0 Votes
AmyZ-5475 asked PramodValavala-MSFT edited

Is Azure Private DNS the only way to solve internal FQDN resolution

Hi, we want to know if setting up an Azure Private DNS in our VNET is the only way to resolve the on-premises backend, which cannot be resolved by the default Azure DNS.

Our environment and attempts:

Backend: Dynamics Navision (on-premises), installed on an AWS EC2 instance in a private network.

Test 1: Use FQDN
Result: The remote name could not be resolved : navstg.mycompany.com

Test 2: Use IP - default
Result: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure https://10.123.4.56:10748

Test 3: Use IP on APIM, disable Validate certificate chain
Result: pass, but might be insecure (already consulted [here][1])

Test 4: Use IP on APIM, enable Validate certificate chain, install the certificate provided by the backend team
Result: Same as Test 2
We guess the failure comes from the mismatch between the IP and the CNAME on the certificate.
![118539-image.png][2]

It looks like an IP, especially an internal IP, cannot be used to apply for a CA certificate, so we need to go back to Test 1 and try to solve the DNS problem.
[1]: https://docs.microsoft.com/en-us/answers/questions/491411/is-disabling-validate-certificate-chain-safe.html
[2]: /answers/storage/attachments/118539-image.png

Since our backends are hybrid, with internal on-premises systems and external cloud systems, if we have an Azure Private DNS, does that mean we need to maintain both internal and external mappings? We are not sure of the effort involved. Or do any of you experts have other thoughts on this problem?

Any advice and suggestions will be greatly appreciated.

Thank you

azure-api-management azure-dns

1 Answer

0 Votes
PramodValavala-MSFT answered

@AmyZ-5475 Azure Private DNS is one way to control name resolution for resources in Azure virtual networks. You can use your own DNS server as well.

Note that this requires your Azure resources to be configured to use the VNET. IaaS resources like VMs are already inside a VNET, but PaaS services like Web Apps will require configuration.

In the case of APIM, you will have to deploy it inside a VNET for it to leverage your DNS servers.
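As an added example (not from the question or the answer above), the Python below models what the four tests run into: a client that connects by IP literal cannot match a certificate issued to navstg.mycompany.com (Tests 2 and 4), and disabling chain validation (Test 3) only hides that, while a client that resolves the FQDN through a private zone connects to the same 10.123.4.56 with the name check passing (Test 1 once DNS works). The certificate dict is constructed in the shape ssl.SSLSocket.getpeercert() returns and the zone dict is a constructed stand-in for Azure Private DNS or a custom DNS server; nothing goes over the network.

```python
import ipaddress
from typing import Tuple

# Constructed stand-in for what ssl.SSLSocket.getpeercert() returns for the
# backend certificate: issued to the FQDN only, with no IP-address SAN entry.
BACKEND_CERT = {"subjectAltName": (("DNS", "navstg.mycompany.com"),)}

# Constructed stand-in for a private DNS zone (or custom DNS server) that
# maps the internal name to its private address.
PRIVATE_ZONE = {"navstg.mycompany.com": "10.123.4.56"}

def _dns_name_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a single leading '*' covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def cert_matches(cert: dict, target: str) -> bool:
    """True if target (FQDN or IP literal) is covered by the cert's SANs. Like a
    real TLS client: IP literals only match 'IP Address' SANs, hostnames only
    match 'DNS' SANs, and the subject CN is ignored."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and _dns_name_match(value, target):
            return True
    return False

def plan_connection(target: str, zone: dict, cert: dict) -> Tuple[str, bool]:
    """Resolve target as a client using the private zone would; return the
    address it connects to and whether certificate name validation passes.
    Raises LookupError when the name cannot be resolved (the Test 1 error)."""
    try:
        ipaddress.ip_address(target)
        address = target  # IP literal: nothing to resolve, but no DNS SAN match
    except ValueError:
        if target not in zone:
            raise LookupError(f"The remote name could not be resolved: {target}")
        address = zone[target]
    return address, cert_matches(cert, target)
```

With the zone present, both calls reach 10.123.4.56, but only the FQDN call passes the name check, which is why resolving the name is the fix rather than turning validation off.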
