articles/private-link/private-endpoint-dns-integration.md (32 additions & 1 deletion)
@@ -34,6 +34,8 @@ Based on your preferences, the following scenarios are available with DNS resolu
34
34
-[Azure Private Resolver with on-premises DNS forwarder](#on-premises-workloads-using-a-dns-forwarder)
35
35
36
36
-[Azure Private Resolver for virtual network and on-premises workloads](#virtual-network-and-on-premises-workloads-using-a-dns-forwarder)
37
+
38
+
-[On-premises workloads using a DNS forwarder without Azure Private Resolver)](#on-premises-workloads-using-a-dns-forwarder-without-azure-private-resolver)
37
39
38
40
## Virtual network workloads without Azure Private Resolver
39
41
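Review bot: the new list entry at +38 has a stray closing parenthesis inside the link text (`...without Azure Private Resolver)]`), which renders literally; it should read `- [On-premises workloads using a DNS forwarder without Azure Private Resolver](#on-premises-workloads-using-a-dns-forwarder-without-azure-private-resolver)`. The anchor slug itself does match the heading introduced in the next hunk. The entry is also appended after the two Azure Private Resolver entries, while the new section is inserted in the body before "Azure Private Resolver for on-premises workloads"; move the list item up (or the section down) so the list follows document order.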
@@ -67,6 +69,31 @@ In this scenario, there's a [hub and spoke](/azure/architecture/reference-archit
67
69
68
70
:::image type="content" source="media/private-endpoint-dns/hub-and-spoke-azure-dns.png" alt-text="Diagram of hub and spoke with Azure-provided DNS." lightbox="media/private-endpoint-dns/hub-and-spoke-azure-dns.png":::
69
71
72
+
## On-premises workloads using a DNS forwarder without Azure Private Resolver
73
+
74
+
This configuration is appropriate for on-premises networks that already have a DNS solution in place and don't use Azure Private Resolver. In this scenario, the on-premises DNS server is configured to forward DNS queries for Azure private endpoint zones to the Azure-provided DNS service.
75
+
76
+
> [!NOTE]
77
+
> This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: [Azure services DNS zone configuration](private-endpoint-dns.md).
78
+
79
+
To configure properly, you need the following resources:
80
+
81
+
- On-premises network with a custom DNS solution in place
82
+
- Virtual network [connected to on-premises](/azure/architecture/reference-architectures/hybrid-networking/)
83
+
- Private DNS zone [privatelink.database.windows.net](../dns/private-dns-privatednszone.md) with [type A record](../dns/dns-zones-records.md#record-types)
84
+
- Private endpoint information (FQDN record name and private IP address)
85
+
86
+
The on-premises DNS server is configured with a conditional forwarder for the private DNS zone that forwards queries to the [Azure-provided DNS IP address](../virtual-network/what-is-ip-address-168-63-129-16.md).
87
+
88
+
> [!IMPORTANT]
89
+
> The conditional forwarding must be made to the recommended public DNS zone forwarder. For example: `database.windows.net` instead of **privatelink**.database.windows.net.
90
+
91
+
This approach allows on-premises workloads to resolve Azure private endpoint FQDNs to their private IP addresses without deploying Azure Private Resolver.
92
+
93
+
The following diagram illustrates the DNS resolution from an on-premises network. DNS resolution is conditionally forwarded to Azure. The resolution is made by a private DNS zone [linked to a virtual network](../dns/private-dns-virtual-network-links.md):
94
+
95
+
<!-- :::image type="content" source="media/private-endpoint-dns/on-premises-forwarding-to-azure.png" alt-text="Diagram of on-premises forwarding to Azure DNS without Azure Private Resolver." lightbox="media/private-endpoint-dns/on-premises-forwarding-to-azure.png"::: -->
96
+
70
97
## Azure Private Resolver for on-premises workloads
71
98
72
99
For on-premises workloads to resolve the FQDN of a private endpoint, use Azure Private Resolver to resolve the Azure service public DNS zone in Azure. Azure Private Resolver is an Azure managed service that can resolve DNS queries without the need for a virtual machine acting as a DNS forwarder.
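Review bot: the scenario at +74 through +91 has the on-premises DNS server forward directly to the Azure-provided DNS address (168.63.129.16, per the link at +86), but Azure DNS only answers queries that originate inside an Azure virtual network, which is exactly why the existing "On-premises workloads using a DNS forwarder" scenario places a forwarder VM in the VNet; as written, with no in-VNet forwarder in the required resources at +81 through +84, the conditionally forwarded queries never reach Azure DNS. Either add a DNS forwarder VM in the connected virtual network to the prerequisites and make it the forwarding target, or explain how the queries are expected to enter the virtual network. Line +86 also says the conditional forwarder is configured "for the private DNS zone", which contradicts the IMPORTANT note at +89 that forwarding must target the public zone (`database.windows.net`, not `privatelink.database.windows.net`); reword +86 to "for the service's public DNS zone". Finally, +93 announces "The following diagram illustrates..." while the image at +95 is commented out, so either add the image asset or drop that sentence until the diagram exists.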
@@ -155,6 +182,7 @@ The resolution is made by a private DNS zone [linked to a virtual n
155
182
156
183
:::image type="content" source="media/private-endpoint-dns/hybrid-scenario.png" alt-text="Diagram of hybrid scenario with private DNS zone." lightbox="media/private-endpoint-dns/hybrid-scenario.png":::
157
184
185
+
158
186
## Private DNS zone group
159
187
160
188
If you choose to integrate your private endpoint with a private DNS zone, a private DNS zone group is also created. The DNS zone group has a strong association between the private DNS zone and the private endpoint. It helps with managing the private DNS zone records when there's an update on the private endpoint. For example, when you add or remove regions, the private DNS zone is automatically updated with the correct number of records.
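Review bot: this hunk only adds an empty line at +185 after the hybrid-scenario image, leaving two blank lines before "## Private DNS zone group"; it is whitespace-only noise unrelated to the new scenario and can be dropped from the change.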
@@ -169,5 +197,8 @@ In a hub-and-spoke topology, a common scenario allows the creation of private DN
169
197
> - Adding multiple DNS zone groups to a single Private Endpoint isn't supported.
170
198
> - Delete and update operations for DNS records can be seen performed by **Azure Traffic Manager and DNS.** This is a normal platform operation necessary for managing your DNS Records.
171
199
172
-
## Next steps
200
+
## Related Content
173
201
-[Learn about private endpoints](private-endpoint-overview.md)
202
+
-[Private endpoint private DNS zone values](private-endpoint-dns.md)
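Review bot: the renamed heading at +200, "## Related Content", uses title case while every other heading in this file is sentence case ("## Private DNS zone group", "## Virtual network workloads without Azure Private Resolver"); use "## Related content". The added link at +202 to private-endpoint-dns.md is the same reference the new NOTE at +77 points to, so the list and the scenario are consistent.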
0 commit comments