You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/application-gateway/application-gateway-dns-resolution.md
+55-3Lines changed: 55 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -12,13 +12,65 @@ ms.author: mbender
12
12
# Understanding DNS resolution in Application Gateway
13
13
An Application Gateway is a dedicated deployment within your Virtual Network. The DNS resolution for instances of your application gateway resource, which handles incoming traffic, is also affected by your virtual network configurations. This article will discuss the Domain Name System (DNS) configurations and their impact on name resolution.
14
14
15
-
# Need for name resolution
15
+
##Need for name resolution
16
16
Application Gateway performs DNS resolution for the Fully Qualified Domain Names (FQDN) of
17
17
18
-
1)**Customer-provided FQDNs**, such as
18
+
1)**Customer-provided FQDNs**, such as
19
19
* Domain name-based backend server
20
20
* Key vault endpoint for listener certificate
21
21
* Custom error page URL
22
22
* Online Certificate Status Protocol (OCSP) verification URL
23
23
24
-
2)**Management FQDNs** that are utilized for various Azure infrastructure endpoints, forming a complete Application Gateway resource. For example, communication with management endpoints enable flow of Logs and Metrics. Thus, it is important for application gateways to internally communicate with other Azure services' endpoints having suffixes like `.windows.net` and `.azure.net`.
24
+
2)**Management FQDNs** that are utilized for various Azure infrastructure endpoints (control plane). These are the building blocks that form a complete Application Gateway resource. For example, communication with monitoring endpoints enable flow of Logs and Metrics. Thus, it is important for application gateways to internally communicate with other Azure services' endpoints having suffixes like `.windows.net`, `.azure.net`, etc.
25
+
26
+
> [!IMPORTANT]
27
+
> The management endpoint domain names that an Application Gateway resource interacts with are listed here. Depending on the type of application gateway deployment (detailed in this article), any name resolution issue for FQDNs with domain names may lead to either partial or complete loss of resource functionality.
28
+
>
29
+
> * .windows.net
30
+
> * .chinacloudapi.cn
31
+
> * .azure.net
32
+
> * .azure.cn
33
+
> * .usgovcloudapi.net
34
+
> * .azure.us
35
+
> * .microsoft.scloud
36
+
> * .msftcloudes.com
37
+
> * .microsoft.com
38
+
39
+
## DNS configuration types
40
+
Customers have different infrastructure needs, requiring various approaches to name resolution. This document outlines general DNS implementation scenarios and offers recommendations for the efficient operation of application gateway resources.
41
+
42
+
### Gateways with Public IP address (networkIsolationEnabled: False)
43
+
For public gateways, all control plane communication with Azure domains occurs through the default Azure DNS server at 168.63.129.16. In this section we will examine the potential DNS zone configuration with public application gateways, and how to prevent conflicts with Azure domain name resolution.
44
+
45
+
#### Using default Azure-provided DNS
46
+
The Azure-provided DNS comes as a default setting with all virtual networks in Azure and has an IP address 168.63.129.16. Along with resolution of any public domain names, the Azure-provided DNS provides internal name resolution for VMs that reside within the same virtual network. In this scenario, all instances of the application gateway connect to 168.63.129.16 for DNS resolution.
47
+
48
+
:::image source="media/application-gateway-dns-resolution/default-dns.png" alt-text="A diagram showing DNS resolution for Azure-provided DNS.":::
49
+
50
+
**Flow**
51
+
52
+
In this diagram, we can see,
53
+
* The Application Gateway instance talks to Azure-provided DNS (168.63.129.16) for name resolution of the backend servers FQDN "server1.contoso.com" and "server2.contoso.com", as shown with blue line.
54
+
* Similarly, the instance reaches out 168.63.129.16 for the name resolution of private link-enabled Key Vault resource, as shown in orange line. To allow an application gateway to DNS resolve the key vault endpoint to its private IP, it is important to link the Private DNS zone to that application gateway’s virtual network.
55
+
* After performing successful DNS resolutions for these FQDNs, the instance can communicate with the Key Vault and backend server endpoints.
56
+
57
+
**Considerations**
58
+
59
+
* Do not create and link private DNS zones for top-level Azure domain names. You must create DNS zone for a subdomain as specific as possible. For example, having a private DNS zone for `privatelink.vaultcore.azure.net` for a key vault’s private endpoint works in all cases than having a zone for `vaultcore.azure.net` or `azure.net`.
60
+
* For communication with backend servers or any service using a Private Endpoint, ensure the private link DNS zone is linked to your application gateway’s virtual network.
0 commit comments