0

Azure Private DNS Resolver is a SaaS that provides DNS. Once the resource is created, VNet links can be added to the VNet of the resource to make it available to the linked VNets.

My question is: In a hub-spoke topology, where the DNS of all spoke VNets is configured to point at a routing appliance in the hub, and the VNet which holds the routing appliance has a VNet link to a DNS forwarding ruleset, do I need to create a VNet link to a DNS forwarding ruleset for all spoke VNets, or is the one hub VNet link enough (because all DNS traffic is routed through there)?

e.g.: spoke1-hub1

Spoke1 has DNS configured on its VNet as the IP address of the firewall in hub1. The hub1 firewall has Azure-provided DNS configured and a VNet link to the Private DNS Resolver.

MyName
  • 180
  • 1
  • 2
  • 19

1 Answer

0

AFAIK, Private DNS Resolver in a Hub and Spoke model makes sense to use when you resolve onPrem-2-Cloud (and vice versa) DNS Zones. As written in the documentation, it is the recommended design approach to use Inbound/Outbound Subnets, Forwarding Rule sets and Ruleset Links. => In this scenario, Private DNS Zones and Azure Provided DNS will be resolved by the inbound endpoint. IMHO the Subnets should be placed behind the firewall if Azure Egress and Ingress should be inspected.

If you use Azure Firewall as DNS Proxy (with DNS Proxy enabled), Azure Firewall should be able to resolve Azure Provided DNS (Default DNS Server) and Private DNS Zones (e.g. private links in your VNETs and the Private DNS Zone linked to the Hub, where the firewall resides). You must configure Azure Firewall as DNS Proxy in your services (or, as in your case, via routing in a UDR). Link

In both cases VNet peering is required. My suggestion is: use Private DNS Zones for your private links. As I understood from your scenario, you use a cloud-only hub-and-spoke model, with no on-prem connectivity?

Mario Dietner
  • 566
  • 2
  • 9
  • I need to resolve both on-prem DNS entries and Azure private addresses. I'm mostly wondering if I can just have the one VNet link (from the firewall VNet) to the private resolver ruleset and forward all the DNS traffic through there. This way, I don't have to manage all the different VNet links for all the linked VNets. – MyName May 02 '23 at 11:54
  • 1
    What do you mean by the VNet Link to the private resolver? => Do you mean the Ruleset link in the Hub VNet, where the Firewall is deployed? IMHO "per se" it should not work, because there is no documentation to be found about whether Azure Firewall will try to resolve with Private Resolver by using Azure provided DNS. Maybe you can try the following: set Azure Firewall with a Custom DNS Resolution and put in both the IP Address of the inbound endpoint and the Azure DNS Virtual Server IP Address (168.63.129.16). But I haven't tried this approach myself. – Mario Dietner May 02 '23 at 12:23
  • That's exactly what I meant Mario: do I need to link all my spoke VNets to a DNS forwarding ruleset, or is the one VNet link to the hub VNet enough since all DNS traffic is routed through there? – MyName May 02 '23 at 12:35
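The thread above turns on one question: which VNet does a forwarded query reach Azure DNS from, and does that VNet carry a ruleset link? The following audit script is an added example, not code from the question, the answer or Microsoft. It consumes constructed samples shaped like `az network vnet list -o json` (`name`, `id`, `addressSpace.addressPrefixes`, `dhcpOptions.dnsServers`) and `az dns-resolver vnet-link list -o json` (`virtualNetwork.id`), follows each VNet's DNS setting through any in-Azure appliance to Azure DNS (168.63.129.16), and reports whether the VNet the query finally leaves from is linked to the ruleset. The modelling assumption, labelled in the code, is that forwarding rules are evaluated on the VNet from which a query arrives at Azure DNS, so a spoke whose DNS points at a hub appliance that uses Azure-provided DNS is covered by the hub link; a spoke left on default DNS with no link of its own is not. The `appliance_upstream` mapping is a hypothetical parameter for modelling an appliance configured with a custom upstream, as in Mario's suggestion. Treat the output as a checklist to confirm with a lookup from a spoke VM, not as a substitute for that test.

```python
"""Audit which VNets a DNS forwarding ruleset will cover in a hub-spoke design.

Added example. Assumption (not stated on the page): forwarding rules apply to
queries as they reach Azure DNS (168.63.129.16) from a VNet that is linked to
the ruleset, so a query proxied by an appliance in the hub counts as coming
from the hub VNet.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import Optional

AZURE_DNS = "168.63.129.16"  # Azure-provided DNS; ruleset rules are evaluated here

# Constructed sample, trimmed to the fields this audit needs.
_VNET_ID = "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/"
VNETS_JSON = json.dumps([
    {"name": "hub1", "id": _VNET_ID + "hub1",
     "addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
     "dhcpOptions": {"dnsServers": []}},                   # hub uses Azure default DNS
    {"name": "spoke1", "id": _VNET_ID + "spoke1",
     "addressSpace": {"addressPrefixes": ["10.1.0.0/16"]},
     "dhcpOptions": {"dnsServers": ["10.0.1.4"]}},         # firewall/DNS proxy in hub1
    {"name": "spoke2", "id": _VNET_ID + "spoke2",
     "addressSpace": {"addressPrefixes": ["10.2.0.0/16"]},
     "dhcpOptions": {"dnsServers": []}},                   # forgotten: still on default DNS
    {"name": "spoke3", "id": _VNET_ID + "spoke3",
     "addressSpace": {"addressPrefixes": ["10.3.0.0/16"]},
     "dhcpOptions": {"dnsServers": ["192.168.50.10"]}},    # points straight at on-prem DNS
])
# Constructed sample of the ruleset's VNet links: only the hub is linked.
RULESET_LINKS_JSON = json.dumps([
    {"name": "hub1-link", "virtualNetwork": {"id": _VNET_ID + "hub1"}},
])


@dataclass
class Verdict:
    vnet: str
    origin: Optional[str]   # VNet from which the query reaches Azure DNS, or None
    covered: bool           # True when that origin VNet has a ruleset link
    note: str


def _hosting_vnet(ip: str, vnets: list) -> Optional[dict]:
    """Return the VNet whose address space contains ip, if any."""
    addr = ipaddress.ip_address(ip)
    for v in vnets:
        if any(addr in ipaddress.ip_network(p) for p in v["addressSpace"]["addressPrefixes"]):
            return v
    return None


def _origin_vnet(vnet: dict, vnets: list, appliance_upstream: dict):
    """Follow the forwarding chain from a VNet's DNS setting until it hits Azure DNS.

    Only the first configured DNS server is followed. An appliance is assumed to
    forward to Azure DNS unless appliance_upstream maps its IP to another server.
    """
    current = vnet
    ip = (vnet["dhcpOptions"]["dnsServers"] or [AZURE_DNS])[0]
    seen = set()
    while True:
        if ip == AZURE_DNS:
            return current, ""
        host = _hosting_vnet(ip, vnets)
        if host is None:
            return None, f"DNS server {ip} is outside Azure VNet space; ruleset rules never apply"
        if host["name"] in seen:
            return None, "forwarding loop between appliances"
        seen.add(host["name"])
        current, ip = host, appliance_upstream.get(ip, AZURE_DNS)


def audit(vnets_json: str, links_json: str, appliance_upstream: Optional[dict] = None) -> dict:
    """Map each VNet name to a Verdict on whether the ruleset covers its queries."""
    vnets = json.loads(vnets_json)
    linked = {link["virtualNetwork"]["id"].lower() for link in json.loads(links_json)}
    upstream = appliance_upstream or {}
    verdicts = {}
    for v in vnets:
        origin, note = _origin_vnet(v, vnets, upstream)
        if origin is None:
            verdicts[v["name"]] = Verdict(v["name"], None, False, note)
            continue
        covered = origin["id"].lower() in linked
        note = (f"reaches Azure DNS from {origin['name']}: "
                + ("ruleset link present" if covered else "NO ruleset link on that VNet"))
        verdicts[v["name"]] = Verdict(v["name"], origin["name"], covered, note)
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit(VNETS_JSON, RULESET_LINKS_JSON).items():
        print(f"{name:8} covered={verdict.covered!s:5} {verdict.note}")
```

On the sample, `spoke1` is covered through the hub link while `spoke2` (never repointed at the hub appliance) and `spoke3` (pointing at an on-prem server) are not, which is the kind of drift a single-link design has to watch for. Passing `{"10.0.1.4": "192.168.50.10"}` as `appliance_upstream` models the firewall being given an on-prem upstream instead of Azure DNS, and the audit then reports `spoke1` as uncovered too.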