Requesting help on Azure services

anil kumar 1,641 Reputation points
2022-09-14T03:29:52.667+00:00

Hello,

We have developed an cloud native application using multiple PaaS services including Azure App Service to host 1 web app, couple of Azure functions and few web APIs. We also bought an App domain from Azure and using same to personalize the URLs. Could you please help finding answers for following questions? I don't have Azure subscription at this moment so unable to do hands on.

  1. If we create private end point for web app hosted in Azure app service with custom domain, URL won't change and we will get a IP to connect to web app?
  2. By default, Azure creates separate private DNS zone for implementing private end point for each service type and each region - How does it work in case of custom domain ? As custom domain uses Azure DNS zone, will private DNS zone will also be created in DNS zone or it will exist separately ?
  3. If we have three private DNS zones for services with custom domain and in two Azure regions, will all three private DNS zones use Azure DNS zone internally?
  4. Do we need to add any DNS records manually in DNS zone ?
  5. Does App Containerization tool support custom domain?

Appreciate your insightful response.

Thank you!!

Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
469 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,919 questions
Accepted answer
  1. risolis 8,701 Reputation points
    2022-09-14T06:19:49.503+00:00

    Hello @anil kumar

    Thank you for your great question!

    I can not deny that this brought my attention and for that reason, I would like to help to get your concerns going to the right track so, let me address them below:

    1. If we create private end point for web app hosted in Azure app service with custom domain, URL won't change and we will get a IP to connect to web app?
      Answer: By default, when you enable Private Endpoints to your Web App, you disable all public access.
      • You can enable multiple Private Endpoints in others virtual networks and Subnets, including virtual network in other regions.
      • The access restrictions configuration of a Web App isn't evaluated for traffic through the Private Endpoint.
      • You can eliminate the data exfiltration risk from the virtual network by removing all NSG rules where destination is tag Internet or Azure services. When you deploy a Private Endpoint for a Web App, you can only reach this specific Web App through the Private Endpoint. If you have another Web App, you must deploy another dedicated Private Endpoint for this other Web App.
    2. By default, Azure creates separate private DNS zone for implementing private end point for each service type and each region - How does it work in case of custom domain ? As custom domain uses Azure DNS zone, will private DNS zone will also be created in DNS zone or it will exist separately ?
      Answer:
      By default, without Private Endpoint, the public name of your web app is a canonical name to the cluster. For example, the name resolution will be:
      Name Type Value
      mywebapp.azurewebsites.net CNAME clustername.azurewebsites.windows.net
      clustername.azurewebsites.windows.net CNAME cloudservicename.cloudapp.net
      cloudservicename.cloudapp.net A 40.122.110.154
      When you deploy a Private Endpoint, we update the DNS entry to point to the canonical name mywebapp.privatelink.azurewebsites.net. For example, the name resolution will be:
      Name Type Value Remark
      mywebapp.azurewebsites.net CNAME mywebapp.privatelink.azurewebsites.net
      mywebapp.privatelink.azurewebsites.net CNAME clustername.azurewebsites.windows.net
      clustername.azurewebsites.windows.net CNAME cloudservicename.cloudapp.net
      cloudservicename.cloudapp.net A 40.122.110.154 <--This public IP isn't your Private Endpoint, you'll receive a 403 error
      You must setup a private DNS server or an Azure DNS private zone, for tests you can modify the host entry of your test machine. The DNS zone that you need to create is: privatelink.azurewebsites.net. Register the record for your Web App with a A record and the Private Endpoint IP. For example, the name resolution will be:
      Name Type Value Remark
      mywebapp.azurewebsites.net CNAME mywebapp.privatelink.azurewebsites.net <--Azure creates this entry in Azure Public DNS to point the app service to the privatelink and this is managed by us
      mywebapp.privatelink.azurewebsites.net A 10.10.10.8 <--You manage this entry in your DNS system to point to your Private Endpoint IP address
      After this DNS configuration you can reach your Web App privately with the default name mywebappname.azurewebsites.net. You must use this name, because the default certificate is issued for *.azurewebsites.net.
      If you need to use a custom DNS name, you must add the custom name in your Web App. The custom name must be validated like any custom name, using public DNS resolution. For more information, see custom DNS validation.
    3. If we have three private DNS zones for services with custom domain and in two Azure regions, will all three private DNS zones use Azure DNS zone internally?
      See answer for question #2
    4. Do we need to add any DNS records manually in DNS zone ?
      Answer: yes
    5. Does App Containerization tool support custom domain?
      Answer: https://azure.microsoft.com/en-us/updates/generally-available-azure-container-apps-support-for-custom-domains-and-tls-certificates/

    I hope you can find this useful to overcome your concern : )

    Looking forward to your feedback,

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest