
There are a number of moving parts here, so I'll try to bullet-point the setup (PS: all of the domain names and IP addresses below are fictitious).

Azure Classic

  • I have an Azure AD Domain Service for "mydomain.com".
  • In the properties page for that domain service, the IP addresses are 1.2.3.4 and 1.2.3.5.
  • This is inside a Classic VNET (ClassicVNET) - Address space 1.2.3.0/24

Azure RM

  • In AzureRM, I have a VNET (VNET1)
  • On that VNET, the DNS Servers are set to my Azure Domain Service from above (1.2.3.4 and 1.2.3.5). I'm not using the "Default - Azure Provided" DNS option.
  • This ARM VNET (VNET1) is peered with the classic VNET above (ClassicVNET).

Virtual Machines (SQL)

  • I have 3 VMs running SQL Server. All three VMs are in the VNET1 network, so their DNS servers are 1.2.3.4 and 1.2.3.5.
  • All 3 VMs are joined to the AD domain (mydomain.com).
  • I used the Windows Administration "DNS tool" to create some "A" records for mydomain.com (x.y.mydomain.com and a.b.mydomain.com).
  • If I do an nslookup on any of the VM machines for these "A" records, they resolve properly.
  • Since the DNS query to my "mydomain.com" domain works in the VM, I'm assuming my network connections between the two VNETs (the ARM one and the classic one) are correct.

Azure App Service

  • I also have an app service (AppService1).
  • In the Networking property for this app service, I've set up a VNET connection to my ARM VNET (VNET1).
  • If I click on the "click here to configure" for VNET integration, I can see the DNS servers are picked up from the VNET (1.2.3.4 and 1.2.3.5).
  • I have a connection string for the app service referencing "x.y.mydomain.com" but I get timeouts trying to use it.
  • If I go to the Kudu console, jump to a PowerShell prompt and enter nameresolver x.y.mydomain.com, I get a DNS timeout.

I can't figure out why the app service (with its VNET integration) can't access the DNS servers but the VMs can (and the VMs and app service are both accessing the same VNET). And, yes, if I use the IP address the "A" record points to, everything works fine (so I know the app service has proper connectivity to the ARM VNET and the SQL Servers on that network).

Any ideas?
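A check I would run on one of the SQL VMs in VNET1 to separate "DNS server unreachable" from "record does not resolve" from "SQL port blocked" (an added example, not from the question or answer; the addresses and record names are the post's fictitious ones, and port 1433 is an assumed default):

```powershell
# Added diagnostic, not from the original post. Run on a VM in VNET1 and compare with
# what the App Service sees. Values below are the post's fictitious ones.
$DnsServers = @('1.2.3.4', '1.2.3.5')                  # AAD DS addresses set on the VNet
$Records    = @('x.y.mydomain.com', 'a.b.mydomain.com') # the A records created in DNS
$SqlPort    = 1433                                     # assumption: default SQL Server port

foreach ($dns in $DnsServers) {
    # Is the DNS server reachable at all? TCP/53 exercises routing to the server.
    $tcp = Test-NetConnection -ComputerName $dns -Port 53 -WarningAction SilentlyContinue
    "{0} TCP/53 reachable: {1}" -f $dns, $tcp.TcpTestSucceeded

    foreach ($name in $Records) {
        try {
            # Query this server directly, bypassing the local cache and hosts file
            $answer = Resolve-DnsName -Name $name -Type A -Server $dns -DnsOnly -ErrorAction Stop
            $ips = ($answer | Where-Object { $_.Type -eq 'A' }).IPAddress
            "  {0} -> {1}" -f $name, ($ips -join ', ')

            # DNS worked, so also confirm the SQL port behind the record is open
            foreach ($ip in $ips) {
                $sql = Test-NetConnection -ComputerName $ip -Port $SqlPort -WarningAction SilentlyContinue
                "    {0}:{1} reachable: {2}" -f $ip, $SqlPort, $sql.TcpTestSucceeded
            }
        } catch {
            # Timeout or NXDOMAIN lands here; the message says which
            "  {0} via {1} FAILED: {2}" -f $name, $dns, $_.Exception.Message
        }
    }
}
```

In the Kudu console the equivalent probes are nameresolver.exe (per-server lookup) and tcpping.exe (port reachability), since the App Service sandbox does not expose these cmdlets.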

1 Answer


I can't figure out why the app service (with its VNET integration) can't access the DNS servers but the VMs can (and the VMs and app service are both accessing the same VNET).

Because the app service and the VMs are not in the same VNet.

When you set up a VNET connection to your ARM VNET (VNET1), the app service and the VNet connect via VPN:

If your target virtual network already exists, it must have point-to-site VPN enabled with a Dynamic routing gateway before it can be connected to an app. If your gateway is configured with Static routing, you cannot enable point-to-site Virtual Private Network (VPN).

So, your classic AAD DS connects to your Vnet1 via site-to-site VPN, and your Vnet1 and your app service connect via point-to-site VPN, but the app service can't connect to AAD DS.

               S2S VPN               p2s vpn
   AAD DS <-------------> Vnet1 <----------> App service
     |                                           |
     -------------------Can't connect-------------

As a workaround, maybe you can use AAD DS (ARM). In this way, you can use an ARM VNet to create AAD DS, and then your app can use a point-to-site VPN to connect to this VNet.

Hope this helps.

Jason Ye
  • So the App Service can get to the resources in VNET1, but it can't reach the AAD DS through VNET1? I'm more of a developer than a network guy so I may not be understanding some networking concepts. To me, it seems like if App Service can talk to VNET1 and VNET1 has a connection to AAD DS, then the App Service should be able to talk to AAD DS through the VNET1 connection -- but it sounds like that is not the case? – PatrickSteele Feb 01 '18 at 13:43
  • @PatrickSteele app can’t talk to AAD DS. Can’t cross vpn. – Jason Ye Feb 01 '18 at 13:46
  • Thanks for the confirmation. So, based on what you're saying, there is *no way* for the app service to be able to access those two DNS servers (and still be able to access the VMs in VNET1)? – PatrickSteele Feb 01 '18 at 14:07
  • @PatrickSteele can you try to use Resource Manager AAD DS? In that way, AAD DS and the VMs are in the same VNet, and the app uses VPN to connect to that VNet. – Jason Ye Feb 01 '18 at 14:10
  • Possibly. We already have a decent amount of infrastructure set up (6 VMs across two regions, SQL High Availability Groups with VNET peerings, etc...) so I'd have to see how much work that would take to rebuild the AAD DS in RM and remove the one in the Classic side. I assume there's no way to "move" the existing DS to ARM? :) – PatrickSteele Feb 01 '18 at 14:39
  • @PatrickSteele Azure does not support moving AAD DS to ARM. – Jason Ye Feb 01 '18 at 14:40
  • Your other option is to use an App Service Environment (ASE). It's significantly more expensive, but it does actually join the vNet and should be able to communicate across the VPN. – Sam Cogan Feb 01 '18 at 20:21