Azure Files provides two main types of endpoints for accessing Azure file shares:
26
+
Azure Files provides the following types of endpoints for accessing Azure file shares:
27
+
28
28
- Public endpoints, which have a public IP address and can be accessed from anywhere in the world.
29
29
- Private endpoints, which exist within a virtual network and have a private IP address from within the address space of that virtual network.
30
+
- Service endpoints, which restrict access to the public endpoint to specific virtual networks. You still access the storage account via the public IP address, but access is only possible from the locations you specify in your configuration.
30
31
31
32
Public and private endpoints exist on the Azure storage account. A storage account is a management construct that represents a shared pool of storage in which you can deploy multiple file shares, as well as other storage resources, such as blob containers or queues.
32
33
33
34
Every storage account has a fully qualified domain name (FQDN). For the public cloud regions, this FQDN follows the pattern `storageaccount.file.core.windows.net` where `storageaccount` is the name of the storage account. When you make requests against this name, such as mounting the share on your workstation, your operating system performs a DNS lookup to resolve the fully qualified domain name to an IP address.
34
35
35
36
By default, `storageaccount.file.core.windows.net` resolves to the public endpoint's IP address. The public endpoint for a storage account is hosted on an Azure storage cluster which hosts many other storage accounts' public endpoints. When you create a private endpoint, a private DNS zone is linked to the virtual network it was added to, with a CNAME record mapping `storageaccount.file.core.windows.net` to an A record entry for the private IP address of your storage account's private endpoint. This enables you to use `storageaccount.file.core.windows.net` FQDN within the virtual network and have it resolve to the private endpoint's IP address.
36
37
37
-
Since our ultimate objective is to access the Azure file shares hosted within the storage account from on-premises using a network tunnel such as a VPN or ExpressRoute connection, you must configure your on-premises DNS servers to forward requests made to the Azure Files service to the Azure private DNS service. To accomplish this, you need to set up *conditional forwarding* of `*.core.windows.net` (or the appropriate storage endpoint suffix for the US Government, Germany, or China national clouds) to a DNS server hosted within your Azure virtual network. This DNS server will then recursively forward the request on to Azure's private DNS service that will resolve the fully qualified domain name of the storage account to the appropriate private IP address.
38
+
Because our ultimate objective is to access the Azure file shares hosted within the storage account from on-premises using a network tunnel such as a VPN or ExpressRoute connection, you must configure your on-premises DNS servers to forward requests made to the Azure Files service to the Azure private DNS service.
39
+
40
+
You can configure DNS forwarding one of two ways:
41
+
42
+
-**Use DNS server VMs:** Set up *conditional forwarding* of `*.core.windows.net` (or the appropriate storage endpoint suffix for the US Government, Germany, or China national clouds) to a DNS server virtual machine hosted within your Azure virtual network. This DNS server will then recursively forward the request on to Azure's private DNS service, which will resolve the FQDN of the storage account to the appropriate private IP address. This is a one-time step for all the Azure file shares hosted within your virtual network.
38
43
39
-
Configuring DNS forwarding for Azure Files will require running a virtual machine to host a DNS server to forward the requests, however this is a one time step for all the Azure file shares hosted within your virtual network. Additionally, this is not an exclusive requirement to Azure Files - any Azure service that supports private endpoints that you want to access from on-premises can make use of the DNS forwarding you will configure in this guide, including Azure Blob storage, Azure SQL, and Azure Cosmos DB.
44
+
-**Use Azure DNS Private Resolver:** If you don't want to deploy a VM-based DNS server, you can accomplish the same task using Azure DNS Private Resolver.
40
45
41
-
This guide shows the steps for configuring DNS forwarding for the Azure storage endpoint, so in addition to Azure Files, DNS name resolution requests for all of the other Azure storage services (Azure Blob storage, Azure Table storage, Azure Queue storage, etc.) will be forwarded to Azure's private DNS service. Additional endpoints for other Azure services can also be added if desired. DNS forwarding back to your on-premises DNS servers will also be configured, enabling cloud resources within your virtual network (such as a DFS-N server) to resolve on-premises machine names.
46
+
In addition to Azure Files, DNS name resolution requests for other Azure storage services (Azure Blob storage, Azure Table storage, Azure Queue storage, etc.) will be forwarded to Azure's private DNS service. You can add additional endpoints for other Azure services if desired.
42
47
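Review bot: the two option bullets `-**Use DNS server VMs:**` and `-**Use Azure DNS Private Resolver:**` have no space after the `-`, so Markdown renders them as paragraphs beginning with a dash rather than as list items; write `- **Use DNS server VMs:**` and `- **Use Azure DNS Private Resolver:**`. In the first of those bullets, `*.core.windows.net` reads as a wildcard record, but what the later steps create is a conditional forwarder for the zone name (the Warning further down calls it the *core.windows.net* zone), so drop the `*.`. The rewritten closing paragraph also drops the old sentence about forwarding from the Azure DNS servers back to on-premises DNS so that resources in the virtual network (such as a DFS-N server) can resolve on-premises machine names; if the guide still configures that reverse path, keep a sentence that says so, because readers planning a DFS-N deployment will look for it here.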
43
48
## Prerequisites
44
-
Before you can setup DNS forwarding to Azure Files, you need to have completed the following steps:
49
+
Before you can set up DNS forwarding to Azure Files, you'll need the following:
45
50
46
-
- A storage account containing an Azure file share you would like to mount. To learn how to create a storage account and an Azure file share, see [Create an Azure file share](storage-how-to-create-file-share.md).
47
-
- A private endpoint for the storage account. To learn how to create a private endpoint for Azure Files, see[Create a private endpoint](storage-files-networking-endpoints.md#create-a-private-endpoint).
51
+
- A storage account containing an Azure file share you'd like to mount. To learn how to create a storage account and an Azure file share, see [Create an Azure file share](storage-how-to-create-file-share.md).
52
+
- A private endpoint for the storage account. See[Create a private endpoint](storage-files-networking-endpoints.md#create-a-private-endpoint).
48
53
- The [latest version](/powershell/azure/install-azure-powershell) of the Azure PowerShell module.
49
54
50
-
> [!Important]
51
-
> This guide assumes you're using the DNS server within Windows Server in your on-premises environment. All of the steps described in this guide are possible with any DNS server, not just the Windows DNS Server.
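Review bot: `See[Create a private endpoint]` in the rewritten private-endpoint prerequisite is missing the space before the link, a typo carried over from the old `see[Create a private endpoint]` line; write `See [Create a private endpoint](storage-files-networking-endpoints.md#create-a-private-endpoint)`. It would also help to state here that the private endpoint must be in the virtual network whose DNS servers (or resolver) the on-premises servers will forward to, and that the private IP it gets has to be reachable over the VPN or ExpressRoute connection the guide assumes; otherwise name resolution succeeds but the mount still fails.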
55
+
## Configure DNS forwarding using VMs
56
+
If you already have DNS servers in place within your Azure virtual network, or if you prefer to deploy your own DNS server VMs by whatever methodology your organization uses, you can configure DNS with the built-in DNS server PowerShell cmdlets.
52
57
53
-
## Configuring DNS forwarding
54
-
If you already have DNS servers in place within your Azure virtual network, or if you simply prefer to deploy your own virtual machines to be DNS servers by whatever methodology your organization uses, you can configure DNS with the built-in DNS server PowerShell cmdlets.
58
+
:::image type="content" source="media/storage-files-networking-dns/dns-forwarding-azure-virtual-machines.png" alt-text="Diagram showing the network topology for configuring D N S forwarding using virtual machines in Azure." lightbox="media/storage-files-networking-dns/dns-forwarding-azure-virtual-machines.png" border="false":::
55
59
56
-
On your on-premises DNS servers, create a conditional forwarder using `Add-DnsServerConditionalForwarderZone`. This conditional forwarder must be deployed on all of your on-premises DNS servers to be effective at properly forwarding traffic to Azure. Remember to replace `<azure-dns-server-ip>` with the appropriate IP addresses for your environment.
60
+
> [!Important]
61
+
> This guide assumes you're using the DNS server within Windows Server in your on-premises environment. All of the steps described here are possible with any DNS server, not just the Windows DNS Server.
62
+
63
+
On your on-premises DNS servers, create a conditional forwarder using `Add-DnsServerConditionalForwarderZone`. This conditional forwarder must be deployed on all of your on-premises DNS servers to be effective at properly forwarding traffic to Azure. Remember to replace the `<azure-dns-server-ip>` entries with the appropriate IP addresses for your environment.
On the DNS servers within your Azure virtual network, you also will need to put a forwarder in place such that requests for the storage account DNS zone are directed to the Azure private DNS service, which is fronted by the reserved IP address `168.63.129.16`. (Remember to populate `$storageAccountEndpoint` if you're running the commands within a different PowerShell session.)
77
+
On the DNS servers within your Azure virtual network, you'll also need to put a forwarder in place so that requests for the storage account DNS zone are directed to the Azure private DNS service, which is fronted by the reserved IP address `168.63.129.16`. (Remember to populate `$storageAccountEndpoint` if you're running the commands within a different PowerShell session.)
71
78
72
79
```powershell
73
80
Add-DnsServerConditionalForwarderZone `
74
81
-Name $storageAccountEndpoint `
75
82
-MasterServers "168.63.129.16"
76
83
```
77
84
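Review bot: the sentence added before the `Add-DnsServerConditionalForwarderZone` block tells the reader to populate `$storageAccountEndpoint` in a new session but never says what it should contain; state the value explicitly (the storage endpoint suffix the forwarder zone is named for), otherwise a reader running only this block creates a zone with an empty or wrong `-Name`. Two related points: the Azure-side forwarder, like the on-premises one, must be created on every DNS server VM in the virtual network, so repeat the "deployed on all of your DNS servers" wording used for the on-premises step; and it is worth saying that `168.63.129.16` is reachable only from inside the virtual network, which is why the on-premises conditional forwarders point at the DNS server VM addresses (`<azure-dns-server-ip>`) and never at `168.63.129.16` directly.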
85
+
## Configure DNS forwarding using Azure DNS Private Resolver
86
+
If you prefer not to deploy DNS server VMs, you can accomplish the same task using Azure DNS Private Resolver. See [Create an Azure DNS Private Resolver using the Azure portal](../../dns/dns-private-resolver-get-started-portal.md).
87
+
88
+
:::image type="content" source="media/storage-files-networking-dns/dns-forwarding-azure-private-resolver.png" alt-text="Diagram showing the network topology for configuring D N S forwarding using Azure D N S Private Resolver." lightbox="media/storage-files-networking-dns/dns-forwarding-azure-private-resolver.png" border="false":::
89
+
90
+
There's no difference in how you configure your on-premises DNS servers, except that instead of pointing to the IP addresses of the DNS servers in Azure, you point to the resolver's inbound endpoint IP address. The resolver doesn't require any configuration, as it will forward queries to the Azure private DNS server by default. If a private DNS zone is linked to the VNet where the resolver is deployed, the resolver will be able to reply with records from that DNS zone.
91
+
92
+
> [!Warning]
93
+
> When configuring forwarders for the *core.windows.net* zone, all queries for this public domain will be forwarded to your Azure DNS infrastructure. This causes an issue when you try to access a storage account of a different tenant that has been configured with private endpoints, because Azure DNS will answer the query for the storage account public name with a CNAME that doesn’t exist in your private DNS zone. A workaround for this issue is to create a cross-tenant private endpoint in your environment to connect to that storage account.
94
+
95
+
To configure DNS forwarding using Azure DNS Private Resolver, run this script on your on-premises DNS servers. Replace `<resolver-ip>` with the resolver's inbound endpoint IP address.
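Review bot: the Warning about forwarding the whole *core.windows.net* zone applies equally to the VM-based forwarder in the previous section (both paths send every query for that public domain to Azure DNS, including queries for other tenants' storage accounts), so move it up to the "You can configure DNS forwarding one of two ways" paragraph or repeat it under the VM heading rather than leaving it under Private Resolver only. Also, "The resolver doesn't require any configuration" is contradicted two paragraphs later by "Replace `<resolver-ip>` with the resolver's inbound endpoint IP address": an inbound endpoint has to be created in the virtual network before on-premises servers can forward to it. Say "needs no forwarding rules" instead, mention creating the inbound endpoint, and keep the sentence about linking the private DNS zone to the resolver's virtual network, since without that link the resolver has nothing to answer from.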
Before testing to see if the DNS forwarders have successfully been applied, we recommend clearing the DNS cache on your local workstation using `Clear-DnsClientCache`. To test to see if you can successfully resolve the fully qualified domain name of your storage account, use `Resolve-DnsName` or `nslookup`.
110
+
Before testing to see if the DNS forwarders have successfully been applied, we recommend clearing the DNS cache on your local workstation using `Clear-DnsClientCache`. To test if you can successfully resolve the FQDN of your storage account, use `Resolve-DnsName` or `nslookup`.
80
111
81
112
```powershell
82
113
# Replace storageaccount.file.core.windows.net with the appropriate FQDN for your storage account.
83
-
# Note the proper suffix (core.windows.net) depends on the cloud you're deployed in.
114
+
# Note that the proper suffix (core.windows.net) depends on the cloud you're deployed in.
If you're mounting an SMB file share, you can also use the following `Test-NetConnection` command to see that a TCP connection can be successfully made to your storage account.
133
+
If you're mounting an SMB file share, you can also use the `Test-NetConnection` command to confirm that a TCP connection can be successfully made to your storage account.
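Review bot: the testing paragraphs check that the FQDN resolves and that a TCP connection succeeds, but neither says what a correct result looks like; add that `Resolve-DnsName` should return the private endpoint's private IP from the virtual network rather than the public endpoint address the name resolves to by default (as the earlier DNS paragraph explains), and that getting the public address back points at a missing forwarder on one of the on-premises DNS servers or at a stale local cache, which is why `Clear-DnsClientCache` is recommended first. For the `Test-NetConnection` sentence, name the port the command tests (the text only says "a TCP connection") and note that a successful connect to the resolved address proves reachability over the tunnel, not that the share can be mounted.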