, and once the forwarders (or root hints) on the on-premises DNS server are configured correctly, public DNS records can be resolved as well.

Setup is fast, the design is simple, and the cost is the lowest of the options because no additional resources need to be provisioned on Azure.


However, from a Well-Architected point of view, this approach may not be the best practice for DNS on Azure.

First, the design above forces all DNS queries to be sent to the on-premises DNS server, so the load on that server and on the tunnel between Azure and the datacenter increases. The traffic may not be significant initially, but as the business expands the number of DNS queries grows, and with it the load on the on-premises DNS server and on the ExpressRoute or VPN connection.

From a high-availability perspective, services on Azure depend on the ExpressRoute or VPN tunnel for every DNS query, so an incident in the hybrid network connection can take services on Azure down even when the Azure resources themselves are healthy.

In addition, this approach does not handle Azure Private DNS zones well. If the on-premises DNS server is asked to resolve a record that lives in an Azure Private DNS zone (for example the privatelink zone of a private endpoint), the only option in this design is to enter the record manually on the on-premises DNS server. This requires ongoing operational effort, and the effort grows as the use of private endpoints increases.
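The manual record maintenance described above, as an added example that is not part of the original article. Part A runs in an Az PowerShell session and collects the name/IP pairs of every private endpoint in a resource group; Part B runs on the on-premises Windows DNS server and creates or refreshes the matching records. The resource group name, the CSV hand-off between the two hosts, and the assumption that every endpoint's public FQDN maps to a `privatelink` zone by inserting that label after the first one are all assumptions of this example.

```powershell
# Added example (not from the original article): keeping on-premises DNS in sync
# with Azure private endpoints by hand. Names and the CSV hand-off are placeholders.
# Note: with custom DNS servers set on the VNet, Azure VMs no longer consult the
# Azure Private DNS zone (that needs 168.63.129.16), so the on-premises copy is
# the only source of truth for them too.

# --- Part A (Az PowerShell session): read what each private endpoint resolves to ---
$rg = 'rg-app-prod'
$records = foreach ($pe in Get-AzPrivateEndpoint -ResourceGroupName $rg) {
    # CustomDnsConfigs carries the service's public FQDN and the private IP(s).
    foreach ($cfg in $pe.CustomDnsConfigs) {
        $labels = $cfg.Fqdn.Split('.')
        [pscustomobject]@{
            # Assumed standard privatelink naming: stfoo.blob.core.windows.net ->
            # zone privatelink.blob.core.windows.net, record stfoo
            Zone = ('privatelink.' + ($labels[1..($labels.Length - 1)] -join '.'))
            Name = $labels[0]
            IP   = $cfg.IpAddresses[0]
        }
    }
}
$records | Export-Csv -Path .\pe-records.csv -NoTypeInformation

# --- Part B (on-premises Windows DNS server, DnsServer module) ---
$records = Import-Csv -Path .\pe-records.csv

# Create each privatelink zone once. Being authoritative for it here is what makes
# the public CNAME (stfoo.blob.core.windows.net -> stfoo.privatelink.blob.core.windows.net)
# land on the private IP for on-premises and Azure clients alike.
foreach ($zone in ($records.Zone | Sort-Object -Unique)) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain
    }
}

# Replace rather than append, so an endpoint whose IP changed does not leave a
# stale record behind. Short TTL limits how long a stale answer is cached.
foreach ($r in $records) {
    $existing = Get-DnsServerResourceRecord -ZoneName $r.Zone -Name $r.Name -RRType A `
                    -ErrorAction SilentlyContinue
    if ($existing) {
        $existing | Remove-DnsServerResourceRecord -ZoneName $r.Zone -Force
    }
    Add-DnsServerResourceRecordA -ZoneName $r.Zone -Name $r.Name -IPv4Address $r.IP `
        -TimeToLive (New-TimeSpan -Minutes 5)
}
```

Every new private endpoint, and every IP change on an existing one, means re-running both parts; a record that is forgotten or left stale silently sends traffic to the public endpoint instead of the private one, which is the operational risk the paragraph above points to.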


To conclude, using the on-premises DNS server to answer DNS queries from workloads on Azure is a straightforward approach that requires minimal setup. It suits businesses that are newly building on the cloud, test environments, and environments with no requirement to resolve records in Azure Private DNS zones.

In the long term, however, as cloud adoption grows, this is unlikely to be the optimal DNS management approach for the cloud environment.

In the next article we will discuss another approach, the cloud-native solution: Azure DNS Private Resolver.

Simon Lee

Cloud & Data Engineer, SOS Group Limited

SOS Group Limited © 2024. All Rights Reserved.