Azure Infrastructure Blog

Centralizing Azure Private DNS Zones and Automating Record Creation for PaaS Services

kumaramit1
May 08, 2025

In today's cloud-centric world, managing DNS configurations efficiently is crucial for ensuring seamless connectivity and security. This blog will guide you through configuring Azure services to use centralized private DNS zones by default in a hub-and-spoke topology (the CAF landing-zone model). We'll also cover managing this setup via policies, provide a list of available private DNS zones for PaaS services, discuss RBAC limitations for the policy identity, and share a script to copy records and virtual network links from one private DNS zone to a centralized one.

🎯Conceptual Overview: DNS Resolution via Private DNS Zones

Azure Private DNS Zones provide a reliable and secure DNS service to manage and resolve domain names within your virtual network without the need for a custom DNS solution. The records contained in a private DNS zone are not resolvable from the Internet, ensuring that DNS resolution against a private DNS zone works only from virtual networks linked to it.

For scenarios where DNS resolution needs to be handled through custom DNS or on-premises setups, Azure Private DNS Resolver can be deployed. This service provides recursive resolution and conditional forwarding, allowing DNS names hosted in Azure DNS private zones to be resolved from on-premises networks and vice versa.

📜Available Private DNS Zones for PaaS Services

Azure publishes a private DNS zone name (for example privatelink.<service>.<domain>) for each PaaS service that supports private endpoints. Using the published zone name is what lets a private endpoint's DNS records be integrated with Azure Private DNS Zones.

You can find the complete list of available private DNS zones for PaaS services in the Azure documentation:

📚https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns

🔍 DNS configuration scenarios

By default, the Fully Qualified Domain Name (FQDN) of a PaaS service resolves to its public IP address. To resolve it to the private IP address of the private endpoint instead, you must modify your DNS configuration.

DNS is an essential component for ensuring that the application operates correctly by resolving the private endpoint IP address accurately.

Based on your preferences, the following scenarios are available with integrated DNS resolution:

  • Virtual network workloads without Azure Private Resolver
  • Peered virtual network workloads without Azure Private Resolver
  • Azure Private Resolver for on-premises workloads
  • Azure Private Resolver with on-premises DNS forwarder
  • Azure Private Resolver for virtual network and on-premises workloads

📚https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration#dns-configuration-scenarios

🧰Managing DNS Configuration via Policies

To streamline the creation and management of DNS records for private endpoints, Azure Policies with the DeployIfNotExists effect can be deployed. These policies attach a private DNS zone group to each new private endpoint, so that the DNS records are automatically created in the centralized private DNS zone when application teams deploy resources with private endpoints, and removed again when the private endpoint is deleted.

Here are the key benefits of using Azure Policies for DNS record creation:

  • Scalability: Efficiently handles large numbers of policy definitions.
  • Consistency: Ensures uniform policy sets across different environments.
  • Time-Saving: Speeds up the creation, deployment, and updates of policy sets and assignments.
  • Error Reduction: Minimizes manual errors in policy set/assignment creation and management.

Azure Policy can enforce the use of private DNS zones for PaaS services. Below are some useful policies. 

The complete list of available policies can be referenced at:

📚https://learn.microsoft.com/en-us/azure/networking/policy-reference

Name | Description | Effect(s) | Version
[Preview]: Configure Azure Recovery Services vaults to use private DNS zones | Use private DNS zones to override DNS resolution for private endpoints. | DeployIfNotExists, Disabled | 1.0.0-preview
Configure Azure Cache for Redis to use private DNS zones | A private DNS zone links to your virtual network to resolve to Azure Cache for Redis. | DeployIfNotExists, Disabled | 1.0.0
Configure Azure Synapse workspaces to use private DNS zones | A private DNS zone links to your virtual network to resolve to Azure Synapse workspace. | DeployIfNotExists, Disabled | 2.0.0

🔐RBAC Limitations for Policies Identity

When deploying policies for DNS record creation, it's essential to consider RBAC limitations for policy identities. A DeployIfNotExists assignment runs under its own managed identity, and that identity is only granted roles within the assignment scope; the centralized private DNS zone normally lives in the hub subscription, outside that scope. Ensure that the identity used for remediation has the necessary permissions both where the private endpoints are created and on the centralized zone, so that records and zone groups can be created and managed without access errors. Common roles include:

  • DNS Zone Contributor: Allows management of DNS zones and records.
  • Network Contributor: Allows management of virtual networks and DNS settings.
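Putting the policy section and the RBAC point together, here is an added example (not code from the original post) that assigns one of the built-in DeployIfNotExists policies listed above at a landing-zone subscription and then grants the assignment's managed identity a role on the central zone in the hub subscription. All subscription IDs, resource names and the definition GUID are placeholders; it assumes Az.Resources 7.x property names (IdentityPrincipalId, Id), that the definition's parameter is named privateDnsZoneId, and that Network Contributor is the role the definition requests in its roleDefinitionIds (check the definition and substitute a narrower role if it declares one).

```powershell
# Added example, not from the original post. Placeholders are marked with <...>.
$assignmentScope  = "/subscriptions/<landing-zone-subscription-id>"   # where private endpoints get deployed
$centralZoneId    = "/subscriptions/<hub-subscription-id>/resourceGroups/<hub-dns-rg>" +
                    "/providers/Microsoft.Network/privateDnsZones/privatelink.redis.cache.windows.net"
$definitionName   = "<built-in-policy-definition-guid>"   # e.g. "Configure Azure Cache for Redis to use private DNS zones"
$assignmentName   = "pe-dns-redis"
$identityLocation = "eastus"                               # a system-assigned identity needs a location

# 1. Assign the built-in definition with a system-assigned managed identity and point it at the central zone.
#    The parameter name privateDnsZoneId is an assumption; verify it with $def.Parameter.
$def = Get-AzPolicyDefinition -Name $definitionName
$assignment = New-AzPolicyAssignment -Name $assignmentName `
    -DisplayName "Configure Azure Cache for Redis to use private DNS zones" `
    -Scope $assignmentScope -PolicyDefinition $def `
    -PolicyParameterObject @{ privateDnsZoneId = $centralZoneId } `
    -IdentityType SystemAssigned -Location $identityLocation

# 2. RBAC: Azure grants the identity nothing outside $assignmentScope, but the privateDnsZoneGroups
#    deployment has to write records into the central zone in the hub subscription. Grant the role
#    on the zone itself (least scope that works) rather than on the whole hub subscription.
#    Network Contributor is an assumption taken from the built-in definitions' roleDefinitionIds.
$principalId = $assignment.IdentityPrincipalId
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Network Contributor" -Scope $assignmentScope
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Network Contributor" -Scope $centralZoneId

# 3. DeployIfNotExists only fires on create/update. Private endpoints that already exist are
#    reported non-compliant until a remediation task runs under the identity granted above.
Start-AzPolicyRemediation -Name "$assignmentName-remediation" `
    -PolicyAssignmentId $assignment.Id -Scope $assignmentScope
```

Role assignments can take a few minutes to propagate; if the remediation task fails with an authorization error immediately after step 2, wait and re-run step 3.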

🧩Script to Copy Records and Virtual Network Links

If you need to migrate records and virtual network links from one private DNS zone to a centralized one (in the same or a different subscription), use the following PowerShell script. It requires the Az.Accounts and Az.PrivateDns modules and an account with rights on both zones:

# Set Variables
$sourceSubscriptionId = "source-subscription-id"
$targetSubscriptionId = "target-subscription-id"
$sourceResourceGroup = "SourceResourceGroup"
$sourceZoneName = "SourcePrivateDNSZone"
$destinationResourceGroup = "DestinationResourceGroup"
$destinationZoneName = "DestinationPrivateDNSZone"

# Set the context to the source subscription
Set-AzContext -SubscriptionId $sourceSubscriptionId

# Get records from the source private DNS zone
$sourceRecords = Get-AzPrivateDnsRecordSet -ResourceGroupName $sourceResourceGroup -ZoneName $sourceZoneName

# Get Vnet links from the source private DNS zone
$sourceVnetLinks = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $sourceResourceGroup -ZoneName $sourceZoneName

# Set the context to the target subscription
Set-AzContext -SubscriptionId $targetSubscriptionId

# Create records in the destination private DNS zone
foreach ($record in $sourceRecords) {
    # Every zone already owns its own SOA record set at "@"; it cannot be created
    # with New-AzPrivateDnsRecordSet and would make the loop fail, so skip it
    if ($record.RecordType -eq "SOA") { continue }

    $recordType = $record.RecordType
    $recordName = $record.Name
    $recordTTL = $record.Ttl
    $recordData = $record.Records

    # Create the record set in the destination zone
    New-AzPrivateDnsRecordSet -ResourceGroupName $destinationResourceGroup -ZoneName $destinationZoneName -Name $recordName -RecordType $recordType -Ttl $recordTTL -PrivateDnsRecords $recordData
}

# Create Vnet links in the destination private DNS zone
foreach ($vnetLink in $sourceVnetLinks) {
    $vnetId = $vnetLink.VirtualNetworkId
    $linkName = $vnetLink.Name

    # Create the Vnet link in the destination zone (the link name only needs to be unique within the zone)
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $destinationResourceGroup -ZoneName $destinationZoneName -Name $linkName -VirtualNetworkId $vnetId
}

🧾 Conclusion

Centralizing private DNS zones for PaaS services in Azure simplifies DNS management, enhances security, and ensures consistent DNS resolution across your environment. By leveraging Azure policies and understanding RBAC limitations, you can effectively manage and enforce the use of private DNS zones. The provided script can assist in migrating DNS records and virtual network links, ensuring a smooth transition to a centralized DNS management model.

By following these guidelines, you can ensure a robust and efficient DNS management strategy for your Azure PaaS services.

Updated May 08, 2025
Version 1.0

2 Comments

  • kumaramit1 - FYI: It appears you have included a period in the link https://learn.microsoft.com/en-us/azure/networking/policy-reference in the 'Managing DNS Configuration via Policies' section of this post, resulting in a '404 - Page not found' error when clicking on the 'The complete list of available policies can be referenced at' link.