You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/dns/dns-security-policy.md
+13-7Lines changed: 13 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -29,21 +29,23 @@ DNS logs can be sent to a storage account, log analytics workspace, or event hub
29
29
30
30
A DNS security policy has the following associated elements and properties:
31
31
-**[Location](#location)**: The Azure region where the security policy is created and deployed.
32
-
-**[DNS traffic rules](#dns-traffic-rules)**: Rules that allow, block, or alert based on priority and domain lists. Rules can be enabled or disabled.
33
-
-**[Virtual network links](#virtual-network-links)**: A link that associates the security policy to a VNet. You can link one security policy per VNet. A single security policy can be associated to multiple VNets.
32
+
-**[DNS traffic rules](#dns-traffic-rules)**: Rules that allow, block, or alert based on priority and domain lists.
33
+
-**[Virtual network links](#virtual-network-links)**: A link that associates the security policy to a VNet.
34
34
-**[DNS domain lists](#dns-domain-lists)**: Location-based lists of DNS domains.
35
35
36
36
DNS Security Policy can be configured using Azure PowerShell or the Azure portal.
37
37
38
-
###Location
38
+
## Location
39
39
40
40
A security policy can only apply to VNets in the same region. You can create any number of security policies in the same region. In the following example, two policies are created in each of two different regions (East US and Central US).
41
41
42
42
43
43
44
44
Keep in mind that >the policy:VNet relationship is 1:N. When you associate a VNet with a security policy (via virtual network links), that VNet can't then be associated with another security policy. A single DNS security policy can be associated with multiple VNets in the same region.
45
45
46
-
### DNS traffic rules
46
+
## DNS traffic rules
47
+
48
+
DNS traffic rules determine the action that is taken for a DNS query. Rules can be enabled or disabled.
47
49
48
50
To display DNS traffic rules in the Azure portal, select a DNS security policy and then under **Settings**, select **DNS Traffic Rules**. See the following example:
49
51
@@ -61,15 +63,15 @@ To display DNS traffic rules in the Azure portal, select a DNS security policy a
61
63
* Alert: Permit the query to the associated domain lists and log an alert.
62
64
- Rules can be individually **Enabled** or **Disabled**.
63
65
64
-
###Virtual network links
66
+
## Virtual network links
65
67
66
68
DNS security policies only apply to VNets that are linked to the security policy. You can link a single security policy to multiple VNets, however a single VNet can only be linked to one DNS security policy. See the following example.
67
69
68
70
[](./media/dns-security-policy/virtual-network-links.png#lightbox)
69
71
70
72
You can only link VNets that are in the same region as the security policy. When you link a VNet to a DNS security policy using a virtual network link, the DNS security policy applies to all resources inside the VNet.
71
73
72
-
###DNS domain lists
74
+
## DNS domain lists
73
75
74
76
DNS domain lists are lists of DNS domains that you associate to traffic rules. Select **DNS Domain Lists** under **Settings** for a DNS security policy to view the current domain lists associated with the policy. See the following example:
75
77
@@ -85,8 +87,12 @@ When viewing a DNS domain list in the Azure portal, you can also select **Settin
85
87
86
88
## Requirements and restrictions
87
89
90
+
Preview access
91
+
- This DNS security policy preview is offered without a requirement to enroll in a pre-release feature preview. However, to access the Azure portal user interface for this policy prior to the next portal update, you must use the [Azure portal preview-enabled link](https://ms.portal.azure.com/?feature.canmodifystamps=true&Microsoft_Azure_DnsSecurityPolicy=stagingµsoft_azure_marketplace_ItemHideKey=Microsoft_Azure_DnsSecurityPolicyHidden#browse/Microsoft.Network%2FdnsResolverDomainLists).
92
+
88
93
Virtual network restrictions:
89
-
- DNS security policies can only be applied to virtual networks in the same region as the DNS security policy.
94
+
- DNS security policies can only be applied to VNets in the same region as the DNS security policy.
95
+
- You can link one security policy per VNet. A single security policy can be associated to multiple VNets.
0 commit comments