Azure Private DNS allows DNS resolution across Azure virtual networks and hybrid scenarios. It provides name resolution for private domains within and between Azure virtual networks. The solution demonstrated used Azure Private DNS zones to enable name resolution across multiple virtual networks in a hub-spoke topology, including resolution between an on-premises network and Azure virtual networks. DNS forwarders were used to resolve names from on-premises to the Azure DNS system. While the solution addressed many scenarios, Azure Private DNS has limitations including supporting a single registration network per zone and conditional forwarding.

1. Azure Private DNS
Private DNS in Complex Azure Environments with Azure DNS
Antoine Seignard, Marius Zaharia

2. A BIG thank you to the 2019 Global Sponsors!

3. www.azug.fr
© 2019 AZUG FR. All Rights Reserved.
3
Agenda
• Recall – DNS
• Azure DNS
• Azure Private DNS
• Contexte & Scenario
• Solution & Demo
• "REX"/Feedback
• Conclusion

4. www.azug.fr
© 2019 AZUG FR. All Rights Reserved.
4
Meet the Team
Un enthousiaste du cloud, qui aime aider
les gens à sortir de l'informatique plutôt
traditionnelle en proposant des chemins
pour adopter les bons réflexes du Cloud
Public et accélérer la transformation.
Antoine Seignard
Azure DevOps, Société Générale
Azure MVP & Advisor
Community Manager, AZUG FR
Marius Zaharia
Azure Tech Lead, Société Générale
www.linkedin.com/in/mzaharia/
lecampusazure

5. Azure DNS

6. 6
Recall – DNS
• DNS (Domain Name System) resolves the names
of internet sites with their underlying IP
addresses
• Public DNS / Private DNS
EX: www.example.com => 12.34.56.78 (IPv4)
• DNS Servers :
• (Recursive) Resolver /
• Root Domain /
• Top Level Domain (TLD) /
• Autoritative nameserver A DNS workflow
Credit: cloudflare.com

7. 7
Recall – DNS (2)
• IP vs FQDN
• Registrar
• DNS Zone
• DNS Records
• A
• AAAA
• CNAME
• PTR
• NS
• MX
• SRV
• TXT
• …
>nslookup www.google.com
Serveur : UnKnown
Address: fe80::a63e:51ff:fe7a:6dc6
Non authoritative answer:
Name: www.google.com
Addresses: 2a00:1450:4007:80c::2004
216.58.209.228

8. 8
Azure DNS
• Azure DNS: hosting service for DNS domains that provides name
resolution by using Microsoft Azure infrastructure.
• Manage your DNS records by using the same credentials, APIs, tools, and billing as other Azure services
Benefits
• Managed service
• RBAC
• Activity logging
• Resource locking
• Azure DNS supports all common DNS record types:
A, AAAA, CAA, CNAME, MX, NS, PTR, SOA, SRV, and TXT

9. 9
Azure DNS Delegation
• Delegate the DNS resolution
responsibility to specific name
servers
• In the registrar's DNS
management page, edit the NS
records and replace the NS
records with the Azure DNS
name servers

10. 10
Azure DNS for private domains
• Use our own custom domain names rather than the
Azure-provided names, in private network space
• Service in public preview today
Benefits
• Managed service
• Automatic hostname record management
• Hostname resolution between virtual networks
• Split-horizon DNS support

11. 11
Azure DNS for private domains
Concepts
• Resolution virtual networks: VNETs that are allowed to resolve records within
the zone
• Registration virtual network: a VNET for which Azure DNS maintains hostname
records whenever a VM is created, changes IP, or is deleted
Other capabilities
• Reverse DNS lookup is supported within the virtual-network scope

12. 12
Azure DNS Private Zones scenarios
• Scenario: Name Resolution scoped to a single virtual network

13. 13
Azure DNS Private Zones scenarios
• Scenario: Name Resolution across virtual networks

