Bicep : how to setup DNSzone/record for private endpoint

Question

Bicep : how to setup DNSzone/record for private endpoint

David Vanden Bussche 30

for an azure appservice I created a private endpoint through bicep.

Now I want to setup a private DNSzone record for this endpoint in bicep.

what is the correct way to do this :

resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = {
  location: resourceGroup().location
  name: '${peName}/default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: '${peName}-dns'
        properties: {
          privateDnsZoneId: privateDnsZones_privatelink.id
        }
      }
    ]
  }
}

or

resource privateDnsZones_privatelink_apps 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
  parent: privateDnsZones_privatelink
  name: toLower(recordname)
  properties: {
    ttl: 3600
    aRecords: [
      {
        ipv4Address: '10.x.x.x'
        
      }
    ]
  }
}

Accepted answer

0 additional answers

Your answer

Answer 1

Luis Arias 8,621 Volunteer Moderator

Hello David Vanden Bussche,

You will need to use the Microsoft.Network/privateDnsZones resource and include inside it the virtual network link to your vnet that will resolve the name.

Take on consideration the private dns zone name from the list of documentation:

https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns

Example: privatelink.azurewebsites.net

 resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
 //Include the dns zone name
   name: privateDnsZoneName
   location: 'global'
 	// You require this section to link the Private Dns Zone to vnet
   resource privateDnsZoneVirtualNetworkLink 'virtualNetworkLinks@2020-06-01' = {
     name: vnetLinkName
     location: 'global'
     properties: {
		// This is a bool value
       registrationEnabled: autoregistrationEnabled
       virtualNetwork: {
		// Use the your vnet Id
         id: virtualNetworkId
       }
     }
   }
 }

// Create PrivateEndpointDnsZoneGroup service 
 resource privateEndpointDsnZoneGroupResource 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-07-01' = {
   name: '<YOUR PRIVATE ENDPOINT NAME>/default'
   properties: {
     privateDnsZoneConfigs: [
       {
         name: privateDnsZoneName
         properties: {
           privateDnsZoneId: privateDnsZone.Id
         }
       }
     ]
   }
   dependsOn: [
     <Your private Endpoint resource or module>
   ]
 }

Here additional documentation:

https://learn.microsoft.com/en-us/azure/templates/microsoft.network/privatednszones?pivots=deployment-language-bicep https://learn.microsoft.com/en-us/azure/templates/microsoft.network/privatednszones/virtualnetworklinks?pivots=deployment-language-bicep

Note: Your private endpoint bicep code need to consider the privateLinkServiceId

Let me know if you need additional help.

Luis.

David Vanden Bussche 30 Reputation points

2023-12-07T07:14:10.62+00:00
Hi Luis,

thanks for your answer !

since the private dnszone already exists i only need this part :

resource privateEndpointDsnZoneGroupResource 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-07-01'

and in the private endpoint config I already set the privateLinkServiceId :

resource privateEndpoint 'Microsoft.Network/privateEndpoints@2022-07-01' = { name: privep location: resourceGroup().location tags: tags properties: { subnet: { id: <target-subnet> } privateLinkServiceConnections: [ { name: <private-endpont-name> properties: { privateLinkServiceId: webApplication.id groupIds: ['sites'] } } ] } }

2 more questions :

resource privateEndpointDsnZoneGroupResource 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-07-01' = { name: '<YOUR PRIVATE ENDPOINT NAME>/default'

that /default :

what does this mean ? in the azure portal in the private dnszone section , i don' see how this is represented.

and last question:

in the private dnszone for 'privatelink.azurewebsites.net' we already have records that were added manually via the portal;

When running this new bicep code to add this new private-endpoint dns, those already existing records will stay untouched ?
Luis Arias 8,621 Reputation points Volunteer Moderator

2023-12-07T10:22:12.4433333+00:00
Hi David Vanden Bussche,

That's good, you already have more of the work done, responding your questions;

That /default you can change for any name it's only to have the reference in the private endpoint to the private DNS zone, you can see the configuration on portal if you go to your Private Endpoint > DNS Configuration > Customer Visible FQDNS:

In your case the integrity of you deployment is deending in what is bicep deployment mode used (Complete / Incremental) I recommend you use Incremental to don't delete any existing resource.

More detail: https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-modes

Additionaly if you private DNS zone is already on portal and it doesn't created by your code, Use resource exiting to don't try to create the private dns zone again.

More detail: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/existing-resource

I hope this help you let me know anything else.
David Vanden Bussche 30 Reputation points

2023-12-07T15:04:33.3666667+00:00

the bicep incremental mode is default, so that's already ok :)

regarding the /default u mentioned in your screenshot.

In my setup , this is empty for the private endpoint config. however I do have a record in the private dnszone.

so , what's the link between the private dnszone content and this setting in red below ?

When i execute my bicep script as described above, it will probably add this setting and a new record in the private dns zone ?
Luis Arias 8,621 Reputation points Volunteer Moderator

2023-12-07T15:32:27.58+00:00
Yes , if your setup is the right one Your private endpoint will show a configuration name. Be carefull to don't create the DNS record in the private dns zone manually this will be created by the privateEndpoints/privateDnsZoneGroups.

As an example you can also add the dns-zone-group by Azure CLI:

# Example: this is the same operation that bicep do 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups' az network private-endpoint dns-zone-group create
David Vanden Bussche 30 Reputation points

2023-12-12T10:18:31.3866667+00:00
still some issues with the deployment :(

my webapp private endpoint is in subscription subA in resourcegroup RG-apps

my private dnszone is in subscription subB in resourcegroup RG-network

now i get the error when running the bicep to setup the dnszone-record for this privateEndpoint, that the PE in resourcegroup RG-network could not be found.

Which is correct, since the PE is created in RG-apps and not in RG-network.

my bicep runs from RG-apps, and PE is created in that RG.

to setup the dnsrecord I call a module with scope-change :

module dnszone 'dnszones.bicep' = { scope: resourceGroup(subB,rg-network) name: '${name}-dnszone' params: { peName: toLower(privep) } }

peName parameter contains the name of my webapp private endpoint

that module runs this code :

resource privateDnsZones_privatelink 'Microsoft.Network/privateDnsZones@2020-06-01' existing = { name: 'privatelink.azurewebsites.net' } resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = { location: resourceGroup().location name: '${peName}/default' properties: { privateDnsZoneConfigs: [ { name: peName properties: { privateDnsZoneId: privateDnsZones_privatelink.id } } ] } }

if I understand correctly: that 'name: peName' parameter links the private endpoint to the dnszone-record ?

How can make it possible to create the record when PE and dns are in different subscriptions/recordgroups ?

Share via

Bicep : how to setup DNSzone/record for private endpoint

0 additional answers

Your answer