Lee

Reputation: 1465

Bicep: Private DNS zones, Private Endpoints, and DNS Records done right

I am deploying PEs in my Vnet (dedicated Snet) that are linked to Web App resources deployed with Vnet integration. My understanding is that I need to add A records in the Private DNS Zone. This is turning out to be a lot harder than I would have expected.

How do I add my DNS records in this scenario since I can't add the records until I have deployed my PEs (need the IPs)? Any suggestions on best practices? I've gone in multiple different directions and still haven't found a solution that works effectively.

My thinking is to build an output based on something like this so that I can get each PE details, but I can't seem to get it right. Or maybe there is a better way?

param privateEndpoints array

// Deploy Private Endpoints
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2024-05-01' = [for pe in privateEndpoints: {
  name: pe.name
  location: pe.location
  properties: {
    subnet: {
      id: pe.properties.subnetId
    }
    privateLinkServiceConnections: [
      {
        name: 'link-to-${pe.name}' // Logical name for the private link service connection
        properties: {
          privateLinkServiceId: pe.properties.privateLinkServiceId // Reference the service being linked to
          groupIds: pe.properties.groupIds
        }
      }
    ]
  }
}]

Upvotes: 0

Views: 169

Answers (2)

Lee

Reputation: 1465

Though not very well documented, the correct way to do this is to use Private DNS Zone Groups tied to each Private Endpoint. This is the only official documentation I could find: (https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration?source=recommendations#private-dns-zone-group)

Some key points:

  • The A record is automatically created, updated or removed in the referenced Private DNS Zone based on the Private Endpoint configuration.
  • It only worked when the name of the Private DNS Zone exactly matches the official Azure Private DNS zone name for that resource type (documentation)
  • One Private DNS Zone Group per Private Endpoint

It will look something like this:

param privateEndpoints array

// One zone group per private endpoint. Deploy this after the matching
// endpoint exists (reference it via parent or dependsOn in the same template).
resource privateEndpointDnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2024-05-01' = [for pe in privateEndpoints: {
  name: '${pe.name}/default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: '${pe.name}-config'
        properties: {
          privateDnsZoneId: pe.dnsZone // resource id of the matching privatelink.* zone
        }
      }
    ]
  }
}]

Upvotes: 0

Vinay B

Reputation: 2401

Private DNS zones, Private Endpoints, and DNS Records provisioning using Bicep

When provisioning the private endpoint dynamically and referring to the private endpoints, the DNS records are unavailable until the PEP has been created completely.

Since Private DNS A records need the private IP address assigned to each PEP, and these IPs are provided dynamically by Azure and are not available at deployment time, the use of for_each might also be the reason.

In my approach I assign the PEP first and get the IP ready for the assignment. Once the deployment is done, the Private DNS Zone Group automatically registers the A records.

Deployment:

// Parameter and existing-resource declarations added so the snippet deploys
// on its own; the answer did not show them. For a Web App the groupId is
// 'sites' and the zone name is privatelink.azurewebsites.net.
param privateEndpointName string
param location string = resourceGroup().location
param vnetName string
param subnetName string
param privateDnsZoneName string
param groupId string
param webAppName string

resource vnet 'Microsoft.Network/virtualNetworks@2024-05-01' existing = {
  name: vnetName
}

resource webApp 'Microsoft.Web/sites@2022-09-01' existing = {
  name: webAppName
}

// Private endpoint; Azure assigns the private IP from the subnet at deploy time.
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2024-05-01' = {
  name: privateEndpointName
  location: location
  properties: {
    subnet: {
      id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, subnetName)
    }
    privateLinkServiceConnections: [
      {
        name: privateEndpointName
        properties: {
          privateLinkServiceId: webApp.id
          groupIds: [
            groupId
          ]
        }
      }
    ]
  }
}

// Private DNS zone; must be named exactly as Azure publishes for the resource type.
resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: privateDnsZoneName
  location: 'global'
  properties: {}
}

// Link the zone to the VNet so clients in it resolve the private record.
resource vnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: vnet.id
    }
  }
}

// Zone group: Azure writes the A record from the endpoint's assigned IP.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'config1'
        properties: {
          privateDnsZoneId: privateDnsZone.id
        }
      }
    ]
  }
}


Refer:

https://learn.microsoft.com/en-us/azure/templates/microsoft.network/privateendpoints?pivots=deployment-language-bicep

Upvotes: 0
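Both answers rely on the same mechanism: a private DNS zone group per endpoint, so Azure writes the A record itself and the template never needs the IP. The following is an added example (not code from either answer) that combines the question's array-of-endpoints loop with that mechanism in one deployable module, using an index loop and `parent` so Bicep orders each zone group after its own endpoint. The parameter shape, resource names (`vnet-app`, `snet-pe`, the Web App names) and the assumption that the Web Apps live in the same resource group are mine.

```bicep
// Added example, not code from either answer: one module that creates a
// private endpoint per Web App and attaches a private DNS zone group to each,
// so Azure writes and maintains the A records itself. Resource names and the
// parameter shape are assumptions made for this example.

@description('Constructed input: one entry per Web App that needs a private endpoint.')
param privateEndpoints array = [
  { name: 'pe-app-01', webAppName: 'app-01' }
  { name: 'pe-app-02', webAppName: 'app-02' }
]
param location string = resourceGroup().location
param vnetName string = 'vnet-app'   // assumed existing VNet
param subnetName string = 'snet-pe'  // assumed dedicated endpoint subnet

// The zone name must be exactly the Azure-published name for the target
// resource type; for Web Apps (groupId 'sites') that is privatelink.azurewebsites.net.
// A misspelt zone is silently ignored by resolvers and clients fall back to the public record.
var privateDnsZoneName = 'privatelink.azurewebsites.net'

resource vnet 'Microsoft.Network/virtualNetworks@2024-05-01' existing = {
  name: vnetName
}

resource subnet 'Microsoft.Network/virtualNetworks/subnets@2024-05-01' existing = {
  parent: vnet
  name: subnetName
}

// Look up each target Web App (assumed to be in this resource group).
resource webApps 'Microsoft.Web/sites@2022-09-01' existing = [for pe in privateEndpoints: {
  name: pe.webAppName
}]

resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: privateDnsZoneName
  location: 'global'
}

// Link the zone to the VNet so clients inside it resolve the private record.
// registrationEnabled is VM hostname auto-registration; endpoint records
// come from the zone groups below, so it stays off.
resource vnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: {
      id: vnet.id
    }
  }
}

resource privateEndpoint 'Microsoft.Network/privateEndpoints@2024-05-01' = [for (pe, i) in privateEndpoints: {
  name: pe.name
  location: location
  properties: {
    subnet: {
      id: subnet.id
    }
    privateLinkServiceConnections: [
      {
        name: 'link-to-${pe.name}'
        properties: {
          privateLinkServiceId: webApps[i].id
          groupIds: ['sites']
        }
      }
    ]
  }
}]

// One zone group per endpoint. parent plus the index loop gives Bicep the
// ordering (endpoint first, then its zone group); the A record is created from
// the endpoint's assigned IP without the template ever knowing that IP.
resource privateEndpointDnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2024-05-01' = [for (pe, i) in privateEndpoints: {
  parent: privateEndpoint[i]
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: replace(privateDnsZoneName, '.', '-')
        properties: {
          privateDnsZoneId: privateDnsZone.id
        }
      }
    ]
  }
}]

// Endpoint details for post-deployment verification: the NIC holds the private IP.
output endpointNics array = [for (pe, i) in privateEndpoints: {
  name: pe.name
  nicId: privateEndpoint[i].properties.networkInterfaces[0].id
}]
```

Deploy it with `az deployment group create -g <rg> -f main.bicep`, then check two things: `az network private-dns record-set a list -g <rg> -z privatelink.azurewebsites.net` should list one A record per Web App, and `nslookup app-01.azurewebsites.net` from a VM inside the VNet should return the subnet's private address. If the lookup returns a public IP instead, the zone name or the VNet link is wrong and client traffic is bypassing the private endpoint, which is the failure mode worth catching before the endpoint is treated as a network boundary.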
