Azure Arc Assistance

Dr. Rashida Garner 20 Reputation points
2024-04-24T15:59:34.6966667+00:00

This is for my end user and not myself.

I am setting up Azure Arc with a Private Endpoint so that Arc traffic goes over the VPN to Azure. I need assistance in setting up the conditional forwarders in our on-premises DNS, as the Microsoft instructions could not possibly be any less clear. Here are the steps I did use, below.

We followed this article Use Azure Private Link to securely connect servers to Azure Arc - Azure Arc | Microsoft Learn. Then when you get to the section entitled DNS configuration using Azure-integrated private DNS zones it states the following: If you set up private DNS zones for Azure Arc-enabled servers and Guest Configuration when creating the private endpoint, your on-premises machines or servers need to be able to forward DNS queries to the built-in Azure DNS servers to resolve the private endpoint addresses correctly. You need a DNS forwarder in Azure (either a purpose-built VM or an Azure Firewall instance with DNS proxy enabled), after which you can configure your on-premises DNS server to forward queries to Azure to resolve private endpoint IP addresses. The private endpoint documentation provides guidance for configuring on-premises workloads using a DNS forwarder. When following the next link, about on-premises workloads using a DNS forwarder, it just gives general info. I know I need to add a conditional forwarder for the private link to work correctly, however I do not know what the zone name needs to be or what IP addresses to point the zone to.

Please advise. Thanks,



Accepted answer
  1. Timmy Malmgren 1,521 Reputation points
    2024-04-25T07:53:51.24+00:00

    Hello

    Basically what you need is some DNS solution in Azure that your on-premises is forwarding its requests to. Have you checked out this link? It has some pictures with the steps explained, with both IP addresses and DNS names as examples. For instance it might use examples such as having a SQL server with a private endpoint getting the "10.0.0.10" IP address; now that name needs to be in your Azure DNS (that on-premises forwards requests for), and privatelink.database.windows.net will be the zone. Personally I have been using DNS Private Resolver in Azure lately and am very pleased with the result of making DNS queries between Azure and on-premises.

    DNS Private endpoint overview

    https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration#on-premises-workloads-using-a-dns-forwarder

    List of all Private DNS zones for Private endpoint/Link

    https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns

    How to configure DNS private resolver with private endpoint/Link

    https://www.starwindsoftware.com/blog/deploy-a-hybrid-dns-infrastructure-with-dns-private-resolver

    Hope this is helpful and remember shared knowledge is the best knowledge 😊

    Best Regards,

    Timmy Malmgren


    If the Answer is helpful, please click "Accept Answer" and upvote it as it helps others to find what they are looking for faster!


2 additional answers

Sort by: Most helpful
  1. GitaraniSharma-MSFT 49,586 Reputation points Microsoft Employee
    2024-04-25T07:44:43.9866667+00:00

    Hello @Dr. Rashida Garner ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to use Azure Private Link to securely connect your on-premises servers to Azure Arc and would like to know how to configure the DNS resolution for this setup.

    Accessing private endpoint connected resource from on-premises is possible but needs some additional DNS configurations.

    For on-premises workloads to resolve the Azure hostname or FQDN of a private endpoint, you must use a DNS forwarder in Azure, which in turn is responsible for resolving all the DNS queries via a server-level forwarder to the Azure-provided DNS 168.63.129.16. A DNS forwarder is a Virtual Machine running on the Virtual Network linked to the Private DNS Zone that can proxy DNS queries coming from other Virtual Networks or from on-premises.

    But you can also use Azure Private Resolver to resolve the Azure service public DNS zone in Azure. Azure Private Resolver is an Azure managed service that can resolve DNS queries without the need for a virtual machine acting as a DNS forwarder.

    If you check the table in Name resolution for resources in Azure virtual networks article, you can find the below:

    [image attached by the poster: table from the name resolution article]

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances?tabs=redhat

    It's important to correctly configure your DNS settings to resolve the private endpoint IP address to the fully qualified domain name (FQDN) of the connection string.

    You can use the following options to configure your DNS settings for private endpoints:

    • Use the host file (only recommended for testing)
    • Use a private DNS zone.
    • Use Azure Private Resolver or DNS forwarder (optional).

    Refer: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns

    As of today, Azure DNS Private Resolver is the recommended Azure managed service that can resolve DNS queries without the need for a virtual machine acting as a DNS forwarder. For on-premises workloads to resolve the FQDN of a private endpoint, you can use Azure Private Resolver.

    Refer: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

    https://learn.microsoft.com/en-us/azure/dns/private-resolver-hybrid-dns

    https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration#azure-private-resolver-for-on-premises-workloads

    But if you would still like to go ahead with a DNS forwarder setup, you can find more details in the below docs:

    DNS Forwarder VM template: https://github.com/Azure/azure-quickstart-templates/blob/master/demos/dns-forwarder/README.md

    Conditional forwarder setup on the DNS forwarder in Azure:

    Refer: https://github.com/adstuart/azure-privatelink-dns-microhack#task-3--add-conditional-forwarder-to-az-dns-vm-vm-in-azure

    Conditional forwarder setup on your on-premises DNS server: The conditional forwarding must be made to the recommended public DNS zone forwarder of the respective resource. For example: database.windows.net instead of privatelink.database.windows.net.

    Refer: https://github.com/adstuart/azure-privatelink-dns-microhack#task-3---setup-conditional-forwarder

    For Azure Arc public DNS zone forwarder information, refer to the below:

    [image attached by the poster: Azure Arc public DNS zone forwarder information]

    For more clarity on the on-premises private DNS integration, please refer to the below docs:

    https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios#4-on-premises-dns-integration

    https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration#on-premises-workloads-using-a-dns-forwarder

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

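As an added illustration of the conditional-forwarder setup described in this answer and in the accepted one (example code, not from either poster nor from Microsoft's docs), the following PowerShell, run on an on-premises Windows DNS Server, forwards the Azure Arc public zones to the inbound endpoint of an Azure DNS Private Resolver (or a DNS forwarder VM) reachable over the VPN, and then checks that an Arc endpoint name resolves to a VNet address rather than a public one. The inbound endpoint IP 10.10.0.4, the VNet prefix 10.10.0.0/16 and the test FQDN are assumptions; the three public zones are assumed to be the Azure Arc private link zones (his.arc.azure.com, guestconfiguration.azure.com, dp.kubernetesconfiguration.azure.com), so confirm them against the Arc private link zone table referenced above.

```powershell
# Added example (not from the thread): on-premises Windows DNS Server conditional
# forwarders for Azure Arc private link, plus a resolution check.
# Assumptions: the Azure DNS Private Resolver inbound endpoint (or DNS forwarder VM)
# listens on 10.10.0.4 across the VPN, and private endpoint NICs live in 10.10.0.0/16.
$AzureResolverIp = '10.10.0.4'
$VnetPrefix      = '10.10.'

# Forward the PUBLIC zones, not privatelink.*: the Azure-side resolver (168.63.129.16 behind
# the inbound endpoint) follows public name -> privatelink CNAME -> private DNS zone A record.
$ArcPublicZones = @(
    'his.arc.azure.com',                   # Hybrid Identity Service
    'guestconfiguration.azure.com',        # Guest Configuration
    'dp.kubernetesconfiguration.azure.com' # Kubernetes configuration data plane
)

foreach ($zone in $ArcPublicZones) {
    if (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue) {
        # Zone exists already: update its master so a changed inbound endpoint IP is picked up.
        Set-DnsServerConditionalForwarderZone -Name $zone -MasterServers $AzureResolverIp
    } else {
        # On an AD-integrated DNS server add -ReplicationScope Forest so every DC gets the zone.
        Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $AzureResolverIp
    }
}

# Validation against the local server: an Arc endpoint name should now answer with a VNet IP.
# 'gbl.his.arc.azure.com' is a placeholder test name; use an FQDN from your private endpoint's
# DNS configuration blade.
$TestName = 'gbl.his.arc.azure.com'
$answers  = Resolve-DnsName -Name $TestName -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
$ip = ($answers | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress

if ($ip -and $ip.StartsWith($VnetPrefix)) {
    "OK: $TestName -> $ip (private endpoint reached via the forwarder over the VPN)"
} else {
    # A public IP or no answer means the query never reached Azure's resolver: wrong zone name,
    # wrong master IP, firewall blocking UDP/TCP 53, or the VPN tunnel being down.
    "CHECK: $TestName -> $ip (expected an address in $($VnetPrefix)0.0/16)"
}
```

Run the validation part again from an Arc-enabled machine with `-Server` pointed at the on-premises DNS server to confirm the full path, since the agent resolves through that server, not the DNS server's own loopback.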

  2. Dr. Rashida Garner 20 Reputation points
    2024-04-26T16:31:27.5333333+00:00

    Per the end user, he stated:

    This helped. Thanks. The only issue I am running into now is that the DNS Private Resolver at Azure worked initially, but now it is not.

    "I have found that the VPN to Azure is down unless the VM in the Resource Group is up. Is this normal? I have the VPN Gateway set to bring up the tunnel when initiated on either side. Is there a setting in the Azure VPN gateway to keep up the VPN at all times?"

