Azure Private Link DNS
Microsoft

Azure Private Link is a private connection to Azure PaaS services. However, to really understand Private Link, you need to understand what is happening under the covers - with DNS.

 

Before you enable Private Link for a PaaS service, e.g. Azure SQL, a request for an Azure PaaS service URL such as Sql321.database.windows.net (a global zone) would go through the following DNS resolution:

 

  1. A virtual machine made a request to Sql321.database.windows.net
  2. This DNS request resolved to a CNAME record and was redirected (CNAME) to the regional DNS zone westeurope1-a.control.database.windows.net, as this database was deployed into West Europe
  3. Another lookup of westeurope1-a.control.database.windows.net then took place, which resolved to a DNS A record comprising the public IP address of the SQL database

This would be fine if the SQL database were meant to be open to the public internet, but it is not good as far as security goes.

 

To fix this, use Private Link.

 

After you turn on Private Link for the Azure SQL database, rather than having the initial CNAME redirect to a regional lookup, a different CNAME redirect is inserted, which is Sql321.privatelink.database.windows.net. This applies to both external DNS resolution and internal Azure DNS resolution. The first two DNS resolution steps are as follows:

 

  1. A virtual machine made a request to Sql321.database.windows.net
  2. This DNS request resolved to a CNAME record and was redirected (CNAME) to another DNS zone, Sql321.privatelink.database.windows.net

From here, DNS forwarding and resolution works exactly as before. The one difference is that you can now make use of split DNS by leveraging an Azure internal (private) DNS zone: rather than Sql321.privatelink.database.windows.net resolving to a public CNAME record, you can have Sql321.privatelink.database.windows.net resolve to a private IP address (the Private Link endpoint).

 

This diagram below walks you through the process:

 

https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns

 

While this exact Private Link DNS redirection holds for most Azure PaaS services, it's slightly different for Azure Monitor/Log Analytics, due to the other underlying URLs that the MMA (Microsoft Management Agent) uses and the generic nature of the other primary Azure Monitor URLs. Azure Monitor is unique in that some of its URLs are global DNS entries, the same for all customers and not customer specific (e.g. monitor.azure.com), hence the need for AMPLS (Azure Monitor Private Link Scope), which makes them customer specific. By comparison, the URL Sql321.privatelink.database.windows.net above is customer specific.

 

In the Azure Portal, when you set up the Azure Monitor Private Link Scope resource (Microsoft.Insights/PrivateLinkScopes), you choose the relevant workspace on one side and tell it to set up a Private Endpoint on the other side.

 


When creating the Private Endpoint, this process also creates the necessary Azure DNS private zones and links them to a vNet that you choose.

 


The AMPLS glues both sides (workspace & private endpoint) together from a backend networking perspective.

 

Some URLs for Azure Monitor are customer specific: as you only enter the workspace ID & key into the MMA, the MMA adds the workspace ID as the prefix to the URL it connects to:

  • {workspace_ID}.oms.opinsights.azure.com
    • e.g. b5cd151b-34c5-4aa0-9447-3aa3d7b2c4ed.oms.opinsights.azure.com
  • {workspace_ID}.ods.opinsights.azure.com
    • e.g. b5cd151b-34c5-4aa0-9447-3aa3d7b2c4ed.ods.opinsights.azure.com
  • {workspace_ID}.agentsvc.azure-automation.net
    • e.g. b5cd151b-34c5-4aa0-9447-3aa3d7b2c4ed.agentsvc.azure-automation.net

The DNS conditional forwarding aspect of AMPLS uses 4 primary URLs, and the DNS private zones, which ultimately map to the private endpoint, should be set up as follows:

 

  • privatelink.oms.opinsights.azure.com
  • privatelink.ods.opinsights.azure.com
  • privatelink.agentsvc.azure-automation.net
  • privatelink.monitor.azure.com

As for the other URLs for Azure Monitor (Log Analytics) & Application Insights that the MMA uses, their behaviour once AMPLS is set up is as follows:

  • oioms(mds).blob.core.windows.net
    • Not needed if Azure Monitor is set up for Private Link. Without Private Link, MMAs use this URL to download their configuration; with Private Link enabled for Azure Monitor (AMPLS), the MMA configuration is sent directly to the MMA, bypassing the storage account.
    • Although this URL is only used without Azure Monitor Private Link, it is regional, e.g. seauoiomsmds.blob.core.windows.net for Australia Southeast workspaces or ccanoioms.blob.core.windows.net for Canada Central workspaces
  • scadvisorcontent.blob.core.windows.net
    • This allows the MMA to download solution packs; it is the storage account from which MPs (management packs) are downloaded
    • It is also used for updates, bug fixes or feature updates to existing solution/management packs.
    • At the time of writing, this is a temporary limitation with Private Link and, as a result, customers will need to allow this URL outbound to the internet from each MMA, as per this link.
  • advisor33083311296362384.blob.core.windows.net (example URL)
    • If Azure Monitor Private Link is not used, we create a storage account on behalf of customers for each workspace. This URL will be different for each customer.
    • This URL is used if you set up and use custom logs & IIS logs. However, with Azure Monitor Private Link, it is not used.
    • To ingest custom logs with Azure Monitor Private Link, you must use your own storage accounts and associate them with your Log Analytics workspace(s), as per this link.

If you're using the Update Management solution for Azure Monitor/Log Analytics, one component of this is Azure Automation; here's the article on Private Link for Azure Automation

 

More details for AMPLS here https://docs.microsoft.com/en-gb/azure/azure-monitor/platform/private-link-security and a diagram below which walks you through it.


 

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/private-link-security

 

A good test, once you turn on Private Link for an Azure PaaS service: from outside, using a tool like https://tools.dnsstuff.com/, do a DNS lookup on one of the PaaS service URLs turned on for Private Link, e.g. Sql321.database.windows.net. You'll notice that it resolves to the CNAME Sql321.privatelink.database.windows.net, which then ultimately resolves to a public IP address, as from outside there's no association with the Azure DNS private zones.
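As an added example (not from the original post), here is a small split-horizon resolver in Python that simulates the CNAME chain described above and the outside-versus-inside test; the zone data and addresses are constructed, not real Azure records. An inside lookup that ends on a public address is the signature of a privatelink zone that is not linked to the vNet.

```python
import ipaddress

# Constructed sample zone data (not real Azure records); names are lower-cased
# because DNS matching is case-insensitive.
PUBLIC_ZONES = {
    # Global zone: with Private Link enabled the CNAME points at the privatelink name
    "sql321.database.windows.net": ("CNAME", "sql321.privatelink.database.windows.net"),
    # Public view of the privatelink name: still redirects to the regional zone
    "sql321.privatelink.database.windows.net": ("CNAME", "westeurope1-a.control.database.windows.net"),
    # Regional zone: public A record (constructed address)
    "westeurope1-a.control.database.windows.net": ("A", "203.0.113.10"),
}

# Azure DNS private zone linked to the vNet: the private endpoint address (constructed)
PRIVATE_ZONES = {
    "sql321.privatelink.database.windows.net": ("A", "10.0.1.4"),
}

# Explicit RFC 1918 check: ipaddress's is_private also flags documentation ranges
# such as 203.0.113.0/24, which this simulation wants to treat as "public".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def resolve(name, view, max_hops=8):
    """Follow the CNAME chain for name. view="inside" consults the private zones first
    (split DNS); view="outside" sees only public records. Returns (chain, ip) where ip
    is None if the chain does not end in an A record (NXDOMAIN or CNAME loop)."""
    chain = []
    name = name.lower().rstrip(".")
    for _ in range(max_hops):
        chain.append(name)
        record = PRIVATE_ZONES.get(name) if view == "inside" else None
        if record is None:
            record = PUBLIC_ZONES.get(name)
        if record is None:
            return chain, None
        rtype, value = record
        if rtype == "A":
            return chain, value
        name = value.lower().rstrip(".")
    return chain, None

def check_private_link(name, view):
    """Return (chain, ip, ok). ok is True when the path goes through a privatelink
    name and ends on a private address from inside, or a public one from outside."""
    chain, ip = resolve(name, view)
    if ip is None:
        return chain, None, False
    via_privatelink = any(".privatelink." in n for n in chain)
    expect_private = view == "inside"
    return chain, ip, via_privatelink and is_rfc1918(ip) == expect_private
```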

 

As for the minimum MMA (Microsoft Management Agent) version to use for Private Link, it's agent version 10.20.18038.

 

For more information, here are some videos all about Azure Private Link:

https://www.youtube.com/watch?v=Z0Xuvwi0838

https://www.youtube.com/watch?v=aVFV1_ZwAEY

https://www.youtube.com/watch?v=--ri7oy0Cgw 

 

And of course, our very own docs site on the topic - https://docs.microsoft.com/en-us/azure/private-link/

 

2 Comments

Hi Mark, 

 

I think the on-site conditional forwarding DNS server should be using the public DNS zone.  A request for a private link URL should fail when it hits the public resource header.

 

Reference Link: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using... 

Microsoft

The documentation refers to using a DNS Forwarder in Azure, not a Custom DNS server. From here - https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios#41-which-conditional-fo... "On most of On-premises DNS servers fall on that category of they will have a forwarder setup to point to another DNS server in customer's DMZ or point to ISP DNS Servers. That is the most common scenario we see running on customers as shown below where the question raised is: Which zone should I configure Conditional Forwarders from my OnPrem DNS Server? The short answer it depends how your OnPrem DNS is configured. You may have an option to configure conditional forwarders to the PaaS domain zone or subdomain zone private link returned by the CNAME. In our context here for storage accounts that would be either blob.core.windows.net or privatelink.blob.core.windows.net"

 

In short, whether you have a whole bunch of recursive queries and a chain of DNS forwarding with the on-prem DNS server vs the on-prem DNS server doing a direct DNS resolution.