Merge pull request #111662 from ccompy/vnet-update

PRMerger19 · web-flow · commit 1f67f48965cf · 2020-04-16T22:53:46.000-07:00
az dns private zone changes
diff --git a/articles/app-service/web-sites-integrate-with-vnet.md b/articles/app-service/web-sites-integrate-with-vnet.md
@@ -4,7 +4,7 @@ description: Integrate app in Azure App Service with Azure virtual networks.
 author: ccompy
 ms.assetid: 90bc6ec6-133d-4d87-a867-fcf77da75f5a
 ms.topic: article
-ms.date: 04/15/2020
+ms.date: 04/16/2020
 ms.author: ccompy
 ms.custom: seodec18
 
@@ -37,8 +37,6 @@ Azure App Service has two variations:
 
 During the integration, your app is restarted. When integration is finished, you'll see details on the VNet you're integrated with.
 
-After your app is integrated with your VNet, it uses the same DNS server that your VNet is configured with, unless it's Azure DNS Private Zones. Currently, you can't use VNet Integration with Azure DNS Private Zones.
-
 ## Regional VNet Integration
 
 [!INCLUDE [app-service-web-vnet-types](../../includes/app-service-web-vnet-regional.md)]
@@ -195,3 +193,4 @@ For gateway-required VNet Integration, you can integrate App Service with an Azu
 [setp2saddresses]: https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal#addresspool
 [VNETRouteTables]: https://docs.microsoft.com/azure/virtual-network/manage-route-table/
 [installCLI]: https://docs.microsoft.com/cli/azure/install-azure-cli?view=azure-cli-latest/
+[privateendpoints]: networking/private-endpoint.md
diff --git a/includes/app-service-web-vnet-regional.md b/includes/app-service-web-vnet-regional.md
@@ -13,7 +13,7 @@ Using regional VNet Integration enables your app to access:
 * Resources across Azure ExpressRoute connections.
 * Resources in the VNet you're integrated with.
 * Resources across peered connections, which includes Azure ExpressRoute connections.
-* Private endpoints - Note: DNS must be managed separately rather than using Azure DNS private zones.
+* Private endpoints 
 
 When you use VNet Integration with VNets in the same region, you can use the following Azure networking features:
 
@@ -44,7 +44,7 @@ There are some limitations with using VNet Integration with VNets in the same re
 * You can only integrate with VNets in the same subscription as the app.
 * You can have only one regional VNet Integration per App Service plan. Multiple apps in the same App Service plan can use the same VNet.
 * You can't change the subscription of an app or a plan while there's an app that's using regional VNet Integration.
-* Your app cannot resolve addresses in Azure DNS Private Zones.
+* Your app cannot resolve addresses in Azure DNS Private Zones without configuration changes
 
 One address is used for each plan instance. If you scale your app to five instances, then five addresses are used. Since subnet size can't be changed after assignment, you must use a subnet that's large enough to accommodate whatever scale your app might reach. A /26 with 64 addresses is the recommended size. A /26 with 64 addresses accommodates a Premium plan with 30 instances. When you scale a plan up or down, you need twice as many addresses for a short period of time.
 
@@ -77,9 +77,22 @@ If you want to route all outbound traffic on-premises, you can use a route table
 
 Border Gateway Protocol (BGP) routes also affect your app traffic. If you have BGP routes from something like an ExpressRoute gateway, your app outbound traffic will be affected. By default, BGP routes affect only your RFC1918 destination traffic. If WEBSITE_VNET_ROUTE_ALL is set to 1, all outbound traffic can be affected by your BGP routes.
 
+### Azure DNS Private Zones 
+
+After your app integrates with your VNet, it uses the same DNS server that your VNet is configured with. By default, your app won't work with Azure DNS Private Zones. To work with Azure DNS Private Zones you need to add the following app settings:
+
+1. WEBSITE_DNS_SERVER with value 168.63.129.16 
+1. WEBSITE_VNET_ROUTE_ALL with value 1
+
+These settings will send all of your outbound calls from your app into your VNet in addition to enabling your app to use Azure DNS private zones.
+
+### Private endpoints
+
+If you want to make calls to [Private Endpoints][privateendpoints], then you need to either integrate with Azure DNS Private Zones or manage the private endpoint in the DNS server used by your app. 
 
 <!--Image references-->
 [4]: ../includes/media/web-sites-integrate-with-vnet/vnetint-appsetting.png
 
 <!--Links-->
 [VNETnsg]: https://docs.microsoft.com/azure/virtual-network/security-overview/
+[privateendpoints]: https://docs.microsoft.com/azure/app-service/networking/private-endpoint
