
I’m thrilled to say that a feature I’ve wanted added to Azure Private DNS for about a year is now available. DNS lookups against your private zone that find no matching record can now fall back to public DNS instead of failing. The change is made at the Private DNS Zone level, so you’ll need to edit each Private DNS Zone, check the checkbox, and save the zone.
This means that if you have a Private DNS Zone set up and look up a resource that lives in another tenant (and so has no record in your zone), the lookup will now succeed. Let’s look at an example.
Let’s assume that we have a Private DNS Zone named privatelink.database.windows.net. This zone is linked to your Azure vNet, so any DNS requests for database.windows.net are serviced by this Private DNS Zone. All your Azure SQL DB servers would be listed in this zone, with the private IP addresses of their private endpoints recorded there. This allows users on that vNet to reach the private endpoints that are listening for connections to those Azure SQL DB servers.
Now you get a new vendor who needs you to connect to the public endpoint of their Azure SQL DB server. Without this new setting enabled on the virtual network link, looking up that database server’s IP address would fail, because that server isn’t in your Private DNS Zone. With the setting enabled, you can resolve your vendor’s database server automatically without adding their server to your Private DNS Zone.
This can also be set through PowerShell, using the Set-AzPrivateDnsVirtualNetworkLink cmdlet with the -ResolutionPolicy parameter set to “NxDomainRedirect”. I couldn’t get the cmdlets to accept pipelining, but I was able to put together this PowerShell script that pushes the change to every virtual network link on every Private DNS Zone in your subscription in one go.
# Requires the Az.PrivateDns module and an existing Connect-AzAccount session
$zones = Get-AzPrivateDnsZone
foreach ($zone in $zones) {
    # A zone can have several virtual network links; the resolution policy is set per link
    $links = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $zone.ResourceGroupName -ZoneName $zone.Name
    foreach ($link in $links) {
        Set-AzPrivateDnsVirtualNetworkLink -Name $link.Name -ResourceGroupName $zone.ResourceGroupName -ZoneName $zone.Name -ResolutionPolicy NxDomainRedirect
    }
}
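Before switching every link, it is worth knowing which links are still on the default policy, and being able to preview the change. The script below is an added example, not part of the original post: it audits every virtual network link under every Private DNS Zone in the current subscription, reports each link’s current policy, and only changes links when run with -Apply (with -WhatIf honoured). It assumes the Az.PrivateDns module is installed, that Connect-AzAccount has already been run, and that the link objects returned by Get-/Set-AzPrivateDnsVirtualNetworkLink expose a ResolutionPolicy property (an assumption on my part); the -ZoneFilter parameter and its privatelink.* default are my own additions.

```powershell
# Added example (not from the original post): audit, and optionally switch,
# the resolution policy on every virtual network link of every Private DNS Zone.
# "Default"          -> a miss in the private zone returns NXDOMAIN
# "NxDomainRedirect" -> a miss in the private zone falls back to public DNS
# Assumes: Az.PrivateDns installed, Connect-AzAccount already run, and that the
# link object has a ResolutionPolicy property (assumption).
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply,                        # without -Apply the script only reports
    [string]$ZoneFilter = 'privatelink.*'  # limit to privatelink.* zones by default (hypothetical default)
)

$report = foreach ($zone in Get-AzPrivateDnsZone | Where-Object Name -like $ZoneFilter) {
    $links = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $zone.ResourceGroupName -ZoneName $zone.Name
    foreach ($link in $links) {
        $current = $link.ResolutionPolicy

        # Only touch links that are not already redirecting, and respect -WhatIf / -Confirm
        if ($Apply -and $current -ne 'NxDomainRedirect' -and
            $PSCmdlet.ShouldProcess("$($zone.Name)/$($link.Name)", 'Set ResolutionPolicy to NxDomainRedirect')) {
            $link = Set-AzPrivateDnsVirtualNetworkLink -Name $link.Name `
                -ResourceGroupName $zone.ResourceGroupName -ZoneName $zone.Name `
                -ResolutionPolicy NxDomainRedirect
            $current = $link.ResolutionPolicy   # re-read the policy from the returned object
        }

        # One row per link so the result can be filtered, sorted or exported
        [pscustomobject]@{
            Zone             = $zone.Name
            ResourceGroup    = $zone.ResourceGroupName
            Link             = $link.Name
            ResolutionPolicy = $current
        }
    }
}

# Report first; e.g. pipe to Where-Object ResolutionPolicy -ne 'NxDomainRedirect' to see what is left
$report | Sort-Object Zone, Link | Format-Table -AutoSize
```

Run it without parameters to get the inventory, then with -Apply -WhatIf to see exactly which links would change, and finally with -Apply. One thing to keep in mind when reviewing the report: once a link is on NxDomainRedirect, a name that is missing from the private zone (for example a private endpoint whose A record was never registered) no longer fails, it quietly resolves to the service’s public address. Checking from a VM on the vNet with Resolve-DnsName that your own SQL servers still return their private IPs after the change is a cheap way to confirm nothing has started going out the public path.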
Denny
