Hi, I am looking for advice and best practice for Azure Deployment. We have been instructed by the BAU support team that we need to Domain join the two VMs we have deployed. These will need to be Domain Joined to a AD DS solution I have deployed. I currently have a hub spoke environment and the AD DS platform is deployed to the hub. The concern I have is the approach we are taking correct and will processing be impacted. The scenario is as follows: I have a VNet in the spoke that contains two VMs and also a number of subnets where I have VNet Integrated a number of Functions. The Functions communicate with Event Grids, Storage Accounts, Event Hubs and Databases via Service Endpoints. To Domain Join the VMs I need to change the VNet deployment to point the Custom DNS Domain to the Domain Controllers of the AD DS service. I am assuming this will also impact the Function Apps when resolving the endpoint for the PaaS resource covered in 2 above. Do they need to resolve and does this use Azure DNS? The AD DS is used to harden the servers by GPO policies. Is this best practice for Azure VMs? Does this setup cause a problem and will this impact the Functions Apps deployed to the network? Will I get latency issues? Thanks

Hey there GRAY Mike Ill try to address your concerns, First off, if you're domain-joining your VMs in the Azure VNet to an AD DS solution, it's mostly going to impact those VMs themselves, not your Function Apps. Changing your VNet's custom DNS domain for the Domain Controllers won't mess up your Function Apps' works. Using AD DS to tighten the screws on VM security? i would say thats great, It's a good practice, especially if you've got specific security boxes to check. As for latency issues, Domain-joining VMs and setting up AD DS shouldn't give your Function Apps any prbs They'll keep connected with Azure services. Just make sure your VNet and subnet settings align with your needs, If this helps kindly accept the answer thanks much.

Azure Function App and VM DNS Resolution

Accepted answer

Azar 19,645 Reputation points

2024-01-19T13:22:38.64+00:00

Hey there GRAY Mike

Ill try to address your concerns, First off, if you're domain-joining your VMs in the Azure VNet to an AD DS solution, it's mostly going to impact those VMs themselves, not your Function Apps.

Changing your VNet's custom DNS domain for the Domain Controllers won't mess up your Function Apps' works.

Using AD DS to tighten the screws on VM security? i would say thats great, It's a good practice, especially if you've got specific security boxes to check.

As for latency issues, Domain-joining VMs and setting up AD DS shouldn't give your Function Apps any prbs They'll keep connected with Azure services. Just make sure your VNet and subnet settings align with your needs,

If this helps kindly accept the answer thanks much.
Please sign in to rate this answer.
GRAY Mike 161 Reputation points

2024-01-19T13:27:03.2966667+00:00

Thanks for your prompt reply! So just to confirm when the Function Apps which are Vnet Integrated - when calling Azure Resources they will not be affected by the DNS Custom Domain. How do they resolve to the calling Azure PaaS Services. Do we have any documentation related to this if possible? Thanks Mike

GRAY Mike 161 Reputation points

2024-01-19T13:49:51.66+00:00

Hi - Also what did you mean by the last comment Make Vnet and Subnet settings align with your needs? As for the VNet DNS are you stating Function that are VNet integrated will not be directed via DNS? Thanks

Azar 19,645 Reputation points

2024-01-19T14:06:06.95+00:00

Hey again , GRAY Mike

let me try to clarify, the Function Apps are VNet integrated, they communicate with Azure PaaS services using Azure DNS. The custom DNS domain you set for the VNet doesn't affect these connections. Function Apps use the Azure DNS resolution to reach out to services like Storage Accounts, Event Hubs etce.

I meant VNet DNS is used for name resolution when Function Apps access resources within the VNet. Azure DNS handles name resolution for Function Apps interacting with Azure PaaS services

For more info follow the documentation, try searching according to the need, I found this below is the link

https://learn.microsoft.com/en-us/search/?terms=azure%20dns

Dont forget to upvote and mark answer as accepted if it helped you thanks again.

Luis Arias 5,131 Reputation points

2024-01-19T14:07:35.6166667+00:00

Hi GRAY Mike, As mention Azar in your case your DNS configuration won't impact the access to the PaaS Services with service endpoint enable on vnet. Services endpoint in practical side are routes in vnet that after resolve the name to the public IP (It doesn't matter who will resolve the names here) will route the traffic to azure service on a specific way trought azure backbone, you can verify this on any VM. (If you have private endpoint this is different behaviour )

Viewing the effective routes on any network interface in a subnet. The route to the service:- Shows a more specific default route to address prefix ranges of each service- Has a nextHopType of VirtualNetworkServiceEndpointhttps://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

Luis

GRAY Mike 161 Reputation points

2024-01-19T17:08:06.99+00:00

Thank you both that really helps clarify the situation. Just one further point to make. Some of the Functions are calling / being called by Event Grids which do not support Service Endpoints. I assume these PaaS services would use Azure DNS but the called would be from the Function to the Internet? We did look at Private Endpoints but the push from Event Grids to Functions are not supported by Private Endpoints. Does this mean to be secure I need to send internet traffic from the VNet integrated Function via the Azure Firewall. Thanks Mike

Azar 19,645 Reputation points

2024-01-20T14:17:45.4033333+00:00

Hey again,

you're right. whilee dealing with Event Grids that don't support Service Endpoints, your VNet-integrated Functions would need to route their traffic to the internet to communicate with these services. This traffic would typically go through the Azure Firewall or other outbound internet connectivity configured in your environment. i recomedns using AZ firewall

If you're aiming for a more secure setup, sending the internet-bound traffic through the Azure Firewall is a good practice. Dont forget to upvote and mark answer as accepted if it helped you thanks again.
Sign in to comment

Share via

Azure Function App and VM DNS Resolution

0 additional answers