Skip to main content

Azure Private DNS Resolution from On-Prem

Howdy Folks

Again here with a Microsoft Azure product experience, this time it's about DNS resolutions. As you all know Microsoft Azure services have a networking feature called Private endpoints. This allows network users or services to access the MS-hosted services securely using a private IP address. I won't go into details on what and how to set up private endpoints and DNS.

Problem to Solve

Azure storage account enabled a private endpoint and integrated it with private DNS. There are servers and used required to access this storage account using the private IP address (NOT THE PUBLIC ENDPOINT). A firewall is enabled on the storage account and this disabled the public access. Every time the on-prem server tries to access the storage account AD DNS resolves to the storage account's public IP address, not the local IP.

Current Setup



Current Behaviour from On-prem

Resolution

At the moment, azure private DNS zones do not support setting up conditional forwarders. So the solution is to set up a DNS forwarder. And we need to provision this server inside an Azure virtual network that has a private DNS linked to it. Also, this server should be accessible from on-prem network Refer to the below document for the solution.

https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns#virtual-network-and-on-premises-workloads-using-a-dns-forwarder






In Azure private endpoint, DNS resolution and some other DNS resolutions provided by one static IP belong to Microsoft (168.63.129.16) below article outlines the IP address details. Specially 168.63.129.16 will only respond to any query from Azure only.

https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16






Step 1 - Provisioned a new server and install DNS role in the newly provisioned server. Once done, Add the 168 IP as a forwarder in the new DNS server.


Below is the name resolution for our storage account from the new server. Looks like we can now resolve the private IP address of the storage account.

Step 2 - The next step is to create a new conditional forwarder from the AD DNS to point to the new DNS server in Azure vnet


Once this configuration is done, Servers using active directory DNS will be able to resolve to the private IP of the storage account.

This may not be an easy solution, but at the moment this is the only viable solution for this. Hopefully, in the future, we will be able to drop the intermediate DNS server part when it comes to name resolutions.

Until next time...... :)


Labels:

Comments

Post a Comment

Popular posts from this blog

Deploying an Automation Account with a Runbook and Schedule Using Bicep

Introduction Automation is a key component in many organizations' cloud strategy. Azure Automation allows you to automate the creation, deployment, and management of resources in your Azure environment. In this post, we will walk through the process of deploying an Automation Account with a Runbook and Schedule using Bicep, a new domain-specific language for deploying Azure resources. Intention My intention at the  end is to run a PowerShell  script to start and shutdown Azure VMs based on tag values. PowerShell  script that I have used is from below l ink.  And two  of me   collogue s ( Michael Turnley   and Saudh Mohomad helped to modify the  PowerShell  script. Prerequisites Before we begin, you will need the following: An Azure subscription The Azure CLI installed on your machine. The Azure Bicep extension for the Azure CLI Creating the Automation Account The first step in deploying an Automation Account with a R...
Post a Comment
Read more

Securing Azure Services with Fetian FIDO

Hey Folks  Here again with another security topic with Fetian Fido. And once again Fetian devices proved their excellent quality and stability. For this I choose Fetian K33 -  AllinPass FIDO Security Key – FEITIAN (ftsafe.com) and  K39 -  Single-button FIDO Security Keys | FEITIAN (ftsafe.com) Use case  In an organization following changes needs to be implemented.  1. Update the password policy 2. Update the user session time out to 30 minutes Once these changes being implemented, the following issues need to be addressed 1. Users' complaint new passwords need to be so long 2. Users complain sessions time out makes them work so much slower with the longer passwords 3. Etc... Solution  One of my friends reached out to me to help solve this problem. All I could think of was using passwordless auth with FIDO devices. We have decided to use Fido2 keys for better security and flexibility for the users. The FIDO (Fast IDentity Online) Alliance helps to pro...
Post a Comment
Read more

Migrating Azure DevOps Variable Groups

Howdy Folks, I was working on an application modernization project. And there was a requirement to migrate application deployments from one project to another in Azure DevOps. deployment pipelines were heavily dependent on variable groups. So, we wanted to migrate these variables group to the new project. Couldn't find any solutions in internet for this, so came up with the below scripts. You can grab the scripts from the below GitHub URL. DaniduWeerasinghe911/Migrate-Azure-DevOps-Variable-Groups: This Repo Include PowerShell Scripts relating to Migrating Azure DevOps Variable Groups (github.com) Azure DevOps Variable Groups Azure DevOps Variable Groups are a way to store and manage sets of variables that can be used across multiple pipelines in Azure DevOps. These variables can include secrets, connection strings, and other sensitive information that is needed for builds and releases. Variable Groups provide a centralized way to manage these variables and ensure that they are cons...
Post a Comment
Read more