question

KrishanSharma-3845 asked, RaviVarmanMSFT-5919 commented

Resolving spoke database private IP from On-premise using hub and multiple spoke (different subscription) architecture

We are using a hub-spoke architecture with connectivity to on-premises over ExpressRoute. We have a custom DNS server in the hub, and both spokes have a database with a private endpoint enabled. We want to resolve the private IP of the database from on-premises.
The issue is that the hub VNet can only be attached to one privatelink.database.windows.net zone.
How can we attach it to two private DNS zones with the same name?

Please suggest.

azure-private-link

RaviVarmanMSFT-5919 answered

Hi @KrishanSharma-3845

We cannot attach private DNS zones with the same name to the VNets.

Deploy one Private DNS Zone for "privatelink.database.windows.net" in the centralized VNet (i.e. the hub) and link all the VNets to the zone created. This keeps all the records in one central place and lets you resolve the IPs across all the VNets.

You can link a virtual network that belongs to a different subscription to a private zone. You must have write permission on the virtual networks and on the private DNS zone.

Create a conditional forwarder on your on-prem DNS servers to forward all requests for database.windows.net to the DNS forwarder in Azure. In the central hub, have a VM which acts as the DNS forwarder. This DNS forwarder forwards all DNS queries to Azure DNS; since we have entries in the private DNS zone, the IPs will be resolved.

Ref: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns#virtual-network-and-on-premises-workloads-using-a-dns-forwarder

Hope this was helpful. Please let us know in case of any additional questions or concerns.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


KrishanSharma-3845 answered, RaviVarmanMSFT-5919 commented

If I create the privatelink.database.windows.net zone in the hub subscription, then I have to assign the private IP from the hub VNet. So, I guess this is not the right approach. The spoke database should get its private IP from the spoke VNet only.
In the second approach, we need to create the forwarder zone and manually add the private IPs of the databases. Is this the recommended way?


@KrishanSharma-3845

It is not mandatory that, if you create the privatelink.database.windows.net zone in the hub subscription, you have to assign the private IP from the hub VNet. You can have entries for your SQL Server name with the IP from your spoke VNet in the hub private DNS zone, and have a virtual network link to the private DNS zone in the hub VNet.

A specific virtual network can be linked to only one private zone if automatic registration of VM DNS records is enabled. You can however link multiple virtual networks to a single DNS zone.

Auto Registration:
This setting enables automatic creation of DNS records in this Private DNS zone for the virtual machines connected to the virtual network.

**Ref:** https://docs.microsoft.com/en-us/azure/dns/private-dns-overview#other-considerations
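The layout the answer and the follow-up comment describe, as an added PowerShell example (not code from the thread or from Microsoft's docs): one privatelink.database.windows.net zone in the hub subscription, a spoke VNet from another subscription linked to it with auto-registration left off, the spoke's private endpoint writing its own A record into the hub zone, and the on-premises conditional forwarder. Subscription IDs, resource group, VNet, endpoint names and the forwarder VM IP are placeholders; the private DNS zone group in step 3 is a way to avoid adding the endpoint's IP by hand.

```powershell
# Placeholders for this example; replace with your own values.
$hubSub   = "<hub-subscription-id>"
$spokeSub = "<spoke-subscription-id>"
$hubRg    = "rg-hub-dns"
$zoneName = "privatelink.database.windows.net"

# 1. Exactly one zone for the privatelink name, in the hub subscription, linked to the hub VNet.
Set-AzContext -SubscriptionId $hubSub | Out-Null
$zone    = New-AzPrivateDnsZone -ResourceGroupName $hubRg -Name $zoneName
$hubVnet = Get-AzVirtualNetwork -ResourceGroupName "rg-hub-net" -Name "vnet-hub"
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $hubRg -ZoneName $zoneName `
    -Name "link-hub" -VirtualNetworkId $hubVnet.Id | Out-Null

# 2. Link a spoke VNet that lives in a different subscription. This needs write permission
#    on both the VNet and the zone. Auto-registration stays off: a VNet can auto-register
#    into only one zone, and private endpoint records are not VM records anyway.
Set-AzContext -SubscriptionId $spokeSub | Out-Null
$spokeVnet = Get-AzVirtualNetwork -ResourceGroupName "rg-spoke1-net" -Name "vnet-spoke1"
Set-AzContext -SubscriptionId $hubSub | Out-Null
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $hubRg -ZoneName $zoneName `
    -Name "link-spoke1" -VirtualNetworkId $spokeVnet.Id -EnableRegistration:$false | Out-Null

# 3. Let the spoke's private endpoint write its own A record (the spoke-side IP) into the
#    hub zone, so the record follows the endpoint instead of being maintained manually.
Set-AzContext -SubscriptionId $spokeSub | Out-Null
$zoneConfig = New-AzPrivateDnsZoneConfig -Name "sql-zone" -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName "rg-spoke1-data" -PrivateEndpointName "pe-sql-spoke1" `
    -Name "default" -PrivateDnsZoneConfig $zoneConfig | Out-Null

# 4. On the on-premises Windows DNS server: forward database.windows.net to the hub forwarder
#    VM (placeholder IP 10.0.0.4), which itself forwards to Azure DNS at 168.63.129.16.
#    Forward the parent name, not the privatelink name, because the public CNAME chain for
#    <server>.database.windows.net ends in privatelink.database.windows.net.
Add-DnsServerConditionalForwarderZone -Name "database.windows.net" `
    -MasterServers "10.0.0.4" -ReplicationScope "Forest"
```

Repeat step 2 and step 3 per spoke; every spoke's record then sits in the single hub zone that the on-premises forwarder chain reaches.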