
ABCS25: DNS in hybrid cloud environments - can it be that hard? by Marcel Zehner

In short, no, DNS is not simple. It has been around for decades and is an essential component of a hybrid cloud environment. Despite this, many environments still struggle when it comes to designing rock-solid hybrid DNS solutions, and trust me, it comes with a lot of pitfalls! After attending this session, you will know what you need to know, and how to avoid name resolution disasters.
🙂 MARCEL ZEHNER ⚡️ Microsoft Cloud Champion @ SoftwareONE | Microsoft Azure MVP & Microsoft Regional Director


Transcript

  1. DNS in hybrid cloud environments: Can it be that difficult?
    Marcel Zehner | districtUP, Microsoft Regional Director & Azure MVP, [email protected]
  3. About Marcel
    ▪ Cloud Architect & Trainer
    ▪ Microsoft MVP & RD
    ▪ Public Speaker
    ▪ Poker Player
    ▪ Piano Virtuoso
    About districtUP
    ▪ Microsoft Entra ID Services
    ▪ Microsoft Azure Services
    ▪ Live from July 2025
  4. Where DNS comes into play
    ▪ A service needs to translate FQDNs into IP addresses
    ▪ When accessing Internet resources
      ▪ Websites, public APIs etc.
    ▪ When accessing private resources
      ▪ On-premises (servers, printers etc.)
      ▪ Azure (virtual machines, private endpoints etc.)
      ▪ Hybrid environments
  5. Azure Virtual Networks | General
    ▪ Core of connectivity in Azure
    ▪ Name and IP address range
    ▪ Divided into subnets
    ▪ Used to enable network connectivity for services
      ▪ E.g. virtual machines (using a NIC)
    ▪ IP addresses assigned dynamically
      ▪ Infinite lease duration
    ▪ DNS IP addresses assigned dynamically
  6. Azure Virtual Networks | DNS Assignment
    ▪ Two DNS IP address assignment options
      ▪ Azure DNS running on 168.63.129.16
      ▪ Custom DNS servers
    ▪ NICs in the virtual network inherit this setting
      ▪ Override possible
      ▪ Only use when really needed
    ▪ Assign manually inside the OS
      ▪ Normally not recommended
  7. Azure Virtual Networks | Public Name Resolution
    ▪ Azure-provided DNS is non-authoritative
    ▪ Forwards any request to other Internet DNS servers
      ▪ No custom forwarding by default
    ▪ Sends the result back to the original requester
      ▪ E.g. a virtual machine
  8. Azure Private DNS Zones | General
    ▪ Used for private, internal name resolution
    ▪ Modern PaaS alternative to classic DNS management solutions
      ▪ Can be managed as code
    ▪ Hosted on Azure internal DNS servers
      ▪ Not exposed to the public Internet – server IPs unknown
    ▪ Zones must be linked to a virtual network
      ▪ Names can be resolved from within this (and only this) virtual network by default
  9. Azure Private DNS Zones | Linking
    ▪ Virtual network linking makes the private DNS zone accessible within the linked virtual network
      ▪ For name resolution
    ▪ Optional: auto-registration
      ▪ Registers virtual machine names automatically in the zone
      ▪ For other services: records need to be created manually
    ▪ Important: Only one private DNS zone per subnet can be enabled for auto-registration!
  10. Azure Private DNS Zones | Multiple Virtual Networks
    ▪ Zones can be linked to multiple virtual networks
      ▪ Not strictly recommended
    ▪ Auto-registration can be enabled for the same zone from multiple virtual networks
  11. Private Endpoints | General
    ▪ Most PaaS services come with public endpoints
      ▪ Reachable from the Internet
      ▪ Side note: This is not a bad thing in general if you know how to deal with it
    ▪ Private endpoints assign private IP addresses to PaaS services
      ▪ Additional complexity
      ▪ Optional: Disable public endpoints afterwards if only private access is needed
  12. Private Endpoints | Private Endpoint Name Resolution
    ▪ Needs additional private name resolution
      ▪ Name resolution process changes after configuration
    ▪ Special private DNS zones are needed
      ▪ Each service uses its own specific namespace
      ▪ Examples:
        ▪ Blob storage > “privatelink.blob.core.windows.net”
        ▪ SQL > “privatelink.database.windows.net”
  13. [Diagram: storage account dstodemo2, blob service endpoint dstodemo2.blob.core.windows.net, reached from the Internet]
    ▪ Endpoint URI is a CNAME (alias) that points to the “real” host
    ▪ The “real” host is an A record that points to a public IP address
    ▪ All managed by Microsoft
  14. [Diagram: virtual network with a private endpoint subnet and NIC in front of storage account dstodemo2, blob service endpoint dstodemo2.blob.core.windows.net]
    ▪ Endpoint URI is still a CNAME, but now points to mystorage.privatelink…
    ▪ mystorage.privatelink… is an A record that points to a private IP address
    ▪ Managed by you
  15. Private Endpoints | Challenge
    ▪ Private DNS zone is only accessible from within the Azure virtual network
    ▪ Name resolution from the Internet still translates to the public IP address
    ▪ Same is true if you have multiple Azure virtual networks
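The CNAME chains on slides 13 to 15 are easier to reason about when you can walk them. The following toy resolver is an added example (not code from the deck or from Microsoft): it models the storage account dstodemo2 before and after a private endpoint exists, resolved once from the Internet and once from a virtual network that has the privatelink zone linked. Zone contents, the backend host name blob.cluster01.store.core.windows.net and all IP addresses are constructed samples. The model also assumes Azure's behaviour that a linked private DNS zone is authoritative for its whole namespace inside the virtual network, so a name that is missing from the zone gets NXDOMAIN instead of falling back to public DNS, which is the classic pitfall when a privatelink zone is linked but a record was never created.

```python
# Added example (not from the deck): toy resolver for the private endpoint CNAME chain.
# Zone data, backend host and IP addresses are constructed samples.
from dataclasses import dataclass

MAX_CNAME_HOPS = 8


@dataclass
class Zone:
    name: str      # zone apex, e.g. "privatelink.blob.core.windows.net"
    records: dict  # owner name relative to the apex -> (rrtype, value)

    def covers(self, fqdn: str) -> bool:
        return fqdn == self.name or fqdn.endswith("." + self.name)

    def lookup(self, fqdn: str):
        if not self.covers(fqdn):
            return None
        rel = "@" if fqdn == self.name else fqdn[: -len(self.name) - 1]
        return self.records.get(rel)


class Resolver:
    """Public zones model Microsoft-managed DNS; private zones model Azure
    Private DNS zones linked to the querying client's virtual network."""

    def __init__(self, public_zones, private_zones=()):
        self.public = list(public_zones)
        self.private = list(private_zones)

    def _find(self, fqdn):
        for zone in self.private:   # assumption: a linked private zone is authoritative for
            if zone.covers(fqdn):   # its namespace, so a missing record means NXDOMAIN
                return zone.lookup(fqdn), "private"
        for zone in self.public:
            rec = zone.lookup(fqdn)
            if rec is not None:
                return rec, "public"
        return None, None

    def resolve(self, fqdn: str) -> dict:
        chain = [fqdn]
        for _ in range(MAX_CNAME_HOPS):
            rec, source = self._find(chain[-1])
            if rec is None:
                return {"status": "NXDOMAIN", "chain": chain}
            rrtype, value = rec
            if rrtype == "A":
                return {"status": "NOERROR", "ip": value, "source": source, "chain": chain}
            chain.append(value)     # CNAME: follow the alias
        return {"status": "SERVFAIL", "chain": chain}   # alias loop or chain too long


BACKEND = "blob.cluster01.store.core.windows.net"   # constructed "real" host name

# Slide 13: public CNAME -> A chain, all Microsoft-managed, before a private endpoint exists.
PUBLIC_BEFORE = [
    Zone("blob.core.windows.net", {"dstodemo2": ("CNAME", BACKEND)}),
    Zone("store.core.windows.net", {"blob.cluster01": ("A", "203.0.113.10")}),  # sample public IP
]

# Slides 14/15: after the private endpoint the public alias goes via privatelink.*;
# from the Internet the chain still ends at the public IP.
PUBLIC_AFTER = [
    Zone("blob.core.windows.net", {
        "dstodemo2": ("CNAME", "dstodemo2.privatelink.blob.core.windows.net"),
        "otheracct": ("CNAME", "otheracct.privatelink.blob.core.windows.net"),
    }),
    Zone("privatelink.blob.core.windows.net", {
        "dstodemo2": ("CNAME", BACKEND),
        "otheracct": ("CNAME", BACKEND),
    }),
    Zone("store.core.windows.net", {"blob.cluster01": ("A", "203.0.113.10")}),
]

# The privatelink zone you manage, linked to the VNet: only dstodemo2 has a private endpoint.
PRIVATELINK_ZONE = Zone("privatelink.blob.core.windows.net",
                        {"dstodemo2": ("A", "10.1.2.4")})  # sample private endpoint NIC address


def resolve_from_internet(fqdn, private_endpoint_configured):
    zones = PUBLIC_AFTER if private_endpoint_configured else PUBLIC_BEFORE
    return Resolver(zones).resolve(fqdn)


def resolve_from_vnet(fqdn, privatelink_zone_linked=True):
    private = [PRIVATELINK_ZONE] if privatelink_zone_linked else []
    return Resolver(PUBLIC_AFTER, private).resolve(fqdn)


if __name__ == "__main__":
    name = "dstodemo2.blob.core.windows.net"
    print("Internet, before PE  :", resolve_from_internet(name, False))
    print("Internet, after PE   :", resolve_from_internet(name, True))
    print("VNet, zone linked    :", resolve_from_vnet(name))
    print("VNet, zone not linked:", resolve_from_vnet(name, privatelink_zone_linked=False))
    print("VNet, record missing :", resolve_from_vnet("otheracct.blob.core.windows.net"))
```

The last case is the one to watch in real environments: linking the privatelink zone to a virtual network changes resolution for every storage account in that namespace, not only for the one that has a private endpoint, so accounts without a record in the zone stop resolving from that network.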
  16. Hybrid & Scale | Challenges
    ▪ What if you want to …
      ▪ Access private DNS zones from other Azure virtual networks or on-prem?
        ▪ Private DNS zones are only available in the virtual network they are linked to
      ▪ Access private endpoints from other Azure virtual networks or on-prem?
        ▪ Privatelink DNS zones are only available in the virtual network they are linked to
      ▪ Resolve names from Azure when DNS zones are managed on an on-premises DNS server?
        ▪ Azure DNS forwards all traffic to the Internet
  17. Hybrid & Scale | Solution 1
    ▪ Install a forwarder DNS server in that virtual network
      ▪ A VM that is under our control and has a private IP address
    ▪ Used as the forwarding target from on-premises; it then forwards requests on to Azure DNS
    ▪ Same is true from other Azure virtual networks
  18. [Diagram (Solution 1): on-premises Servers and DNS VM with a Conditional Forwarder for DNS Zone onprem-local.ch; Azure Virtual Network with DNS VM, Azure DNS 168.63.129.16, Private DNS districtup-internal.ch, Private DNS privatelink.blob.core…, WP; Internet]
  19. Hybrid & Scale | Solution 2
    ▪ Use the Azure DNS Private Resolver PaaS service
    ▪ Has various endpoints in the Azure virtual network
      ▪ Inbound endpoints > to send requests to it
        ▪ E.g. from on-premises
      ▪ Outbound endpoints > to forward requests to other DNS servers
        ▪ Rule set to control conditional forwarding
  20. [Diagram (Solution 2): Azure Virtual Network with Azure DNS 168.63.129.16, Private DNS districtup-internal.ch, Private DNS privatelink.blob.core…, WP, and a DNS Private Resolver with Inbound and Outbound endpoints and a Rule Set for Conditional Forwarding; on-premises DNS VM with Conditional Forwarding for DNS Zone onprem-local.ch; Internet]
  21. Simple Reference Architecture | Single Region
    [Diagram: Hub Network; DNS Network (governed subscription) with DNS Private Resolver (Rule Set, Outbound, Inbound), Private DNS Zones and Privatelink DNS Zones; App Network 1 … App Network n with VMs; On-Premises DNS with Conditional Forwarder]
  22. DNS is King
    ▪ DNS is a key element that requires proper planning
    ▪ Do this right from the very beginning or it will cause a lot of pain later
  23. Governance
    ▪ You must govern your Azure environment
    ▪ Avoid having multiple DNS zones with the same name, or you might run into massive issues
      ▪ There are exceptions to this, e.g. when it comes to multi-region setups
    ▪ Use Azure Policy to govern subscriptions
      ▪ Block DNS zone creation (all, or those that start with “privatelink.”)
      ▪ Enable automatic private endpoint DNS registration in the centralized DNS zone
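As an added example of the governance points on slide 23 (not code from the deck, and not an Azure Policy definition), the audit below runs over a constructed inventory of private DNS zones and flags the two things the slide warns about: the same zone name existing more than once, and privatelink.* zones living outside the central subscription. The subscription name sub-connectivity, the resource groups and the zone list are made up; the multi-region allowlist models the exception the slide mentions and is an assumption of this example. In practice the inventory would come from listing zones across subscriptions, e.g. with `az network private-dns zone list`.

```python
# Added example (not from the deck): governance audit over a constructed zone inventory.
# Subscription, resource group and zone names are made up.
from collections import defaultdict

CENTRAL_SUBSCRIPTION = "sub-connectivity"   # assumed governed hub/DNS subscription

# Constructed inventory: (subscription, resource group, zone name).
INVENTORY = [
    ("sub-connectivity", "rg-dns",     "privatelink.blob.core.windows.net"),
    ("sub-connectivity", "rg-dns",     "privatelink.database.windows.net"),
    ("sub-connectivity", "rg-dns",     "districtup-internal.ch"),
    ("sub-app-team-a",   "rg-app-a",   "privatelink.blob.core.windows.net"),  # shadow copy
    ("sub-app-team-b",   "rg-app-b",   "team-b.internal"),
    ("sub-connectivity", "rg-dns-weu", "privatelink.azurecr.io"),             # one per region
    ("sub-connectivity", "rg-dns-neu", "privatelink.azurecr.io"),
]


def audit_zones(inventory, central=CENTRAL_SUBSCRIPTION, multi_region_allowlist=frozenset()):
    """Return governance findings as (rule, zone, details) tuples."""
    findings = []
    locations = defaultdict(list)
    for subscription, resource_group, zone in inventory:
        zone = zone.lower().rstrip(".")
        locations[zone].append((subscription, resource_group))
        if zone.startswith("privatelink.") and subscription != central:
            findings.append(("privatelink_outside_central", zone, (subscription, resource_group)))
    for zone, places in locations.items():
        # duplicates are a finding unless the zone is on the multi-region allowlist (assumption)
        if len(places) > 1 and zone not in multi_region_allowlist:
            findings.append(("duplicate_zone", zone, tuple(sorted(places))))
    return findings


def policy_denies_zone(zone, subscription, central=CENTRAL_SUBSCRIPTION, block_all=False):
    """Model of the Azure Policy deny effect the slide describes: outside the central
    subscription, block every private DNS zone (block_all) or only privatelink.* zones."""
    if subscription == central:
        return False
    return block_all or zone.lower().startswith("privatelink.")


if __name__ == "__main__":
    for finding in audit_zones(INVENTORY, multi_region_allowlist={"privatelink.azurecr.io"}):
        print(finding)
    print(policy_denies_zone("privatelink.blob.core.windows.net", "sub-app-team-a"))   # True
    print(policy_denies_zone("team-b.internal", "sub-app-team-b"))                      # False
    print(policy_denies_zone("team-b.internal", "sub-app-team-b", block_all=True))      # True
```

The shadow copy in sub-app-team-a is exactly the situation the slide warns about: a virtual network linked to that copy resolves privatelink names from a zone the central team does not populate, so private endpoints registered centrally silently stop resolving there.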
  24. Connectivity Failure
    ▪ If on-prem to Azure connectivity fails, name resolution is impacted
      ▪ Private DNS zones
      ▪ Private endpoints
      ▪ Public endpoints that are conditionally forwarded to the Azure DNS Private Resolver or an Azure DNS VM
    ▪ No automatic fallback to the Internet, manual configuration needed
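The forwarding designs on slides 17 to 21 and the failure mode on slide 24 come down to one decision per query: which rule matches, and what happens when its targets are unreachable. The model below is an added example (not code from the deck or from the DNS Private Resolver product): it implements longest-suffix rule selection as a conditional forwarder or resolver rule set does, with "." as the catch-all rule, and then shows which classes of name an on-premises client loses when the link to Azure is down. Zone names come from the slides (onprem-local.ch, districtup-internal.ch, privatelink.blob.core.windows.net, Azure DNS 168.63.129.16); the inbound endpoint address 10.10.0.4 and the on-premises servers 10.0.0.10/11 are constructed, and `fallback_to_default` is this example's own switch for the manual fallback the slide says you have to configure yourself.

```python
# Added example (not from the deck): forwarding-rule selection and link-down behaviour.
# Addresses other than 168.63.129.16 are constructed samples.

AZURE_DNS = "168.63.129.16"
RESOLVER_INBOUND = "10.10.0.4"             # assumed DNS Private Resolver inbound endpoint
ONPREM_DNS = ["10.0.0.10", "10.0.0.11"]    # assumed on-premises DNS servers

# On-premises conditional forwarders: Azure-hosted namespaces go to the inbound endpoint.
# The public namespace blob.core.windows.net is forwarded too, so the CNAME to privatelink.*
# is followed inside Azure and private endpoints answer with their private IP.
ONPREM_RULES = {
    "districtup-internal.ch": [RESOLVER_INBOUND],
    "privatelink.blob.core.windows.net": [RESOLVER_INBOUND],
    "blob.core.windows.net": [RESOLVER_INBOUND],
}

# DNS Private Resolver outbound rule set: on-prem zone to on-prem servers, "." for the rest.
AZURE_OUTBOUND_RULES = {
    "onprem-local.ch": ONPREM_DNS,
    ".": [AZURE_DNS],
}


def _normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def select_rule(rules: dict, fqdn: str):
    """Return the rule key with the longest matching domain suffix ("." matches everything)."""
    name = _normalize(fqdn)
    best_key, best_len = None, -1
    for key in rules:
        suffix = _normalize(key)
        matches = suffix == "" or name == suffix or name.endswith("." + suffix)
        if matches and len(suffix) > best_len:
            best_key, best_len = key, len(suffix)
    return best_key


def route_query(fqdn, rules, reachable, default="internet", fallback_to_default=False):
    """Decide where a query goes. `reachable` is the set of target servers currently up.
    When every target of the matched rule is down there is no automatic fallback
    (SERVFAIL) unless fallback_to_default was configured explicitly."""
    rule = select_rule(rules, fqdn)
    if rule is None:
        return {"name": fqdn, "rule": None, "via": default, "status": "OK"}
    live = [t for t in rules[rule] if t in reachable]
    if live:
        return {"name": fqdn, "rule": rule, "via": live[0], "status": "OK"}
    if fallback_to_default:
        return {"name": fqdn, "rule": rule, "via": default, "status": "FALLBACK"}
    return {"name": fqdn, "rule": rule, "via": None, "status": "SERVFAIL"}


def onprem_link_status(link_up: bool) -> dict:
    """Resolution status per name class for an on-prem client with the Azure link up or down."""
    reachable = {RESOLVER_INBOUND} if link_up else set()
    names = ["app.districtup-internal.ch",                   # private DNS zone
             "dstodemo2.privatelink.blob.core.windows.net",  # private endpoint
             "dstodemo2.blob.core.windows.net",              # public endpoint forwarded to Azure
             "www.example.com"]                              # plain Internet name
    return {n: route_query(n, ONPREM_RULES, reachable)["status"] for n in names}


if __name__ == "__main__":
    print("Azure outbound:", route_query("fileserver.onprem-local.ch", AZURE_OUTBOUND_RULES,
                                         {AZURE_DNS, *ONPREM_DNS}))
    print("Azure outbound:", route_query("www.example.com", AZURE_OUTBOUND_RULES, {AZURE_DNS}))
    print("Link up  :", onprem_link_status(True))
    print("Link down:", onprem_link_status(False))
    print("Fallback :", route_query("dstodemo2.blob.core.windows.net", ONPREM_RULES, set(),
                                     fallback_to_default=True))
```

Note what the fallback buys you: with the link down, forwarding blob.core.windows.net to the Internet instead makes the name resolve again, but to the public IP, so it only helps if the public endpoint is still enabled and that path is acceptable for the client. Names that exist only in private zones have nowhere to fall back to.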
  25. Architecture
    ▪ Use DNS Private Resolver instead of DNS forwarder VMs
    ▪ Place it in a spoke virtual network, not the hub
      ▪ Hub network should be minimal
      ▪ No compute, only services that cannot be placed in a spoke network
    ▪ Multi-region is possible, but comes with some additional challenges
    ▪ If you use Azure Firewall (or any NVA), DNS requests could be proxied through that service