Hello @prasantc ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you have a multi-continental deployment where two virtual WANs with secured hubs in two regions (one per subcontinent) connect to another single virtual WAN with a secured virtual hub. Internal traffic is secured by Firewall and Internet traffic is secured by an NVA. You also have an Azure DNS Private Resolver set up to query Azure DNS private zones from an on-premises environment and vice versa. The Firewall DNS proxy was configured with the private resolver inbound endpoint IP, but you were facing DNS resolution issues. So, one of your users tried removing the DNS inbound resolver from the Firewall DNS proxy and added a new local DNS server hosted in Azure; this resolved most of the DNS issues but failed to resolve the private endpoint from on-premises to ASE app services.
You would like to know whether the Azure Firewall DNS proxy feature does NOT work when deployed within an Azure secured hub in a Virtual WAN (vWAN) configuration if you use custom DNS or a private inbound IP in the DNS proxy.
Could you please confirm if my understanding is correct?
Assuming I understood your issue correctly, sharing a few pointers below:
- If you use custom DNS in the DNS proxy, the Azure Firewall DNS proxy feature should work when deployed within an Azure secured hub in a Virtual WAN (vWAN) configuration.
Azure Firewall Manager can provide security management for two network architecture types:
- secured virtual hub.
- hub virtual network.
Refer: https://learn.microsoft.com/en-us/azure/firewall-manager/vhubs-and-vnets
https://learn.microsoft.com/en-us/azure/firewall-manager/private-link-inspection-secure-virtual-hub
DNS proxy configuration requires three steps:
- Enable the DNS proxy in Azure Firewall DNS settings.
- Optionally, configure your custom DNS server or use the provided default.
- Configure the Azure Firewall private IP address as a custom DNS address in your virtual network DNS server settings. This setting ensures DNS traffic is directed to Azure Firewall.
Refer: https://learn.microsoft.com/en-us/azure/firewall/dns-settings#dns-proxy-configuration
Could you please make sure that the above steps are completed correctly?
- If you use a private inbound IP in the DNS proxy, the Azure Firewall DNS proxy feature may not work when deployed within an Azure secured hub in a Virtual WAN (vWAN) configuration.
I checked with the Azure Firewall Product Group team and below is their response:
The integration with Azure Private DNS resolver was not verified with Azure Firewall. We can help with collecting packet captures on the customer's Azure Firewall and validate it further, if needed.
So, if you need help with the configuration of using a private inbound IP in the DNS proxy, then we would need to open a support request so that the support team can engage the backend team for packet captures and log collection. Hence, if you have a support plan, I request that you file a support ticket; otherwise, please let us know and we will try to help you get one-time free technical support.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
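The three DNS proxy configuration steps from the answer above, carried out with the Az PowerShell module against a firewall in a vWAN secured hub, followed by a check that resolves the same name through the proxy and directly against the resolver inbound endpoint so a failure can be localised to one hop. This is an added example, not code from the original answer or from Microsoft; every resource name, IP address and FQDN in it is an assumption to be replaced with your own values.

```powershell
# Added example (not part of the original Q&A answer): configure Azure Firewall DNS proxy
# in a vWAN secured hub with the Az PowerShell module, then test the resolution path.
# All names, IPs and the FQDN below are assumptions; replace them with your own.

$rg         = 'rg-vwan-hub'        # assumed resource group holding the virtual hub and its policy
$hubName    = 'vhub-eu'            # assumed virtual hub name
$policyName = 'fwpol-vhub-eu'      # assumed Firewall Policy attached to the hub firewall
$spokeRg    = 'rg-spoke-app'       # assumed resource group of a spoke VNet connected to the hub
$spokeVnet  = 'vnet-spoke-app'     # assumed spoke VNet name
$resolverIp = '10.100.0.4'         # assumed DNS Private Resolver inbound endpoint IP (custom DNS server)
$testFqdn   = 'myapp.privatelink.appserviceenvironment.net'  # assumed private endpoint FQDN to test

# Steps 1 and 2: enable the DNS proxy on the policy and point it at the custom DNS server.
# In a secured hub the firewall takes its DNS settings from the associated Firewall Policy.
$policy = Get-AzFirewallPolicy -Name $policyName -ResourceGroupName $rg
$dns    = New-AzFirewallPolicyDnsSetting -EnableProxy -Server $resolverIp
Set-AzFirewallPolicy -InputObject $policy -DnsSetting $dns

# The hub firewall's private IP is the address clients must use as their DNS server.
# Secured-hub firewalls are named "AzureFirewall_<hub name>" (assumed to apply here).
$fw   = Get-AzFirewall -Name "AzureFirewall_$hubName" -ResourceGroupName $rg
$fwIp = $fw.HubIPAddresses.PrivateIPAddress

# Step 3: make the spoke VNet hand out the firewall private IP as its DNS server,
# so DNS traffic from the spoke is directed to Azure Firewall.
$vnet = Get-AzVirtualNetwork -Name $spokeVnet -ResourceGroupName $spokeRg
$vnet.DhcpOptions.DnsServers = @($fwIp)
$vnet | Set-AzVirtualNetwork

# Verification, to be run from a VM inside the spoke after the steps above.
# Querying the firewall and the resolver inbound endpoint separately shows whether
# a failure is in the proxy hop or in the resolver itself.
function Test-DnsPath {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Server
    )
    try {
        $records = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        $answers = ($records | Where-Object Type -eq 'A').IPAddress -join ','
        [pscustomobject]@{ Server = $Server; Name = $Name; Result = $answers }
    }
    catch {
        [pscustomobject]@{ Server = $Server; Name = $Name; Result = "FAILED: $($_.Exception.Message)" }
    }
}

Test-DnsPath -Name $testFqdn -Server $fwIp        # through the Azure Firewall DNS proxy
Test-DnsPath -Name $testFqdn -Server $resolverIp  # straight to the resolver inbound endpoint
```

VMs already running in the spoke keep their old DNS server until they are restarted, so restart them before trusting the first test. If the direct query to the resolver inbound endpoint succeeds but the query through the firewall fails, the problem is between the firewall and the resolver (routing or the DNS proxy hop), which is the situation the answer suggests raising with support for packet captures; if both fail, the resolver or the private DNS zone link is the place to look first.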