14. 14
Azure DNS Private Zones scenarios
• Scenario: Split-Horizon

15. Context and Scenario

16. 16
Context and Scenario
Enteprise context:
• Existing (legacy) IT infrastructure (on-premises)
• Additional (new) infrastructure in the Azure cloud
• Hybrid cloud connection, via VPN or ExpressRoute
• Multiple applications in the Cloud
• Multiple VNETs
• Hub & Spoke network topology
• DNS resolution necessary across VNETs
• DNS resolution necessary between on-prem
and cloud
Hub & Spoke VNET topology

17. Solution

18. 18
Solution - Architecture
Hub vnet
Front VM
Client VM
Local IS
App 1 vnet
Forwarder DNS
Hub DNS zone
App DNS zone
Local LAN
ExpressRoute
App 2 DNS zone
Azure
App n DNS zone

19. DEMO

20. 20
Demo scenario
hub-vnet
vm-lin-dns1
vm-lin-web01
vm-web-rdp
local-vnet
app-vnet
vm-lin-dns0
10.0.20.0/24
10.0.10.0/24
10.0.30.0/24
hub.gab2019.local
app.gab2019.local
local.gab2019.local

21. 21
Solution configuration
• Azure resources
• VNETs + peerings
• 3 vnets
• Hub-vnet
• Local-vnet
• App-vnet
• Spoke vnets are connected to the hub
vnet
• Azure DNS Private zones
• Each vnet is hosting a Azure private DNS
zone
• Forwarder DNS servers (IaaS)
• 2 DNS Forwarder in 1 avset
• Test / Demo VMs
• 1 client Windows VM on the local-vnet
• 1 Linux Apache server on the app-vnet
• DNS Forwarder
• Bind server
• Forward all requests to Azure main
DNS service (168.63.129.16)
• Custom DNS Zones
• hub.gab2019.local
• local.gab2019.local
• app.gab2019.local
• www.app.gab2019.local

22. “REX”
Azure DNS

23. 23
Service limitations (as of today)
• Only one registration virtual network is
allowed per private zone
• Up to 10 resolution VNETs allowed per
private zone (preview limit)
• Reverse DNS works only for private IP
space in the registration VNET.
• Reverse DNS for a private IP that isn't
registered in the private zone returns
internal.cloudapp.net as the DNS suffix.
•
• The VNET must be completely empty the first time
you link it
• However, the virtual network can then be non-empty for
future linking as a registration or resolution virtual
network, to other private zones.
• VM record not viewable or retrievable from the
Azure Powershell and Azure CLI APIs.
• They are indeed registered and will resolve successfully.
• Currently, conditional forwarding is not supported
• DNS delegation is not supported (in private DNS)
• Creation only via scripts
• DNSSEC not supported

24. 24
Our feedback
• For a full Azure environment the solution does not need any VM
• Records management via the portal makes management easier
• Create records using the Azure API: allows for more industrialized management
• No zone file to manage
• Today the service is not hyper scalable
• DNS Forwarder VM needed in hybrid scenarios
• Flat zone model only

25. Conclusion

26. 26
Conclusion
PROS
• Very good time-to-market, as a fully managed service
• Azure DNS addresses a large number of simple DNS scenarios
• Specific features like VM autoregistration augment productivity
CONS
• Service not completely mature as today
• Hybrid complex scenarios require more investment

27. www.azug.fr
© 2019 AZUG FR. All Rights Reserved.
27
Merci à nos sponsors
LOCAUX

28. Sponsors internationaux

29. www.azug.fr
© 2019 AZUG FR. All Rights Reserved.
29
Nous suivre
Facebook
facebook.com/groups/azugfr/
Twitter
twitter.com/AZUGFR
Meetup
meetup.com/AZUG-FR/
LinkedIn
https://www.linkedin.com/groups/8315615
Web
www.azug.fr

30. Merci
d’être venus
A bientôt !