
Azure DNS Private zones scenarios

Azure DNS Private Zones provide name resolution within a virtual network as well as between virtual networks. In this article, we look at some common scenarios that can be realized using this feature.

Scenario: Name Resolution scoped to a single virtual network

In this scenario, you have a virtual network in Azure that contains a number of Azure resources, including virtual machines (VMs). You want to resolve the resources from within the virtual network via a specific domain name (DNS zone), and you need the name resolution to be private and not accessible from the internet. Furthermore, for the VMs within the VNET, you need Azure to automatically register them into the DNS zone.

This scenario is depicted below. A virtual network named "A" contains two VMs (VNETA-VM1 and VNETA-VM2), each with a Private IP associated with it. Once you create a Private Zone named contoso.com and link this virtual network as a Registration virtual network, Azure DNS automatically creates two A records in the zone, as depicted. Now, DNS queries from VNETA-VM1 to resolve VNETA-VM2.contoso.com receive a DNS response that contains the Private IP of VNETA-VM2. Furthermore, a Reverse DNS query (PTR) for the Private IP of VNETA-VM1 (10.0.0.1) issued from VNETA-VM2 receives a DNS response that contains the name of VNETA-VM1, as expected.

Figure: Single virtual network resolution

Scenario: Name Resolution across virtual networks

This scenario is the more common case, where you need to associate a Private Zone with multiple virtual networks. It fits architectures such as the Hub-and-Spoke model, where there is a central Hub virtual network to which multiple other Spoke virtual networks are connected. The central Hub virtual network can be linked as the Registration virtual network to a private zone, and the Spoke virtual networks can be linked as Resolution virtual networks.

The following diagram shows a simple version of this scenario with only two virtual networks - A and B. A is designated as a Registration virtual network and B is designated as a Resolution virtual network. The intent is for both virtual networks to share a common zone, contoso.com. When the zone is created and the Resolution and Registration virtual networks are linked to it, Azure automatically registers DNS records for the VMs (VNETA-VM1 and VNETA-VM2) from virtual network A. You can also manually add DNS records to the zone for VMs in the Resolution virtual network B. With this setup, you will observe the following behavior for forward and reverse DNS queries:

  • A DNS query from VNETB-VM1 in the Resolution virtual network B, for VNETA-VM1.contoso.com, will receive a DNS response containing the Private IP of VNETA-VM1.
  • A Reverse DNS (PTR) query from VNETB-VM2 in the Resolution virtual network B, for 10.1.0.1, will receive a DNS response containing the FQDN VNETB-VM1.contoso.com.
  • A Reverse DNS (PTR) query from VNETB-VM3 in the Resolution virtual network B, for 10.0.0.1, will receive NXDOMAIN. The reason is that Reverse DNS queries are scoped to the same virtual network only.

Figure: Multiple virtual network resolution

Scenario: Split-Horizon functionality

In this scenario, you want different DNS resolution behavior for the same DNS zone depending on where the client sits (inside of Azure, or out on the internet). For example, you may have a private and a public version of your application with different functionality or behavior, but you want to use the same domain name for both versions. This scenario can be realized with Azure DNS by creating a Public DNS zone as well as a Private Zone with the same name.

The following diagram depicts this scenario. You have a virtual network A with two VMs (VNETA-VM1 and VNETA-VM2), each of which has both a Private IP and a Public IP allocated. You create a Public DNS zone called contoso.com and register the Public IPs of these VMs as DNS records within the zone. You also create a Private DNS zone, also called contoso.com, specifying A as the Registration virtual network. Azure automatically registers the VMs as A records in the Private Zone, pointing to their Private IPs.

Now, when an internet client issues a DNS query to look up VNETA-VM1.contoso.com, Azure returns the Public IP record from the public zone. If the same DNS query is issued from another VM (for example, VNETA-VM2) in the same virtual network A, Azure returns the Private IP record from the private zone.

Figure: Split-brain resolution
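The three scenarios above state a small set of resolution rules: a VNet linked to the private zone (as Registration or Resolution) is answered from the private zone, an internet client is answered from the public zone of the same name, and reverse (PTR) lookups are answered only for VMs in the querying VNet. The following Python model is an added example, not Azure's implementation and not code from this article; it encodes those rules so the documented outcomes (including the NXDOMAIN case for a cross-VNet PTR query) can be checked as assertions. The VM names, VNets and private IPs are the ones the scenarios use; the public IPs (203.0.113.x, from the TEST-NET range) are constructed for the example.

```python
"""Model of the name-resolution rules this page describes for Azure DNS Private Zones.

Added example: a simplified model written for this page, not Azure's implementation.
VM names, VNets and private IPs match the scenarios; public IPs are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

NXDOMAIN = "NXDOMAIN"


@dataclass
class VM:
    name: str
    vnet: str
    private_ip: str
    public_ip: Optional[str] = None


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address: 10.0.0.1 -> 1.0.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


@dataclass
class PrivateZone:
    name: str
    registration_vnets: set[str] = field(default_factory=set)
    resolution_vnets: set[str] = field(default_factory=set)
    a_records: dict[str, str] = field(default_factory=dict)                 # fqdn -> private IP
    ptr_records: dict[str, tuple[str, str]] = field(default_factory=dict)  # reverse name -> (fqdn, VNet)

    def add_record(self, vm: VM) -> None:
        """Add forward and reverse records for one VM (manual add, or auto-registration)."""
        fqdn = f"{vm.name}.{self.name}".lower()
        self.a_records[fqdn] = vm.private_ip
        # The VNet the VM lives in is what scopes PTR answers later.
        self.ptr_records[reverse_name(vm.private_ip)] = (fqdn, vm.vnet)

    def auto_register(self, vms: list[VM]) -> None:
        """Azure registers VMs from Registration VNets automatically; the model does it here."""
        for vm in vms:
            if vm.vnet in self.registration_vnets:
                self.add_record(vm)

    def is_linked(self, vnet: str) -> bool:
        return vnet in self.registration_vnets or vnet in self.resolution_vnets


@dataclass
class PublicZone:
    name: str
    a_records: dict[str, str] = field(default_factory=dict)


class Resolver:
    """Private zone for linked VNets, public zone for internet clients, PTR only within the client's VNet."""

    def __init__(self, private: PrivateZone, public: Optional[PublicZone] = None):
        self.private = private
        self.public = public

    def query_a(self, fqdn: str, client_vnet: Optional[str]) -> str:
        fqdn = fqdn.lower()
        if client_vnet is not None and self.private.is_linked(client_vnet):
            # Split horizon: a client in a linked VNet sees the private zone's view.
            return self.private.a_records.get(fqdn, NXDOMAIN)
        if self.public is not None:
            return self.public.a_records.get(fqdn, NXDOMAIN)
        return NXDOMAIN

    def query_ptr(self, ip: str, client_vnet: str) -> str:
        if not self.private.is_linked(client_vnet):
            return NXDOMAIN
        record = self.private.ptr_records.get(reverse_name(ip))
        if record is None or record[1] != client_vnet:
            # Reverse lookups are scoped to the querying VNet (the NXDOMAIN case on the page).
            return NXDOMAIN
        return record[0]


# Constructed inventory matching the page's scenarios.
VMS = [
    VM("VNETA-VM1", "A", "10.0.0.1", public_ip="203.0.113.10"),
    VM("VNETA-VM2", "A", "10.0.0.2", public_ip="203.0.113.11"),
    VM("VNETB-VM1", "B", "10.1.0.1"),
    VM("VNETB-VM2", "B", "10.1.0.2"),
    VM("VNETB-VM3", "B", "10.1.0.3"),
]


def run_checks() -> dict[str, str]:
    """Reproduce the query outcomes the three scenarios describe."""
    private = PrivateZone("contoso.com", registration_vnets={"A"}, resolution_vnets={"B"})
    private.auto_register(VMS)   # A records for VNETA-VM1 and VNETA-VM2
    private.add_record(VMS[2])   # manual record for VNETB-VM1 in Resolution VNet B
    public = PublicZone("contoso.com", {
        f"{vm.name}.contoso.com".lower(): vm.public_ip for vm in VMS if vm.public_ip
    })
    dns = Resolver(private, public)
    return {
        "vneta-vm1_from_A": dns.query_a("VNETA-VM1.contoso.com", "A"),          # 10.0.0.1
        "vneta-vm1_from_B": dns.query_a("VNETA-VM1.contoso.com", "B"),          # 10.0.0.1
        "ptr_10.1.0.1_from_B": dns.query_ptr("10.1.0.1", "B"),                  # vnetb-vm1.contoso.com
        "ptr_10.0.0.1_from_B": dns.query_ptr("10.0.0.1", "B"),                  # NXDOMAIN
        "ptr_10.0.0.1_from_A": dns.query_ptr("10.0.0.1", "A"),                  # vneta-vm1.contoso.com
        "vneta-vm1_from_internet": dns.query_a("VNETA-VM1.contoso.com", None),  # 203.0.113.10
    }


if __name__ == "__main__":
    for query, answer in run_checks().items():
        print(f"{query}: {answer}")
```

Run the module directly to print each query and its answer. The model deliberately does not fall back to the public zone when a linked VNet's client asks for a name the private zone lacks; that keeps the private view authoritative for linked clients, which is the point of the split-horizon scenario, and is a modelling choice rather than a statement about every detail of Azure's resolver.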

Next steps

To learn more about private DNS zones, see Using Azure DNS for private domains.

Learn how to create a private DNS zone in Azure DNS.

Learn about DNS zones and records by visiting DNS zones and records overview.

Learn about some of the other key networking capabilities of Azure.