DNS Hostname Resolution from App Service Plan using VNet Integration

Question

DNS Hostname Resolution from App Service Plan using VNet Integration

App Service Plan - DNS Host Name Resolution Issue 0

I have question regarding how to setup DNS hostname resolution using VNet Integration.

I have an App Service Plan web site. I have VNet Integration enabled into my VNet. My VNet has its own DNS Server and it is configured to use it. I tried to use a Private DNS Zone as well. Neither of these solutions are providing the means for my web app to connect to my API hosted on a VM in my VNet. The browser can't resolve the hostname of the API. The error message is ERR_NAME_NOT_RESOLVED.

Apart from enabling VNet Integration and having a dedicated a DNS Server. What other configuration is necessary to have DNS working through VNet Integration?

Patchfox 4,096 Reputation points

2023-02-23T20:56:14.5233333+00:00

Could you give me more details on what means by "the browser can't resolve the hostname of the API?

At the moment I understand your infrastructure as follows:

Browser --> WebApp (AppService) --> VNet Injection -- > API App (VM)
App Service Plan - DNS Host Name Resolution Issue 0 Reputation points

2023-02-24T14:49:42.02+00:00

Thank you for you feedback. I have setup the DNS Forwarder to be 168.63.129.16. I ran the Network trouble shooter from the VNet Integration screen. The DNS is working correctly. I also ran the nameresolver command from the App Service Plan console for the hostname. The correct IP address is shown. But still the browser cannot resolve the domain name into the IP address. The error message is ERR_NAME_NOT_RESOLVED. The browser is Chrome. The VM is hosting the API. The hostname is shown correctly in error response in the browser for the https endpoint the nslookup should resolve.

The infrastructure is: Browser --> App Service Plan (Deployment Slot) --> VNet Integration (to subnet) -- > API App (VM) in the same VNet.

Further feedback is welcome. Many Thanks.
Patchfox 4,096 Reputation points

2023-02-24T15:56:57.36+00:00

Thanks for the more detailed info about your infrastructure. Is it possible to tell us the domain you try to reach from the browser?
App Service Plan - DNS Host Name Resolution Issue 0 Reputation points

2023-02-24T16:07:19.0833333+00:00

The domain is called api.privatelink.timelinetest.com. This was setup initially using a Private DNS Zone and then I created the DNS Server VM for the same domain in the same VNet. Testing both using the Network Trouble Shooter resolved the correct IP address. But still the App Service Plan will not resolve the hostname for the API VM I have running in the same VNet. Are there permissions that require setting for the App Service Plan to operate using VNet Integration?
ajkuma 28,116 Reputation points Microsoft Employee

2023-02-27T19:58:24.6+00:00

Apologies for the delay from over the weekend. I'm taking a look into this and will get back shortly.
App Service Plan - DNS Host Name Resolution Issue 0 Reputation points

2023-02-27T22:17:16.64+00:00

Your help is much appreciated thank you.

From the console I ran the command tcpping api.privatelink.timelinetest.com:8080 and got successful responses on the api port. It looks like the dns is working. But for some reason the browser is still reporting the same error as I mentioned above. This is with using the private dns zone I created. The default dns server is 168.63.129.16, which is Azure's dns server. I don't know what else to try to resolve this issue.
ajkuma 28,116 Reputation points Microsoft Employee

2023-02-28T18:01:15.6766667+00:00

Much appreciate your feedback. Glad things are moving in the right direction.
As I understand you have mentioned DNS is working fine and got successful responses on the API port.
I have added additional pointers below and converted my comments as answer.

If the answer helped (pointed you in the right direction) > please click Accept Answer

2 answers

Your answer

Patchfox 4,096 Reputation points

2023-02-23T20:56:14.5233333+00:00

Could you give me more details on what means by "the browser can't resolve the hostname of the API?

At the moment I understand your infrastructure as follows:

Browser --> WebApp (AppService) --> VNet Injection -- > API App (VM)
App Service Plan - DNS Host Name Resolution Issue 0 Reputation points

2023-02-24T14:49:42.02+00:00

Thank you for you feedback. I have setup the DNS Forwarder to be 168.63.129.16. I ran the Network trouble shooter from the VNet Integration screen. The DNS is working correctly. I also ran the nameresolver command from the App Service Plan console for the hostname. The correct IP address is shown. But still the browser cannot resolve the domain name into the IP address. The error message is ERR_NAME_NOT_RESOLVED. The browser is Chrome. The VM is hosting the API. The hostname is shown correctly in error response in the browser for the https endpoint the nslookup should resolve.

The infrastructure is: Browser --> App Service Plan (Deployment Slot) --> VNet Integration (to subnet) -- > API App (VM) in the same VNet.

Further feedback is welcome. Many Thanks.
Patchfox 4,096 Reputation points

2023-02-24T15:56:57.36+00:00

Thanks for the more detailed info about your infrastructure. Is it possible to tell us the domain you try to reach from the browser?
App Service Plan - DNS Host Name Resolution Issue 0 Reputation points

2023-02-24T16:07:19.0833333+00:00

The domain is called api.privatelink.timelinetest.com. This was setup initially using a Private DNS Zone and then I created the DNS Server VM for the same domain in the same VNet. Testing both using the Network Trouble Shooter resolved the correct IP address. But still the App Service Plan will not resolve the hostname for the API VM I have running in the same VNet. Are there permissions that require setting for the App Service Plan to operate using VNet Integration?
ajkuma 28,116 Reputation points Microsoft Employee

2023-02-27T19:58:24.6+00:00

Apologies for the delay from over the weekend. I'm taking a look into this and will get back shortly.
App Service Plan - DNS Host Name Resolution Issue 0 Reputation points

2023-02-27T22:17:16.64+00:00

Your help is much appreciated thank you.

From the console I ran the command tcpping api.privatelink.timelinetest.com:8080 and got successful responses on the api port. It looks like the dns is working. But for some reason the browser is still reporting the same error as I mentioned above. This is with using the private dns zone I created. The default dns server is 168.63.129.16, which is Azure's dns server. I don't know what else to try to resolve this issue.
ajkuma 28,116 Reputation points Microsoft Employee

2023-02-28T18:01:15.6766667+00:00

Much appreciate your feedback. Glad things are moving in the right direction.
As I understand you have mentioned DNS is working fine and got successful responses on the API port.
I have added additional pointers below and converted my comments as answer.

If the answer helped (pointed you in the right direction) > please click Accept Answer

Answer 1

@App Service Plan - DNS Host Name Resolution Issue ,

Thanks for the follow-up and update. As I understand you have mentioned DNS is working fine and got successful responses on the API port.

Just to clarify, you mention “the app service plan will not resolve the hostname for the API VM”. Then “the browser cannot resolve the domain name into the IP address”. Are both the browser and API not resolving IPs for the respective domain name?

You may try these to validate/dig into this more:

DNS – What is the hostname or custom domain you are trying to access? If you are simply using an IP you can skip this step. First validate is the correct hostname resolving to the expected IP.

Under Kudu Console -> Debugging Console -> CMD use the command nameresolver to validate that the hostname is returning the correct IP against the expected DNS server. If it’s not try using nameresolver domain IPofDNSServer as described earlier in case for some reason the app is not targeting the expected DNS server.

Lastly if it’s still failing, make sure any other domain that should be working is resolving. If this is failing: – Confirm what DNS server the app is using, if you aren’t sure use the nameresolver domain IPofDNSServer
– Try step #2 below and tcpping IPofDNSServer:53 to validate the app has connectivity to the DNS server.
– If that is failing try targeting another well known DNS server to see if something like www.microsoft.com is resolving.
– If this is failing check the network path and the DNS servers. If you have a secondary try that DNS server as well.

2.Nameresolver.exe : This command is similar to nslookup where it will do a DNS lookup against the DNS server that is configured for the web app. By default, a standard app service will use Azure DNS. If the App Service is configured with VNET integration ( includes both ASE types ), it will use your custom DNS servers configured for the VNET.

To specify a different DNS server to complete the lookup on, add the IP address of the server after the hostname separated by a space, ie “hostname <DNS Server IP>”.

Please check out the detailed suggestions outlined by one of my colleague, in his personal blog: https://blog.brooksjc.com/2021/09/17/app-service-network-debugging/

Answer 2

ajkuma 28,116 Microsoft Employee

Thanks for posting a good question.

Based on the issue description, I understand you’re wanting to perform name resolution from your web app built by using App Service, linked to a virtual network, to VMs in the same virtual network. If you haven’t done, the custom DNS server that you have setup, please ensure that you have a DNS forwarder that forwards queries to Azure (virtual IP 168.63.129.16).

Also, you need to enable virtual network integration for your web app and select Sync Network under Networking, Virtual Network Integration in the Azure portal for the App Service plan hosting the web app.

To isolate the issue, you may perform the connectivity test:
1.Test access via tcpping | for validate connection configuration
2.Network Troubleshooter from the Diagnose & Solve Problems blade

You may leverage App Service diagnostics from Azure Portal> Navigate to your App Service app in the Azure Portal. (Screenshot below)
In the left navigation, click on Diagnose and solve problems and search for “Network Troubleshooter”

Please check the doc to understand on how -Name resolution that uses your own DNS server - the flow. Checkout this article for more info: Troubleshoot virtual network integration with Azure App Service

User's image

App Service Plan - DNS Host Name Resolution Issue 0 Reputation points

2023-03-01T12:30:05.8266667+00:00

I have setup a custom DNS Server (10.1.0.4) with DNS forwarding enabled pointing at 168.63.129.16 (Azure DNS). I made sure I can ping endpoints between my VMs in my VNet. All is good on the VNet. My VMs can resolve hostnames using my DNS Server. Of course I set the VNet to use my DNS Server beforehand. Using Kudu I used commands nslookup and tcpping to my api on port 8080 (see image attached). But still the browser cannot resolve the same hostname. The nameresolver command works correctly as well. I tested again using the Network Trouble Shooter. No issues found.

Does the app service plan require specific roles or permissions? I use a standard plan. I did try upgrading to premium, but same problem.

Again thank you for your help and feedback on this. Much appreciated.
ajkuma 28,116 Reputation points Microsoft Employee

2023-03-01T18:26:41.7233333+00:00

Thanks for the follow-up and additional info.

Could you please share a screenshot of what doesn't work as expected? "But still the browser cannot resolve the same hostname."

(please do not share any PII data on the public forum, you may conceal/obfuscate info on screenshot)
App Service Plan - DNS Host Name Resolution Issue 0 Reputation points

2023-03-02T08:47:13.2033333+00:00

The browser is reporting the following the following error: The error message is ERR_NAME_NOT_RESOLVED. I use the browser dev tools to look at the request. There is no more information.

Using Kudu the dns appears to be working I have shown in the screen shot above. So therefore is the error message misleading? I am trying to connect over SSL. The VM hosting the API is using a self signed certificate. Could the actual problem be there? But then I would expect a different error indicating a certificate problem.
ajkuma 28,116 Reputation points Microsoft Employee

2023-03-02T14:32:16.2766667+00:00

Thanks for the follow-up and additional info.

From the scenario description and I understand all the config is setup correctly. Just to clarify, are you searching/trying to reach the URL api.privatelink.timelinetest.com via browser or something else?

Share via

DNS Hostname Resolution from App Service Plan using VNet Integration

2 answers

Your answer