Merge pull request #70760 from vhorne/dns-private-faq

update dns faq for private zones

Author: American-Dipper

articles/dns/TOC.yml

@@ -43,6 +43,10 @@
     href: dns-domain-delegation.md
   - name: FAQ
     href: dns-faq.md
+  - name: FAQ - Private DNS
+    href: dns-faq-private.md
+  - name: Using private DNS zones
+    href: private-dns-overview.md
   - name: Private DNS scenarios
     href: private-dns-scenarios.md
   - name: DNS metrics and alerts

articles/dns/dns-faq-private.md

@@ -0,0 +1,88 @@
+---
+title: Azure Private DNS FAQ
+description: Frequently asked questions about Azure Private DNS
+services: dns
+author: vhorne
+ms.service: dns
+ms.topic: article
+ms.date: 6/12/2019
+ms.author: victorh
+---
+# Azure Private DNS FAQ
+
+> [!IMPORTANT]
+> Azure Private DNS is currently in public preview.
+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+## Does Azure DNS support private domains?
+
+Support for private domains is supported using Azure Private DNS Zones feature. Private DNS zones are managed using the same tools as internet-facing Azure DNS zones. They're resolvable only from within your specified virtual networks. For more information, see the [overview](private-dns-overview.md).
+
+For information on other internal DNS options in Azure, see [Name resolution for VMs and role instances](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md).
+
+## Will Azure DNS Private Zones work across Azure regions?
+
+Yes. Private Zones is supported for DNS resolution between virtual networks across Azure regions. Private Zones works even without explicitly peering the virtual networks. All the virtual networks must be specified as Resolution virtual networks for the private zone. Customers might need the virtual networks to be peered for TCP/HTTP traffic to flow from one region to another.
+
+## Is connectivity to the Internet from virtual networks required for private zones?
+
+No. Private zones work along with virtual networks. Customers use them to manage domains for virtual machines or other resources within and across virtual networks. Internet connectivity isn't required for name resolution.
+
+## Can the same private zone be used for several virtual networks for resolution?
+
+Yes. You can associate up to 1000 virtual networks with a single private zone.
+
+## Can a virtual network that belongs to a different subscription be added as a linked virtual network to a private zone?
+
+Yes. You must have write operation permission on the virtual networks and the private DNS zone. The write permission can be granted to several RBAC roles. For example, the Classic Network Contributor RBAC role has write permissions to virtual networks. For more information on RBAC roles, see [Role-based access control](../role-based-access-control/overview.md).
+
+## Will the automatically registered virtual machine DNS records in a private zone be automatically deleted when you delete the virtual machine?
+
+Yes. If you delete a virtual machine within a linked virtual network with autoregistration enabled, the registered records are automatically deleted.
+
+## Can an automatically registered virtual machine record in a private zone from a linked virtual network be deleted manually?
+
+Yes. You can overwrite the automatically registered DNS records with a manually created DNS record in the zone. The following question and answer address this topic.
+
+## What happens when I try to manually create a new DNS record into a private zone that has the same hostname as an automatically registered existing virtual machine in a linked virtual network?
+
+You try to manually create a new DNS record into a private zone that has the same hostname as an existing, automatically registered virtual machine in a linked virtual network. When you do, the new DNS record overwrites the automatically registered virtual machine record. If you try to delete this manually created DNS record from the zone again, the delete succeeds. The automatic registration happens again as long as the virtual machine still exists and has a private IP attached to it. The DNS record is re-created automatically in the zone.
+
+## What happens when we unlink a linked virtual network from a private zone? Will the automatically registered virtual machine records from the virtual network be removed from the zone too?
+
+Yes. To unlink a linked virtual network from a private zone, you update the DNS zone to remove the associated virtual network link. In this process, virtual machine records that were automatically registered are removed from the zone.
+
+## What happens when we delete a linked virtual network that's linked to a private zone? Do we have to manually update the private zone to unlink the virtual network as a linked virtual network from the zone?
+
+Yes. When you delete a linked virtual network without unlinking it from a private zone first, your deletion operation succeeds. But the virtual network isn't automatically unlinked from your private zone, if any. You must manually unlink the virtual network from the private zone. For this reason,  unlink your virtual network from your private zone before you delete it.
+
+## Will DNS resolution by using the default FQDN (internal.cloudapp.net) still work even when a private zone (for example, private.contoso.com) is linked to a virtual network?
+
+Yes. Private Zones doesn't replace the default DNS resolutions by using the Azure-provided internal.cloudapp.net zone. It's offered as an additional feature or enhancement. Whether you rely on the Azure-provided internal.cloudapp.net or on your own private zone, use the FQDN of the zone you want to resolve against.
+
+## Will the DNS suffix on virtual machines within a linked virtual network be changed to that of the private zone?
+
+No. The DNS suffix on the virtual machines in your linked virtual network stays as the default Azure-provided suffix ("*.internal.cloudapp.net"). You can manually change this DNS suffix on your virtual machines to that of the private zone.
+
+## What are the usage limits for Azure Private DNS?
+
+The following default limits apply when you use Azure Private DNS.
+
+| Resource | Default limit |
+| --- | --- |
+|Private DNS zones per subscription|1000|
+|Record sets per Private DNS zone|25,000|
+|Records per record set|20|
+|Virtual Network Links per private DNS zone|1000|
+|Virtual Networks Links per private DNS zones with auto-registration enabled|100|
+|Number of private DNS zones a virtual network can get linked to with auto-registration enabled|1|
+|Number of private DNS zones a virtual network can get linked|1000|
+
+## Is there portal support for private zones?
+
+Yes, and private zones that are already created via APIs, PowerShell, the CLI, and SDKs are visible on the Azure portal.
+
+## Next steps
+
+- [Learn more about Azure Private DNS](private-dns-overview.md)

articles/dns/dns-faq.md

@@ -5,7 +5,7 @@ services: dns
 author: vhorne
 ms.service: dns
 ms.topic: article
-ms.date: 3/21/2019
+ms.date: 6/15/2019
 ms.author: victorh
 ---
 
@@ -190,87 +190,6 @@ Internationalized domain names (IDNs) encode each DNS name by using [punycode](h
 
 To configure IDNs in Azure DNS, convert the zone name or record set name to punycode. Azure DNS doesn't currently support built-in conversion to or from punycode.
 
-## Private DNS
-
-[!INCLUDE [private-dns-public-preview-notice](../../includes/private-dns-public-preview-notice.md)]
-
-### Does Azure DNS support private domains?
-
-Support for private domains is implemented by using the Private Zones feature. This feature is currently available in public preview. Private zones are managed by using the same tools as internet-facing Azure DNS zones. They're resolvable only from within your specified virtual networks. For more information, see the [overview](private-dns-overview.md).
-
-Currently, private zones aren't supported on the Azure portal.
-
-For information on other internal DNS options in Azure, see [Name resolution for VMs and role instances](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md).
-
-### What's the difference between Registration virtual network and Resolution virtual network in the context of private zones?
-
-You can link virtual networks to a DNS private zone as a Registration virtual network or as a Resolution virtual network. In either case, virtual machines in the virtual network successfully resolve against records in the private zone. With a Registration virtual network, DNS records are automatically registered into the zone for the virtual machines in the virtual network. When a virtual machine in a Registration virtual network is deleted, the corresponding DNS record from the linked private zone is automatically removed. 
-
-### Will Azure DNS Private Zones work across Azure regions?
-
-Yes. Private Zones is supported for DNS resolution between virtual networks across Azure regions. Private Zones works even without explicitly peering the virtual networks. All the virtual networks must be specified as Resolution virtual networks for the private zone. Customers might need the virtual networks to be peered for TCP/HTTP traffic to flow from one region to another.
-
-### Is connectivity to the Internet from virtual networks required for private zones?
-
-No. Private zones work along with virtual networks. Customers use them to manage domains for virtual machines or other resources within and across virtual networks. Internet connectivity isn't required for name resolution. 
-
-### Can the same private zone be used for several virtual networks for resolution?
-
-Yes. Customers can associate up to 10 Resolution virtual networks with a single private zone.
-
-### Can a virtual network that belongs to a different subscription be added as a Resolution virtual network to a private zone?
-
-Yes. You must have write operation permission on the virtual networks and the private DNS zone. The write permission can be granted to several RBAC roles. For example, the Classic Network Contributor RBAC role has write permissions to virtual networks. For more information on RBAC roles, see [Role-based access control](../role-based-access-control/overview.md).
-
-### Will the automatically registered virtual machine DNS records in a private zone be automatically deleted when the virtual machines are deleted by the customer?
-
-Yes. If you delete a virtual machine within a Registration virtual network, the DNS records that were registered into the zone are automatically deleted. 
-
-### Can an automatically registered virtual machine record in a private zone from a Registration virtual network be deleted manually?
-
-No. The virtual machine DNS records that are automatically registered in a private zone from a Registration virtual network aren't visible or editable by customers. You can overwrite the automatically registered DNS records with a manually created DNS record in the zone. The following question and answer address this topic.
-
-### What happens when we try to manually create a new DNS record into a private zone that has the same hostname as an automatically registered existing virtual machine in a Registration virtual network?
-
-You try to manually create a new DNS record into a private zone that has the same hostname as an existing, automatically registered virtual machine in a Registration virtual network. When you do, the new DNS record overwrites the automatically registered virtual machine record. If you try to delete this manually created DNS record from the zone again, the delete succeeds. The automatic registration happens again as long as the virtual machine still exists and has a private IP attached to it. The DNS record is re-created automatically in the zone.
