Forum Discussion
prken1azgmailcom
Feb 21, 2021Copper Contributor
What is impact of Azure Firewall update from default to custom DNS on other Vnets routing to FW
I have 4 Azure VNets: one Prod (VMs and AKS), a 2nd Dev (VMs and AKS), a 3rd (Domain Controllers), and a 4th (Azure Firewall and Application Gateway). External traffic only comes from the 4th VNet's resources. VNet peering is set from 1 to 4, 2 to 4, and 3 to 4.
Route tables from the 1st, 2nd, and 3rd VNets are set to the Azure Firewall private IP.
All VNets have the Domain Controllers' private IPs added as DNS servers.
Azure firewall has DNS setting disabled.
I am going to enable the Firewall DNS settings, add the Domain Controllers' DNS, and enable DNS proxy.
For testing, I am going to add the Firewall private IP to the DNS settings of the Dev VNet and restart the VMs.
But I did not add this to the Prod VNet.
What will be the impact on Prod VNet apps if they are trying to resolve IPs from the domain controller? What will be the impact on Prod apps if they are trying to access Azure resources (SQL, storage account)?
1 Reply
Below is the potential impact on Prod VNet apps (no DNS changes yet), with the key points highlighted:
1. Domain Controller Resolution
• No impact if Prod VMs still point directly to the domain controllers for DNS.
• They’ll continue resolving internal names (AD, internal FQDNs) as before.
• Azure Firewall won’t interfere unless you change their DNS settings to point to the firewall.
2. Access to Azure Resources (SQL, Storage, etc.)
• No impact unless those resources require DNS resolution that is being filtered or cached by the firewall.
• Since Prod VMs are still using the domain controllers' DNS directly, they will resolve public Azure endpoints via the domain controllers' forwarders or default behaviour.
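As an added example that is not part of this thread, the following Python script models the resolution path each VNet ends up with before and after the change the question describes: it flags the failure case a practitioner checks for first, a VNet whose DNS servers already point at the firewall private IP while the firewall's DNS proxy is still disabled (the firewall does not answer on port 53 then), and the case where the proxy is on but the domain controllers are not its upstream. All addresses and VNet names are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Firewall:
    private_ip: str
    dns_proxy_enabled: bool
    dns_servers: list = field(default_factory=list)  # custom upstream servers; empty = Azure DNS

@dataclass
class VNet:
    name: str
    dns_servers: list  # DNS servers configured on the VNet (inherited by its VMs)

def resolution_status(vnet: VNet, fw: Firewall, dc_ips: list) -> str:
    """Classify how VMs in `vnet` reach the domain controllers for DNS.

    direct          - VNet points straight at the DCs; firewall not involved (Prod in the question)
    proxied         - VNet points at the firewall, proxy on, DCs are the firewall's upstream (Dev after)
    proxy-no-dc     - proxy on, but the firewall forwards to Azure DNS, so AD-internal names fail
    proxy-disabled  - VNet points at the firewall but DNS proxy is off: queries get no answer
    no-dc           - neither the DCs nor the firewall are configured as DNS servers
    """
    dcs = set(dc_ips)
    servers = set(vnet.dns_servers)
    if fw.private_ip in servers:
        if not fw.dns_proxy_enabled:
            return "proxy-disabled"
        if dcs & set(fw.dns_servers):
            return "proxied"
        return "proxy-no-dc"
    if dcs & servers:
        return "direct"
    return "no-dc"

def plan_report(vnets: list, fw: Firewall, dc_ips: list) -> dict:
    """Status per VNet for one firewall state, so before/after can be compared side by side."""
    return {v.name: resolution_status(v, fw, dc_ips) for v in vnets}

# Constructed sample mirroring the question (placeholder addresses, not real ones).
DC_IPS = ["10.3.0.4", "10.3.0.5"]   # domain controllers in the 3rd VNet
FW_IP = "10.4.0.4"                  # Azure Firewall private IP in the 4th VNet
fw_before = Firewall(FW_IP, dns_proxy_enabled=False)
fw_after = Firewall(FW_IP, dns_proxy_enabled=True, dns_servers=DC_IPS)
prod = VNet("prod", DC_IPS)   # unchanged: still points directly at the DCs
dev = VNet("dev", [FW_IP])    # test change: points at the firewall

if __name__ == "__main__":
    for label, fw in (("before", fw_before), ("after", fw_after)):
        print(label, plan_report([prod, dev], fw, DC_IPS))
```

Run the report before flipping the firewall setting and again after; Prod should read `direct` in both, and Dev should move from `proxy-disabled` to `proxied` only once the proxy is on and the DCs are listed as the firewall's DNS servers.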