Hello @anil kumar
Thank you for your great question!
I cannot deny that this caught my attention, and for that reason I would like to help get your concerns onto the right track, so let me address them below:
- If we create a private endpoint for a web app hosted in Azure App Service with a custom domain, the URL won't change and we will get an IP to connect to the web app?
Answer: By default, when you enable Private Endpoints for your Web App, you disable all public access.
• You can enable multiple Private Endpoints in other virtual networks and subnets, including virtual networks in other regions.
• The access restrictions configuration of a Web App isn't evaluated for traffic through the Private Endpoint.
• You can eliminate the data exfiltration risk from the virtual network by removing all NSG rules where the destination is the tag Internet or Azure services. When you deploy a Private Endpoint for a Web App, you can only reach this specific Web App through the Private Endpoint. If you have another Web App, you must deploy another dedicated Private Endpoint for that other Web App.
- By default, Azure creates a separate private DNS zone for implementing a private endpoint for each service type and each region. How does it work in the case of a custom domain? As the custom domain uses an Azure DNS zone, will the private DNS zone also be created in the DNS zone, or will it exist separately?
Answer:
By default, without a Private Endpoint, the public name of your web app is a canonical name to the cluster. For example, the name resolution will be:
| Name | Type | Value |
|---|---|---|
| mywebapp.azurewebsites.net | CNAME | clustername.azurewebsites.windows.net |
| clustername.azurewebsites.windows.net | CNAME | cloudservicename.cloudapp.net |
| cloudservicename.cloudapp.net | A | 40.122.110.154 |
When you deploy a Private Endpoint, we update the DNS entry to point to the canonical name mywebapp.privatelink.azurewebsites.net. For example, the name resolution will be:
| Name | Type | Value | Remark |
|---|---|---|---|
| mywebapp.azurewebsites.net | CNAME | mywebapp.privatelink.azurewebsites.net | |
| mywebapp.privatelink.azurewebsites.net | CNAME | clustername.azurewebsites.windows.net | |
| clustername.azurewebsites.windows.net | CNAME | cloudservicename.cloudapp.net | |
| cloudservicename.cloudapp.net | A | 40.122.110.154 | This public IP isn't your Private Endpoint; you'll receive a 403 error |
You must set up a private DNS server or an Azure DNS private zone; for tests you can modify the hosts entry of your test machine. The DNS zone that you need to create is privatelink.azurewebsites.net. Register the record for your Web App with an A record and the Private Endpoint IP. For example, the name resolution will be:
| Name | Type | Value | Remark |
|---|---|---|---|
| mywebapp.azurewebsites.net | CNAME | mywebapp.privatelink.azurewebsites.net | Azure creates this entry in Azure Public DNS to point the app service to the privatelink; this is managed by us |
| mywebapp.privatelink.azurewebsites.net | A | 10.10.10.8 | You manage this entry in your DNS system to point to your Private Endpoint IP address |
After this DNS configuration you can reach your Web App privately with the default name mywebappname.azurewebsites.net. You must use this name, because the default certificate is issued for *.azurewebsites.net.
If you need to use a custom DNS name, you must add the custom name in your Web App. The custom name must be validated like any custom name, using public DNS resolution. For more information, see custom DNS validation.
- If we have three private DNS zones for services with custom domains in two Azure regions, will all three private DNS zones use the Azure DNS zone internally?
Answer: See the answer to question #2.
- Do we need to add any DNS records manually in the DNS zone?
Answer: Yes.
- Does the App Containerization tool support custom domains?
Answer: https://azure.microsoft.com/en-us/updates/generally-available-azure-container-apps-support-for-custom-domains-and-tls-certificates/
I hope you find this useful to overcome your concern :)
Looking forward to your feedback,
Cheers,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
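The two resolution chains described in the answer above, checked offline as an added example that is not part of the original answer: the record sets are constructed from the names and the 40.122.110.154 / 10.10.10.8 addresses given above, and the `resolve_chain` and `check_private_endpoint` helpers are hypothetical, not an Azure API.

```python
# Added example: check whether a web app's DNS chain lands on a Private Endpoint IP.
# Constructed record sets mirror the answer above; nothing is queried over the network.
import ipaddress

# Constructed: what a client sees with only Azure public DNS.
PUBLIC_ONLY = {
    "mywebapp.azurewebsites.net": ("CNAME", "mywebapp.privatelink.azurewebsites.net"),
    "mywebapp.privatelink.azurewebsites.net": ("CNAME", "clustername.azurewebsites.windows.net"),
    "clustername.azurewebsites.windows.net": ("CNAME", "cloudservicename.cloudapp.net"),
    "cloudservicename.cloudapp.net": ("A", "40.122.110.154"),
}
# Constructed: same, but a privatelink.azurewebsites.net private zone (or your own
# DNS server) overrides the privatelink name with the Private Endpoint address.
WITH_PRIVATE_ZONE = dict(PUBLIC_ONLY)
WITH_PRIVATE_ZONE["mywebapp.privatelink.azurewebsites.net"] = ("A", "10.10.10.8")


def resolve_chain(name, records, max_hops=8):
    """Follow CNAMEs until an A record; return (names visited, ip)."""
    hops = [name]
    for _ in range(max_hops):
        rtype, value = records[name]  # KeyError means the name does not resolve
        if rtype == "A":
            return hops, value
        name = value
        if name in hops:
            raise ValueError(f"CNAME loop at {name}")
        hops.append(name)
    raise ValueError("too many CNAME hops")


def check_private_endpoint(name, records):
    """Verdict: does the chain pass via privatelink and end on a private IP?"""
    hops, ip = resolve_chain(name, records)
    via_privatelink = any(h.endswith(".privatelink.azurewebsites.net") for h in hops)
    private_ip = ipaddress.ip_address(ip).is_private
    if via_privatelink and private_ip:
        status = "ok"                   # traffic reaches the Private Endpoint
    elif via_privatelink:
        status = "public-ip"            # privatelink name not overridden: expect a 403
    else:
        status = "no-private-endpoint"  # no privatelink CNAME in the chain at all
    return {"ip": ip, "hops": hops, "status": status}


if __name__ == "__main__":
    for label, zone in (("public DNS only", PUBLIC_ONLY), ("with private zone", WITH_PRIVATE_ZONE)):
        print(label, check_private_endpoint("mywebapp.azurewebsites.net", zone))
```

Run the same check against a real resolver (for example by feeding it the output of a DNS lookup tool from inside the VNet) to confirm the privatelink name is answered from your private zone rather than public DNS.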