How to access Private Link resources from on-premises without on-premises DNS configuration and without requiring an A record.
There are two solutions:
Private Link - A DNS lookup defaults to the public endpoint IP address when the query does not originate from within the VNet. See Docs. Private Link resources therefore require an on-premises DNS server with a conditional forwarder configured to the private IP address of Azure DNS. For environments that require a CNAME record, this IP-based solution is not applicable.
Private IP - Queries must originate from the Virtual Network to Azure DNS in order to resolve to a private endpoint. See Docs. To serve on-premises requests, a DNS forwarder in Azure is required to resolve the FQDN to a private IP.
The first solution requires on-premises DNS configuration and the second solution requires an A record. Neither will work in this case. Below are the steps to a third solution.
- VNet(s) with one subnet dedicated to the App Gateway, one subnet for private endpoints, one Gateway subnet, and subnets for other resources.
- VPN Gateway
- App Gateway, a VM for the DNS forwarder, and the privatelink.* and mycompany.com Private DNS Zones.
View PDF of sample Architecture Design
- Create the mycompany.com Private DNS Zone.
- Link it to the VNet(s).
- Enable Auto-Registration on the "Virtual network links".
Create a Windows Server VM for the DNS forwarder in the VNet linked to the mycompany.com Private DNS Zone (a Linux DNS forwarder is an optional alternative). Because Auto-Registration was enabled when linking the VNet, the VM's private IP is automatically registered as an A record in the Private DNS Zone.
VM Configuration:
- Log into the Windows VM and execute the command below. It can also be installed via a Custom Script Extension.
Install-WindowsFeature -Name DNS -IncludeManagementTools
- Navigate to DNS Manager -> right-click the server name -> Properties and add the Azure DNS IP address as a forwarder.
- Add the DNS forwarder's private IP as the DNS server for the VNet(s).
- Restart all servers and re-download the VPN client package.
- Clear-DnsClientCache or ipconfig /flushdns
- Resolve-DnsName -Name ftagovdnsproxy.mycompany.com
This should resolve to the private IP address.
Deploy the App Gateway in the VNet and add an A record for it in the Private DNS Zone, e.g. appgw.mycompany.com.
Point the App Gateway backend at your App Service. The backend target is the FQDN of the App Service, which resolves to its Private Endpoint. In the configuration below the Frontend Listener is on port 80, with a rule to the port 443 backend for the App Service.
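The DNS forwarder setup and the resolution check above, as an added PowerShell example that is not part of the original post. It assumes it runs as an administrator on the forwarder VM; $AzureDnsIp is Azure's well-known recursive resolver address (not stated on the page), and the hostnames are the page's sample names standing in for your own.

```powershell
# Added example: configure the Windows DNS forwarder VM and verify that names in
# the Private DNS Zone resolve to private IPs rather than falling back to public ones.
# Assumptions: run as admin on the forwarder VM; $AzureDnsIp is Azure's well-known
# virtual resolver IP (not from the post); $TestHosts are the post's sample names.

$AzureDnsIp = '168.63.129.16'
$TestHosts  = @('appgw.mycompany.com', 'ftagovdnsproxy.mycompany.com')

# 1. Install the DNS Server role (the same step the post shows).
Install-WindowsFeature -Name DNS -IncludeManagementTools

# 2. Forward every query this VM cannot answer itself to Azure DNS. Because the
#    VM sits inside the VNet, Azure DNS answers from the linked Private DNS Zones.
$existing = (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }
if ($existing -notcontains $AzureDnsIp) {
    Add-DnsServerForwarder -IPAddress $AzureDnsIp -PassThru
}

# 3. Verify: each name must resolve to an RFC 1918 address. A public address means
#    the lookup fell back to the public endpoint and traffic would bypass the
#    private endpoint path, which is the failure mode the post is working around.
function Test-PrivateResolution {
    param([string[]]$Names, [string]$Server = 'localhost')
    foreach ($n in $Names) {
        $rec = Resolve-DnsName -Name $n -Type A -Server $Server -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        [pscustomobject]@{
            Name      = $n
            IPAddress = $rec.IPAddress
            IsPrivate = [bool]($rec.IPAddress -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)')
        }
    }
}

Clear-DnsClientCache
$check = Test-PrivateResolution -Names $TestHosts
$check | Format-Table -AutoSize
if ($check | Where-Object { -not $_.IsPrivate }) {
    Write-Warning 'A name resolved to a public address or not at all; check the zone links and forwarders.'
}
```

Run the same function from an on-premises VPN client with -Server set to the forwarder's private IP to confirm the path end to end.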
Q&A: Azure Private DNS Zone Child Zone from On-Prem DNS resolution