
I’m totally confused with Azure, Private Endpoints, and private DNS zones experience.

When operating in a hub-and-spoke architecture, all the private DNS zones are pre-populated in the hub subscription.

[Screenshot: Private DNS Zones]

I have:

  • Owner privileges over the resource group where the private DNS zones reside
  • I have owner permissions over the spoke subscription, where I want to create a storage account

Now, here’s my confusion. I don’t know if it’s me, or again another example of MSFT brilliancy, but when I create a Storage Account (in the bespoke spoke subscription) I select:

Disable Public Access

I want the Storage Account to be Private Endpoint enabled, and HERE’S THE PROBLEM. Naturally, I would want to use the privatelink.blob.core.windows.net private DNS zone that is already created in the hub subscription, but there’s NO WAY to select it! If I proceeded with the option selected, it would create a NEW private DNS zone for the Storage Account blob sub-resource type, in the resource group of the actual VNet …

[Screenshot: Private DNS integration]

With this, the central DNS resolution will of course not work.

However, when I navigate to an existing Storage Account, I CAN THEN point to the subscription and rsg that is containing all my private DNS zones!

[Screenshot: Select existing private DNS zones]

Why is this a big deal? I’d like to enforce Azure Policies that would deny PaaS resources with public access enabled. Since the creation of such resources would fail, application team owners would have to create private endpoints for the service to be accessible. At the same time, I don’t want them to follow the above steps, where they would create private DNS zones within their subscription and start raising tickets that they can’t connect to it afterwards. So I would put another policy in place that would deny creation of private DNS zones prefixed with privatelink (and just exclude the resource group in the hub subscription, since there it is even anticipated that private DNS zones are created).

So with this in place, they would have to first create the storage account with a) public access disabled, b) Integrate with private DNS zone set to No, and afterwards, once the resource is created, add the private endpoints that would integrate with the hub’s private DNS zones. And yes, that works, but WHY can’t the creation wizard let me do this at creation time?

Anyone to share their experience with this, or perhaps correct me if I’m misunderstanding something?

user211245

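The two-step procedure described in the question (storage account with public access disabled first, private endpoint wired to the hub zone afterwards) can be done in a single deployment at the ARM layer, because the DNS registration is its own sub-resource (a private DNS zone group on the private endpoint) that accepts any zone by resource ID. The following Bicep template is an added example, not code from the original post; the parameter names hubSubscriptionId, hubDnsResourceGroup and subnetId are assumptions, while the zone name is the one the post names.

```bicep
// Added example, not from the original post. Assumed parameters: hubSubscriptionId,
// hubDnsResourceGroup, subnetId; the zone name is the one named in the post.
param location string = resourceGroup().location
param storageAccountName string
param hubSubscriptionId string    // subscription holding the central privatelink.* zones
param hubDnsResourceGroup string  // resource group in the hub that holds them
param subnetId string             // spoke subnet the private endpoint NIC lands in

// The hub's existing zone, referenced across subscriptions by scope rather than created.
resource hubBlobZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
  name: 'privatelink.blob.core.windows.net'
  scope: resourceGroup(hubSubscriptionId, hubDnsResourceGroup)
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    publicNetworkAccess: 'Disabled'    // the state a "deny public access" policy requires
    allowBlobPublicAccess: false
    networkAcls: { defaultAction: 'Deny' }
  }
}

resource blobPe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${storageAccountName}-blob-pe'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: { privateLinkServiceId: storage.id, groupIds: [ 'blob' ] }
      }
    ]
  }
}

// The zone group is the part the portal wizard hides at creation time: it registers the
// endpoint's A record in the hub zone, so no privatelink zone is created in the spoke.
resource blobPeDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: blobPe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [ { name: 'blob', properties: { privateDnsZoneId: hubBlobZone.id } } ]
  }
}
```

The identity running the deployment needs write access to the hub zone (for example the built-in Private DNS Zone Contributor role on the hub resource group), which is why the Owner rights over that resource group matter; a deny policy on privatelink-prefixed zones outside the hub resource group still lets this template through, since it only reads the hub zone and writes the endpoint's record into it.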