DeGreytJurgen-9620 asked msrini-MSFT answered

The concept of privatelink.database.windows.net

Please help me in my quest for knowledge...
I am trying to achieve DNS resolution for services in Azure from on-prem. We have a hub-and-spoke architecture within Azure. We have a central hub, which has a DNS forwarder installed. This DNS forwarder forwards all DNS queries to 168.63.129.16. We created a conditional forwarder on our on-prem DNS servers to forward all requests for database.windows.net to the DNS forwarder in Azure.
All as explained in the following article: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns
We have created private links for our SaaS deployments within the spokes. As we have a multitude of SaaS deployments, we have many different privatelink.database.windows.net DNS zones, while we can only link one privatelink.database.windows.net zone to our hub vNet where the forwarder lives. So using this procedure we can only resolve records from a single default private DNS zone, while we should be able to resolve all the required ones.

From there the idea came to create a custom Private DNS zone for each project. The private DNS name would then be project.company.xyz. On-prem we would create a single conditional forwarder which forwards all queries for company.xyz to the DNS forwarder in Azure. All would be resolved as expected; however, this does not work because the custom domain is not represented in the TLS certificate, hence failing to connect to the private IP: https://journeyofthegeek.com/2020/03/06/azure-private-link-and-dns-part-2/ see scenario 6.

I have read many articles over the last couple of days around the concepts of Private DNS zones, Private Links and Private Endpoints, however I am failing to fully understand the complete picture. It seems to me that it would be logical that privatelink.database.windows.net can only be linked once, because the zone has to be unique, which it isn't. I would also presume that the zone privatelink.database.windows.net can only be resolved from within the vNet to which it belongs, hence why a unique custom Private DNS zone needs to be created.

Tags: azure-dns, azure-private-link

1 Answer

msrini-MSFT answered

@DeGreytJurgen-9620 ,

The recommendation is to deploy one Private DNS Zone for "database.windows.net" and link all the VNETs to the zone created. By doing that you will maintain all the records in a centralized manner and it will help you to resolve IPs across all the VNETs.

Also, you cannot use a custom domain name with PE as of today. You need to use the Azure-provided custom FQDN so that you can resolve the FQDN to the PE IP.

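The setup the question describes (on-prem conditional forwarder to a hub forwarder that queries 168.63.129.16) combined with the answer's recommendation (a single shared zone linked to every VNet) can be put together as below. This is an added example written for this page, not code from either participant or from Microsoft; it uses the zone name privatelink.database.windows.net from the Microsoft article linked in the question. Resource group names, VNet names, the private endpoint name, the forwarder address 10.0.0.4 and the server name sql-project-a are all assumptions. The security-relevant check is the last step: if the shared zone is not linked to the VNet where the forwarder lives, 168.63.129.16 falls back to public DNS and returns the server's public IP, and clients silently leave the private path; the check flags that as IsPrivate = False.

```powershell
# Added example (not from the original thread). Requires the Az.PrivateDns, Az.Network
# and DnsServer modules. Every name, IP and resource group below is an assumption.

$rg       = 'rg-hub-dns'                        # assumed: RG holding the shared zone
$zoneName = 'privatelink.database.windows.net'  # one zone per service, shared by all VNets
$vnets    = @(
    @{ Name = 'vnet-hub';     Rg = 'rg-hub' }      # assumed hub hosting the DNS forwarder
    @{ Name = 'vnet-spoke-a'; Rg = 'rg-spoke-a' }  # assumed spoke with a private endpoint
    @{ Name = 'vnet-spoke-b'; Rg = 'rg-spoke-b' }
)

# 1. Exactly one privatelink zone for Azure SQL across the whole hub-and-spoke.
$zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
}

# 2. Link that single zone to the hub (whose forwarder queries 168.63.129.16) and every spoke.
#    A private zone can carry many VNet links; each link name must be unique within the zone.
foreach ($v in $vnets) {
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $v.Rg -Name $v.Name
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
        -Name "link-$($v.Name)" -VirtualNetworkId $vnet.Id | Out-Null
}

# 3. Let each private endpoint register its own A record in the shared zone through a
#    DNS zone group, so records are not maintained by hand per project.
$peName = 'pe-sql-project-a'   # assumed: existing private endpoint in spoke A
$peRg   = 'rg-spoke-a'
$cfg = New-AzPrivateDnsZoneConfig -Name 'privatelink-database-windows-net' `
        -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $peRg -PrivateEndpointName $peName `
        -Name 'default' -PrivateDnsZoneConfig $cfg | Out-Null

# 4. On the on-prem Windows DNS server: forward the public parent zone (not the
#    privatelink zone) to the forwarder VM in the hub. The public CNAME from
#    <server>.database.windows.net to <server>.privatelink.database.windows.net is
#    what lets the Azure resolver answer from the linked private zone.
$azureForwarder = '10.0.0.4'   # assumed: DNS forwarder VM in vnet-hub
Add-DnsServerConditionalForwarderZone -Name 'database.windows.net' `
        -MasterServers $azureForwarder -ReplicationScope 'Forest'

# 5. Verify from on-prem: the public name must CNAME into privatelink and end in an
#    RFC 1918 address. A public address here means the zone link is missing or the
#    forwarder is not using 168.63.129.16.
function Test-PrivateEndpointResolution {
    param([string]$Fqdn, [string]$Server)
    $answers = Resolve-DnsName -Name $Fqdn -Server $Server -Type A
    $cname = $answers | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $a     = $answers | Where-Object { $_.Type -eq 'A' }     | Select-Object -First 1
    $isPrivate = $a -and ($a.IPAddress -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')
    [pscustomobject]@{
        Fqdn      = $Fqdn
        Cname     = if ($cname) { $cname.NameHost } else { $null }
        Address   = if ($a) { $a.IPAddress } else { $null }
        IsPrivate = [bool]$isPrivate
    }
}

Test-PrivateEndpointResolution -Fqdn 'sql-project-a.database.windows.net' -Server $azureForwarder
```

Run steps 1 to 3 with an Azure context, step 4 on the on-prem DNS server, and step 5 from any on-prem client. Step 5 is worth keeping as a recurring check: a new spoke that is peered but never linked to the shared zone resolves the public IP without any error, and only the IsPrivate field reveals it.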