-
-### What happens when we unlink a Registration virtual network from a private zone? Will the automatically registered virtual machine records from the virtual network be removed from the zone too?
-
-Yes. To unlink a Registration virtual network from a private zone, you update the DNS zone to remove the associated Registration virtual network. In this process, virtual machine records that were automatically registered are removed from the zone. 
-
-### What happens when we delete a Registration or Resolution virtual network that's linked to a private zone? Do we have to manually update the private zone to unlink the virtual network as a Registration or Resolution  virtual network from the zone?
-
-Yes. When you delete a Registration or Resolution virtual network without unlinking it from a private zone first, your deletion operation succeeds. But the virtual network isn't automatically unlinked from your private zone, if any. You must manually unlink the virtual network from the private zone. For this reason,  unlink your virtual network from your private zone before you delete it.
-
-### Will DNS resolution by using the default FQDN (internal.cloudapp.net) still work even when a private zone (for example, private.contoso.com) is linked to a virtual network?
-
-Yes. Private Zones doesn't replace the default DNS resolutions by using the Azure-provided internal.cloudapp.net zone. It's offered as an additional feature or enhancement. Whether you rely on the Azure-provided internal.cloudapp.net or on your own private zone, use the FQDN of the zone you want to resolve against. 
-
-### Will the DNS suffix on virtual machines within a linked virtual network be changed to that of the private zone?
-
-No. The DNS suffix on the virtual machines in your linked virtual network stays as the default Azure-provided suffix ("*.internal.cloudapp.net"). You can manually change this DNS suffix on your virtual machines to that of the private zone. 
-
-### Are there any limitations for private zones during this preview?
-
-Yes. During the public preview, the following limitations exist.
-* One Registration virtual network per private zone.
-* Up to 10 Resolution virtual networks per private zone.
-* A given virtual network links to only one private zone as a Registration virtual network.
-* A given virtual network links to up to 10 private zones as a Resolution virtual network.
-* If a Registration virtual network is specified, the DNS records for the VMs from that virtual network that are registered to the private zone can't be viewed or retrieved from PowerShell, the CLI, or APIs. The VM records are registered and resolve successfully.
-* Reverse DNS works only for private IP space in the Registration virtual network.
-* Reverse DNS for a private IP that's not registered in the private zone returns "internal.cloudapp.net" as the DNS suffix. This suffix can't be resolved. An example is a private IP for a virtual machine in a virtual network that's linked as a Resolution virtual network to a private zone.
-* A virtual network must be empty when it links for the first time to a private zone as a Registration or Resolution virtual network. The virtual network then can be non-empty for future linking as a Registration or Resolution virtual network to other private zones.
-* Conditional forwarding isn't supported, for example, to enable resolution between Azure and on-premises networks. Learn how customers can realize this scenario via other mechanisms. See [Name resolution for VMs and role instances](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md)
-
-### Are there any quotas or limits on zones or records for private zones?
-
-There are no limits on the number of zones allowed per subscription for private zones. There are no limits on the number of record sets per zone for private zones. Both public and private zones count toward the overall DNS limits. For more information, see the [Azure subscription and service limits](../azure-subscription-service-limits.md#azure-dns-limits)
-
-### Is there portal support for private zones?
-
-Private zones that are already created via APIs, PowerShell, the CLI, and SDKs are visible on the Azure portal. But customers can't create new private zones or manage associations with virtual networks. For virtual networks associated as Registration virtual networks, automatically registered VM records aren't visible from the portal. 
-
 ## Next steps
 
