In the previous post, we learned about Azure Public DNS, which resolves domain names to public IP addresses. In this post we discuss the options (such as Azure Private DNS) available when we want to resolve the domain names of resources and Azure services in a VNet to internal or private IP addresses.
There are three ways to achieve this domain-name-to-internal-IP resolution:
- Azure-provided DNS
- Azure DNS Private Zones
- Name resolution that uses your own custom DNS server
Which of these methods to select depends on how your resources need to communicate.
Azure Provided DNS
It is a free, default DNS service provided by Azure in each VNet, hosted at the IP address 168.63.129.16. It is created together with the VNet and supports auto-registration. With this service the DNS zone names and records are managed automatically by Azure, so you cannot control the DNS zone names or the life cycle of the DNS records.
Any VM created in the VNet is registered in the internal DNS zone and gets a DNS domain name of the form VMNAME.internal.cloudapp.net. The namespace Azure uses for this service is .internal.cloudapp.net.
Azure Private DNS Zones
Azure Private DNS zones provide name resolution for internal resources only and are not accessible from the internet. The scope of these zones is global, meaning they can resolve domain names for resources in any region, any subscription, any linked VNet or any tenant. Private DNS zones are replicated across multiple Azure regions, which provides high availability.
Benefits of Azure Private DNS
Azure Private DNS zones provide more flexibility than the default Azure-provided DNS. Some benefits of Azure Private DNS:
- Configure a custom DNS name for a zone instead of Azure provided names.
- Create records manually when necessary. Auto-registration can still be used to create records automatically, based on the resource name, when a resource is created. When the resource is stopped and deallocated, the records are deleted automatically.
- Permit name resolution across different Regions & Zones.
- Permit name resolution across different VNets. The VNets do not need to be peered; you only need to link them to the Azure Private DNS zone.
- Support the full range of DNS record types: A, AAAA, CNAME, MX, PTR, SOA, SRV and TXT records.
How to create Azure Private Zone?
Private DNS zones can be created directly from the Azure Portal:
Search for Private DNS zones > Click Create
Next, fill in the options on the creation screen and click Review + Create.
Once the private DNS zone has been created, you have to link VNets to it before it can be used for name resolution.
Link VNETs to Private DNS Zone
Each VNet in Azure has a default Azure-provided DNS service at IP 168.63.129.16. If necessary, the use of this default DNS service can be overridden by configuring an alternate DNS server at the VM NIC level.
There are two ways to link VNets to a private zone:
- Registration: Each VNet can register with only one private DNS zone, but up to a hundred VNets can be linked to the same private DNS zone with registration enabled.
- Resolution: There may be several private DNS zones for different namespaces. You can link a virtual network to each of these zones for name resolution; each virtual network can be linked to up to a thousand private DNS zones for resolution.
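The zone-and-link setup described above, expressed as a Bicep template. This is an added example and not code from the original post: it creates a private DNS zone, links one existing VNet with auto-registration enabled, links a second VNet for resolution only (no peering needed), and adds a manually managed A record. The zone name, VNet resource IDs, record name and IP address are placeholders to be replaced with your own values.

```bicep
// Added example (not from the original post): private DNS zone with one
// registration link, one resolution-only link and a manual A record.
// All names, resource IDs and addresses below are placeholders.

@description('Name of the private DNS zone (placeholder value)')
param zoneName string = 'corp.example.internal'

@description('Resource ID of the VNet whose VMs should auto-register (placeholder)')
param registrationVnetId string

@description('Resource ID of a second VNet that only needs resolution (placeholder)')
param resolutionVnetId string

@description('Private IP of a service that is registered by hand (placeholder)')
param serviceIp string = '10.0.1.4'

// Private DNS zones are global resources and are not tied to a region.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: zoneName
  location: 'global'
}

// Registration link: VMs in this VNet get their A records created and removed
// automatically. A VNet can have only one registration-enabled link, so a
// second such link for the same VNet (to any zone) is rejected at deployment.
resource registrationLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'link-hub-registration'
  location: 'global'
  properties: {
    virtualNetwork: {
      id: registrationVnetId
    }
    registrationEnabled: true
  }
}

// Resolution-only link: VMs in this VNet can resolve names in the zone but are
// not registered in it. The two VNets do not need to be peered for this.
resource resolutionLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'link-spoke-resolution'
  location: 'global'
  properties: {
    virtualNetwork: {
      id: resolutionVnetId
    }
    registrationEnabled: false
  }
}

// Manually managed record for a resource that does not register itself,
// for example an internal load balancer front end.
resource serviceRecord 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
  parent: zone
  name: 'svc'
  properties: {
    ttl: 300
    aRecords: [
      {
        ipv4Address: serviceIp
      }
    ]
  }
}

output zoneId string = zone.id
```

Deploy it into a resource group with `az deployment group create --resource-group <rg> --template-file private-dns.bicep --parameters registrationVnetId=<id> resolutionVnetId=<id>`. After deployment, a VM in the registration VNet resolves svc.corp.example.internal to 10.0.1.4 through the Azure-provided DNS, and a VM in the resolution VNet resolves both that record and the auto-registered VM names from the first VNet.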
Name Resolution that uses your own custom DNS server (Hybrid DNS)
If you have an external DNS server, such as an on-premises DNS server, you can use a custom DNS configuration in Azure to integrate the two.
To connect the external DNS to the Azure default DNS of a VNet, you create a DNS resolver within the VNet that forwards queries received from the external DNS to the Azure default DNS at 168.63.129.16.
- For DNS queries generated in the Azure virtual network that need to resolve on-premises DNS names, the query is forwarded to the IP addresses of the on-premises DNS servers specified in the forwarding rule set.
- For DNS queries generated in the on-premises network that need to resolve records in Azure Private DNS, you configure the on-premises DNS servers with conditional forwarders pointing at the DNS resolver created in the Azure VNet, which forwards the request to Azure Private DNS.
To enable this hybrid DNS connectivity you can either run a VM in the VNet as a DNS resolver or use the Azure DNS Private Resolver service.
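Both forwarding directions described above, built with the Azure DNS Private Resolver service as a Bicep template. This is an added example, not code from the original post: the inbound endpoint is the target that on-premises conditional forwarders point at, and the outbound endpoint plus a forwarding rule set send queries for an on-premises domain to the on-premises DNS servers. The VNet and subnet resource IDs, the domain name and the server addresses are placeholders; the two subnets are assumed to already be delegated to Microsoft.Network/dnsResolvers, which the service requires.

```bicep
// Added example (not from the original post): Azure DNS Private Resolver with
// an inbound endpoint, an outbound endpoint, a forwarding rule set and one rule.
// All resource IDs, names and addresses are placeholders.

param location string = resourceGroup().location

@description('Resource ID of the VNet that hosts the resolver (placeholder)')
param vnetId string

@description('Subnet delegated to Microsoft.Network/dnsResolvers for the inbound endpoint (placeholder)')
param inboundSubnetId string

@description('Subnet delegated to Microsoft.Network/dnsResolvers for the outbound endpoint (placeholder)')
param outboundSubnetId string

@description('On-premises domain to forward; the trailing dot is required (placeholder)')
param onPremDomain string = 'corp.example.com.'

@description('On-premises DNS servers reachable over VPN or ExpressRoute (placeholders)')
param onPremDnsServers array = [
  '10.100.0.10'
  '10.100.0.11'
]

resource resolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: 'dnsresolver-hub'
  location: location
  properties: {
    virtualNetwork: {
      id: vnetId
    }
  }
}

// Inbound endpoint: on-premises conditional forwarders for Azure zones point at
// this endpoint's private IP. It answers using Azure DNS (168.63.129.16), so it
// can resolve every private DNS zone linked to the VNet.
resource inbound 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'inbound'
  location: location
  properties: {
    ipConfigurations: [
      {
        subnet: {
          id: inboundSubnetId
        }
        privateIpAllocationMethod: 'Dynamic'
      }
    ]
  }
}

// Outbound endpoint: source of the queries forwarded to on-premises DNS.
resource outbound 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'outbound'
  location: location
  properties: {
    subnet: {
      id: outboundSubnetId
    }
  }
}

// Rule set: decides which domains are forwarded to which servers.
resource ruleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
  name: 'ruleset-onprem'
  location: location
  properties: {
    dnsResolverOutboundEndpoints: [
      {
        id: outbound.id
      }
    ]
  }
}

// Queries for the on-premises domain (and its subdomains) go to on-premises DNS.
resource onPremRule 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = {
  parent: ruleset
  name: 'corp-onprem'
  properties: {
    domainName: onPremDomain
    forwardingRuleState: 'Enabled'
    targetDnsServers: [for ip in onPremDnsServers: {
      ipAddress: ip
      port: 53
    }]
  }
}

// Linking the rule set to the VNet applies its rules to every VM in that VNet
// that uses the Azure-provided DNS.
resource rulesetLink 'Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks@2022-07-01' = {
  parent: ruleset
  name: 'link-hub'
  properties: {
    virtualNetwork: {
      id: vnetId
    }
  }
}

output inboundEndpointIp string = inbound.properties.ipConfigurations[0].privateIpAddress
```

The inboundEndpointIp output is the address to configure on-premises: on a Windows DNS server a conditional forwarder for the private zone would be created with `Add-DnsServerConditionalForwarderZone -Name corp.example.internal -MasterServers <inboundEndpointIp>`, and the on-premises firewall or VPN policy must allow UDP and TCP 53 from the on-premises DNS servers to that IP. In the other direction, nothing needs to change on the VMs: they keep using the Azure-provided DNS, and the rule set link makes queries for corp.example.com. leave through the outbound endpoint.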