
I'm migrating asp.net services that used to exist on a physical server on-premises to Azure. However they need to reach some web services (SOAP) that will not be migrated to Azure yet. These have a public IP, but I need to set the hostname in order for IIS to properly redirect the requests to the correct service, as there are several on the same server. Is there any way to create some sort of DNS server in Azure that is only available for the services created in Azure and that can resolve to the public IP address outside of Azure? (We have used the hosts file on the servers to achieve this previously.)

I tried using the private DNS Zones, but as I've understood it they can only point to other Azure services within the same vnet (correct me if I'm wrong). I've also tried creating a dnsmasq docker container. However, as this is running in a Linux container, it seems that I cannot put it in the same vnet as the asp.net app services. Thus I am unable to retrieve a private IP address that these services can use to reach the DNS server.

Chairbench

2 Answers

In my understanding it is now possible to use Azure DNS Private Zones if you want. You would need to use regional vnet integration to point your app's traffic to a vnet that is connected to the Private Zone. You need the following settings as well, which mean that all outbound traffic from the Web App is routed through the integrated vnet first, and that the Azure default DNS server is used for DNS.

  • WEBSITE_DNS_SERVER with value 168.63.129.16
  • WEBSITE_VNET_ROUTE_ALL with value 1

https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet#azure-dns-private-zones

If you don't want to use Azure DNS Private Zones, I think you can achieve similar results by directing the Web App to use a specific DNS server. This can be done using WEBSITE_DNS_SERVER and WEBSITE_DNS_ALT_SERVER app settings (the values are the IP addresses of the servers you want to use). This is the most authoritative public statement I can find about using these settings.

  1. Go to the web app -> Settings -> Application Settings -> App Settings section.
  2. Add the following (WEBSITE_NODE_DEFAULT should already be there):
     a. WEBSITE_DNS_SERVER, with the IP address of the primary DNS server as its value.
     b. WEBSITE_DNS_ALT_SERVER (optional), with the IP address of a second DNS server as its value.
  3. Then save the settings and restart the web app in the portal.
  4. Double-check that the web app can actually connect to the DNS server:
     a. In the Kudu console, run: Nameresolver.exe [hostname-to-lookup] [dns-server-to-use]
        The first argument should be the hostname you are trying to look up; the second argument is one of the DNS servers from step 2. If this times out, there is an issue with how your DNS servers are configured (firewalls, etc.).

https://github.com/MicrosoftDocs/azure-docs/issues/13927#issuecomment-416382230

If using these settings with a DNS server that is only accessible via private IP, you would need to use regional vnet integration again to connect to a vnet. If the DNS server is on-prem, you have to connect through the integrated vnet over VPN or ExpressRoute.

Dillon Brown

It's possible but not using the private DNS Zone.

According to Name resolution for resources in Azure virtual networks, for the scenario "Name resolution from App Service Web Apps in one virtual network to VMs in a different virtual network", you need to use your own DNS servers forwarding queries between virtual networks for resolution by Azure (DNS proxy). See Name resolution using your own DNS server.


In this case, you only need this Azure web app to be able to resolve the public IP address outside of Azure. You could enable virtual network integration for your web app; this restricts your web app's access to a private network. Then you could deploy a DNS server in the same VNet that the web app is integrated with. You could create an A record in your DNS zone pointing to your service's public IP, then add the DNS server's IP address to the DNS servers of the integrated web app VNet in the portal. If so, the web app could resolve this public IP via a custom DNS server.

Hope this could help you.

Nancy
  • Thanks for the answer! I think you misunderstood me. I'm not looking to reach a VM in a different virtual network, but another server outside of azure. However, according to the second row in the table you posted, it seems like DNS Private Zones are able to reach "role instances in different cloud services" which is what I am looking to do. I have not been able to make this work though. Perhaps it's some config that I have gotten wrong... – Chairbench Jul 19 '19 at 12:41
  • Are your asp.net services hosted on an Azure VM or on Azure App Service? Maybe I misunderstood that it's on App Service. If you are hosting asp.net services on an Azure VM and you want this service to be able to resolve the public IP outside of Azure, this is quite simple, since you can do almost everything on an Azure VM that you can on your on-premises physical machine, such as just editing the hosts file on the Azure VM? – Nancy Jul 22 '19 at 07:16
  • No it's not on a VM, it's a web app so I am unable to edit the host file. – Chairbench Jul 22 '19 at 07:34
  • So, you could refer to my reply. It is for Azure App Service name resolution to a public IP outside of Azure. Or, more simply, you can add a new variable “WEBSITE_DNS_SERVER” and set the value to the IP 8.8.8.8 (public Google DNS) in your web app service to help resolve the public IP. Refer to http://www.road4cloud.com/how-to-change-dns-server-setting-for-azure-web-app-app-service-environment/ and https://blogs.msdn.microsoft.com/waws/2017/07/24/networking-related-commands-for-azure-app-services/ – Nancy Jul 22 '19 at 07:49
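The two answers above describe the same pattern from two sides: a DNS server reachable from the integrated VNet that holds A records mapping the legacy hostnames to the on-premises public IP (Nancy's answer), and the WEBSITE_DNS_SERVER / WEBSITE_DNS_ALT_SERVER / WEBSITE_VNET_ROUTE_ALL settings plus the Nameresolver.exe check that point the web app at it (Dillon Brown's answer). The following is an added example written for this page, not code from the question, either answer, or Microsoft: a minimal UDP DNS responder for one private zone, a raw-socket lookup that does what `Nameresolver.exe <host> <server>` does from the Kudu console, and a helper that produces the app settings for that server. The zone name `legacy.example.internal`, the public IP 203.0.113.10 and the private IPs 10.0.1.4/10.0.1.5 are constructed sample values. The responder answers only for its own zone and returns REFUSED for anything else, so it cannot be abused as an open resolver if it is ever exposed more widely than the integration subnet.

```python
"""Added example (not from the original question or answers): a minimal DNS
responder for a private zone whose A records point at public IPs, a raw client
used to verify resolution the way Nameresolver.exe does in the Kudu console,
and the App Service settings that steer a VNet-integrated web app at it.
All hostnames and IP addresses below are constructed sample data."""
import ipaddress
import socket
import struct
import threading

# Constructed sample zone: private names -> public IP of the on-prem IIS box.
ZONE_SUFFIX = "legacy.example.internal"
ZONE = {
    "soap1.legacy.example.internal": "203.0.113.10",
    "soap2.legacy.example.internal": "203.0.113.10",
}
AZURE_DEFAULT_DNS = "168.63.129.16"  # Azure-provided recursive resolver


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels (RFC 1035 3.1)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read a name at `off`, following one level of compression pointers."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A/IN query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(query: bytes) -> bytes:
    """Answer from ZONE only; NXDOMAIN inside the zone, REFUSED outside it."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    key = qname.lower()
    if not key.endswith(ZONE_SUFFIX):  # not ours: refuse, don't recurse
        return struct.pack("!HHHHHH", txid, 0x8005, qdcount, 0, 0, 0) + question
    if key not in ZONE or (qtype, qclass) != (1, 1):  # QR|AA, RCODE=3
        return struct.pack("!HHHHHH", txid, 0x8403, qdcount, 0, 0, 0) + question
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ZONE[key])
    return struct.pack("!HHHHHH", txid, 0x8400, qdcount, 1, 0, 0) + question + rr


def parse_a_records(resp: bytes):
    """Return (rcode, [ipv4 strings]) from a DNS response."""
    _txid, flags, qd, an = struct.unpack("!HHHH", resp[:8])
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1:
            ips.append(socket.inet_ntoa(resp[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, ips


def start_server(host: str = "127.0.0.1", port: int = 0) -> int:
    """Serve ZONE over UDP on a daemon thread; returns the bound port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))

    def loop():
        while True:
            data, peer = sock.recvfrom(512)
            try:
                sock.sendto(build_response(data), peer)
            except (IndexError, struct.error, UnicodeDecodeError):
                pass  # malformed packet: drop it rather than crash the server

    threading.Thread(target=loop, daemon=True).start()
    return sock.getsockname()[1]


def resolve(qname: str, server: str, port: int = 53, timeout: float = 2.0):
    """Equivalent of `Nameresolver.exe <hostname> <dns-server>`: (rcode, ips)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, port))
        resp, _ = s.recvfrom(512)
    return parse_a_records(resp)


def app_service_dns_settings(primary: str, alt: str = None, route_all: bool = True) -> dict:
    """App settings that send a VNet-integrated web app's lookups to `primary`."""
    for ip in (primary, alt):
        if ip is not None:
            ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    settings = {"WEBSITE_DNS_SERVER": primary}
    if alt:
        settings["WEBSITE_DNS_ALT_SERVER"] = alt
    if route_all:
        settings["WEBSITE_VNET_ROUTE_ALL"] = "1"
    return settings


if __name__ == "__main__":
    p = start_server()
    print(resolve("soap1.legacy.example.internal", "127.0.0.1", p))
    print(resolve("www.example.com", "127.0.0.1", p))
    print(app_service_dns_settings("10.0.1.4", "10.0.1.5"))
```

In a real deployment the responder's role is played by a DNS server (BIND, Windows DNS, dnsmasq) on a VM in the integrated VNet, configured to forward everything outside the private zone to 168.63.129.16 so the web app keeps resolving public and Azure names; the NSG on that VM should admit UDP/TCP 53 only from the App Service integration subnet. The `resolve` call is the same check as step 4 of the first answer: a timeout there means the web app cannot reach port 53 on the server, not that the record is missing.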