 - [Learn more about Azure DNS](dns-overview.md).

articles/dns/private-dns-overview.md

@@ -58,21 +58,34 @@ Azure DNS provides the following capabilities:
 
 ## Other considerations
 
+Azure DNS has the following limitations:
+
+* Only one registration virtual network is allowed per private zone.
+* Up to 10 resolution virtual networks are allowed per private zone. This limit will be removed when this feature is generally available.
+* A specific virtual network can be linked to only one private zone as a registration virtual network.
+* A specific virtual network can be linked to up to 10 private zones as a resolution virtual network. This limit will be removed when this feature is generally available.
+* If you specify a registration virtual network, the DNS records for the VMs from that virtual network that are registered to the private zone are not viewable or retrievable from the Azure Powershell and Azure CLI APIs. The VM records are indeed registered and will resolve successfully.
+* Reverse DNS works only for private IP space in the registration virtual network.
+* Reverse DNS for a private IP that isn't registered in the private zone (for example, a private IP for a virtual machine in a virtual network that is linked as a resolution virtual network to a private zone) returns *internal.cloudapp.net* as the DNS suffix. However, this suffix isn't resolvable.
+* The virtual network must be completely empty the first time you link it to a private zone as a registration or resolution virtual network. However, the virtual network can then be non-empty for future linking as a registration or resolution virtual network, to other private zones.
+* Currently, conditional forwarding is not supported (for example, for enabling resolution between Azure and OnPrem networks). For information about how customers can realize this scenario via other mechanisms, see [Name resolution for VMs and role instances](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md).
 * Reverse DNS works only for private IP space in the linked virtual network
 * Reverse DNS for a private IP for a linked virtual network returns "internal.cloudapp.net" as the default suffix for the virtual machine. For virtual networks that are linked to a private zone with autoregistration enabled, reverse DNS for a private IP returns 2 FQDNs, one with default the suffix *internal.cloudapp.net* and another with the private zone suffix.
 * Conditional forwarding isn't supported. For example, to enable resolution between Azure and on-premises networks. Learn how you can enable this scenario using other mechanisms. See [Name resolution for VMs and role instances](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md)
-For common questions and answers about private zones in Azure DNS, including specific DNS registration and resolution behavior you can expect for certain kinds of operations, see the  [FAQ](./dns-faq.md#private-dns).  
+ 
+
 
 ## Pricing
 
 For pricing information, see [Azure DNS Pricing](https://azure.microsoft.com/pricing/details/dns/).
+
 ## Next steps
 
 * Learn how to create a private zone in Azure DNS by using [Azure PowerShell](./private-dns-getstarted-powershell.md) or [Azure CLI](./private-dns-getstarted-cli.md).
 
 * Read about some common [private zone scenarios](./private-dns-scenarios.md) that can be realized with private zones in Azure DNS.
 
-* For common questions and answers about private zones in Azure DNS, including specific behavior you can expect for certain kinds of operations, see [FAQ](./dns-faq.md#private-dns). 
+* For common questions and answers about private zones in Azure DNS, including specific behavior you can expect for certain kinds of operations, see [Private DNS FAQ](./dns-faq-private.md).
 
 * Learn about DNS zones and records by visiting [DNS zones and records overview](dns-zones-records.md).