paolosalvatori / private-endpoints-topologies

The goal of this article is to define a solution for the management of Azure Private Endpoints and Private DNS Zones in a complex hub-and-spoke network topology.

private-dns-zones azure-private spoke-virtual-networks hub-virtual-networks dns-servers private-endpoint azure-private-endpoints azure-private-dns-zone azure-networking azure-virtual-networks

private-endpoints-topologies's Issues

[Question] Would the Decentralized Topology for Private DNS Zones support an AMPLS per spoke?

Sorry for asking a question here, but your solution may have solved a big problem of ours.

We set up a Hub/Spoke topology with Private DNS, but it only supports a single AMPLS in the hub due to DNS dependencies.

This is a limitation at scale, and we would prefer to use a Log Analytics Cluster in the spoke for security reasons.

I was simply wondering if the Decentralized DNS solution you proposed would allow an AMPLS per spoke?

What if my PrivateDNSZone is in a different subscription, how to adjust the Autodeploy policy?

First I would like to congratulate you on the extensive article on private endpoints topologies! It has been very helpful to me and my colleagues to derive a nice strategy for private endpoints in our organization.

We are following the guidelines for the Enterprise Scale adoption by Microsoft, and making some adjustments to our hub and spoke model to adapt to some networking challenges we face.

I'm trying to adapt the CreatePrivateDnsZoneGroup policy to our scenario, but I'm not having success with it.

Our scenario is the following:

We have two subscriptions, SubsDNS and SubsNetworks

On SubsDNS, we have all of the privatelink.* DNS Zones created.

On SubsNetworks, we have VNET-A and VNET-B created.

The goal we want to achieve is:

When a private endpoint is created in VNET-A, the Policy for CreatePrivateDnsZoneGroup runs a DeployIfNotExists, and creates the DNS record on the corresponding privatelink.* DNS Zone on SubsDNS.

If the private endpoint is created in VNET-B, the Policy ignores it.


Now, I've been trying to tamper with the policy you posted to do the following:

I've added an extra condition in the if-allOf box to check for the subnet.id of where the private endpoint was created.

    {
      "field": "Microsoft.Network/privateEndpoints/subnet.id",
      "equals": "[parameters('subnetId')]"
    }

But the policy is showing as "Compliant" even without the DNS entry created on SubsDNS.

I'm new to the Azure Policies part, and I still find it somewhat confusing and hard to troubleshoot. I would appreciate it if you have any tips on how to overcome this.

Regards!

For CONS under decentralized topology, are forwarding rulesets not an option?

Under the cons for the Decentralized approach, it is stated that custom DNS servers are required and it states "This requirement is necessary because the Azure-provided DNS and Private DNS Zones do not support DNS forwarding and conditional forwarding." Are forwarding rulesets and associated links not an option here?

Links have probably unintended URL redirection via nam06.safelinks.protection.outlook.com

Thanks for the interesting document. I found a couple of links that probably should point directly to docs.microsoft.com.

topology](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fcloud-adoption-framework%2Fready%2Fazure-best-practices%2Fhub-spoke-network-topology&data=02%7C01%7Cpaolos%40microsoft.com%7C354ad17d5f1d47396dd408d82a153a6f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637305617960486099&sdata=G6qVGTNzQ9vZexRrbXcFbAb7%2BnKgzeP40eH1LL4tOtQ%3D&reserved=0)

e.g. [*privatelink.blob.core.windows.net*](https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fprivatelink.blob.core.windows.net%2F&data=02%7C01%7Cpaolos%40microsoft.com%7C354ad17d5f1d47396dd408d82a153a6f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637305617960486099&sdata=Mb1uKPtpJx5FXjO8kJJ3iwrp2mkOmka6kT2gKENdbmQ%3D&reserved=0).

[Question] Seamless implementation of Private DNS zones for existing resources?

Paolo,
thank you a lot for such detailed and scrupulous manuals.
It helped a lot of engineers to succeed.

I have a practical question about implementing Azure Private DNS zones for existing resources that are being used via public IPs.

I am testing an implementation of private endpoints together with private DNS zones in a hybrid Azure network (with an on-prem part) for existing resources.
I have a setup as here: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale

The problem is, as I mentioned, resources already exist and are used through external/public IPs (with firewalls, sure thing). As soon as I enable the setup between a private DNS zone and a DNS Forwarder, nslookup from a private network starts using it in priority:
If the Private DNS Zone contains A records created in advance, it works as expected: it resolves the private IP.
If it does not, it resolves nothing. I expected it to redirect me to public DNS in Azure and resolve the public IP.

I have a lot of resources created in the past, I do not have the whole list of them, and the setup without pre-created DNS records in this case introduces potential issues and precludes seamless implementation.

Do you know if it is possible to resolve a public IP from inside the virtual network with the existing private DNS zone if the A record does not exist?
For instance,
There is a DB exposed via public IP and name ylo_pc.database.windows.net
I created a private DNS zone privatelink.database.windows.net and linked it to a DNS forwarder, but have not created the A record yet (let's imagine somewhere in another team people use a DB that I am not aware of)
and I cannot resolve ylo_pc.database.windows.net to a public IP from the private network if the A record does not exist.

Excuse me for the long description, I wanted to make the case detailed :)
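The behaviour described in this post, modelled as an added example that is not code from the repository or the poster: a small resolver in which a VNet-linked Private DNS zone is authoritative for its whole namespace, so a missing A record yields NXDOMAIN rather than a fall-through to public DNS. The public CNAME, the zone contents and the IP addresses are constructed; only the hostname ylo_pc.database.windows.net comes from the post.

```python
# Added example (not the repository's or the poster's code): a small resolver that
# models how an Azure-provided resolver answers once a Private DNS zone is linked
# to the VNet. Everything here is constructed; only the hostname is from the issue.

# Constructed "public DNS": the SQL hostname is aliased to its privatelink name,
# which publicly resolves to the service's (constructed) public IP.
PUBLIC_DNS = {
    "ylo_pc.database.windows.net": ("CNAME", "ylo_pc.privatelink.database.windows.net"),
    "ylo_pc.privatelink.database.windows.net": ("A", "40.0.0.10"),
}


def resolve(name, private_zones, max_hops=8):
    """Return (rtype, value) for `name`.

    `private_zones` maps a linked zone name to its {fqdn: ip} records. A linked
    zone is authoritative for every name under it, so a name inside a zone with
    no record gets an authoritative NXDOMAIN: the query never falls back to
    public DNS. Names outside any linked zone are answered from PUBLIC_DNS.
    """
    for _ in range(max_hops):
        zone = next((z for z in private_zones
                     if name == z or name.endswith("." + z)), None)
        if zone is not None:
            ip = private_zones[zone].get(name)
            return ("A", ip) if ip else ("NXDOMAIN", None)
        if name not in PUBLIC_DNS:
            return ("NXDOMAIN", None)
        rtype, value = PUBLIC_DNS[name]
        if rtype == "A":
            return ("A", value)
        name = value  # follow the CNAME into the privatelink namespace
    raise RuntimeError("CNAME chain too long")


def scenarios():
    """The three situations from the issue, for one VNet resolving the SQL hostname."""
    zone = "privatelink.database.windows.net"
    # 1. No private zone linked to the VNet: public DNS answers with the public IP.
    no_zone = resolve("ylo_pc.database.windows.net", {})
    # 2. Zone linked and the A record pre-created: the private endpoint IP is returned.
    with_record = resolve("ylo_pc.database.windows.net",
                          {zone: {"ylo_pc.privatelink.database.windows.net": "10.0.0.5"}})
    # 3. Zone linked but the record missing (the poster's case): NXDOMAIN, not the public IP.
    missing = resolve("ylo_pc.database.windows.net", {zone: {}})
    return no_zone, with_record, missing


if __name__ == "__main__":
    for label, answer in zip(("no zone", "record present", "record missing"), scenarios()):
        print(f"{label:15s} -> {answer}")
```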

Storage Account Private DNS policy not finding resources

Hello

I tried both of the JSON templates for deploying a private DNS zone for storage accounts in my tenant. But it seems to not find any resources. I pointed it to the right Private DNS zone that is created.

The first one is not finding any resources. The 2nd fails saying it can't find the private DNS zone id.

I have updated the config as far as I can see to the correct values. But I'm not a policy or JSON expert so I'd appreciate some help.

I have tried using the built-in policy that was used for service bus and key vault. But that only picks up those resources.

Thanks
Jan-Tore

Private AKS endpoint doesn't use PrivateDnsZoneGroup

Hi @paolosalvatori

thanks for your extensive article about DNS zones in a hub and spoke architecture.

We are new to Azure, building a hybrid cloud from scratch using the recommended hub and spoke model.

Starting with a Private AKS cluster, it looks like the private endpoint for AKS is different from a private endpoint for a storage account.

If you create a private AKS cluster, Azure will create an endpoint and a DNS zone (it's possible to BYO DNS zone).

The DNS records inside the DNS zone are managed by AKS directly. PrivateDnsZoneGroup is not used here. The cluster uses a privileged managed identity to configure the records inside the DNS zone.

The IP of the endpoint is not static. Azure says the IP can change for maintenance reasons.

Since AKS does not use PrivateDnsZoneGroup here, using Policies with DeployIfNotExists (like https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale) does not work. We tried this in our lab: the Private Endpoint gets linked with the DNS zone, but no records are created. Additionally, the policy is too slow, since the records are required during the setup of the AKS cluster.

Using a central DNS Zone privatelink.westeurope.azmk8s.io inside the hub could work, but every AKS cluster needs "Private DNS Zone Contributor" permissions to create records in this zone.

Do you have any alternative solutions for this case?

image1 has an error on step 5 of the DNS Resolution flow

I think there is a slight mistake on image1...

The image shows step 5 going via private endpoint 10.0.0.6 (for abc.dfs.core.windows.net) but the words for step 5 (correctly) state it's going via 10.0.0.5 to get to xyz.blob.core.windows.net.

A few mistakes in the readme file

  1. Under Topology, in the main diagram, the right-side HUB-NE is mis-labelled. It should be HUB-WE

  2. Under the 'Decentralized Topology for ...' title, the first statement is incorrect. It should read "the DEcentralized topology is characterized...."
