Hi, please bear with me while I explain a quick summary of our existing setup:
We have some servers in Azure and some in our on-prem datacenter, with an S2S VPN connection between Azure and our on-prem DC. We have 4 domain controllers, 2 on-prem and 2 in Azure, and they all act as the DNS servers too. For Azure VMs, we have the domain controller (DC) in Azure as our primary DNS and on-prem as secondary, while for on-prem servers, we have the on-prem DC as primary and the Azure domain controller as secondary. We have some storage accounts in Azure for which we have enabled private endpoints. We have also configured a recovery services vault to replicate our Azure servers from our primary region A to the secondary region B. The recovery services vault is in region B, public access is not allowed, and we have a private endpoint configured to access this RSV.
Currently, we are using forward lookup zones in our DNS servers (all 4) and have these zones for blob.core.windows.net and privatelink.siterecovery.windowsazure.com. For storage accounts, we have manually added the names and IPs of the private endpoints to the blob.core.windows.net forward lookup zone, and for the site recovery private endpoints we have added their names and respective IPs to the privatelink.siterecovery.windowsazure.com zone. This is working fine for us now, except for one downside. We have several applications that need to communicate outbound to some vendor-specific endpoints, and every time we need to enter the name and IP into these forward lookup zones manually so they resolve (through private endpoints). We need to use conditional forwarders so we won't need to enter these manually into our forward lookup zones every time we receive a request for a new IP or endpoint.
As a test, we created the conditional forwarders in our domain controller DNS servers to point to the Azure DNS Wire IP (168.63.129.16) and deleted the previously created forward lookup zones (including all records) for both blob.core.windows.net and privatelink.siterecovery.windowsazure.com. This resulted in breaking our site recovery replication, as the storage account failed to resolve DNS through the private endpoints.
We are configuring something like this for the first time, so we would like to get some advice, as there is something missing that we need to configure (additionally) or something else that we are missing here. We also have some conditional forwarders set up for some of our other storage accounts with the same setup, pointing to the Azure DNS Wire IP, and they are working fine. Any advice to get around this would be highly appreciated. Many thanks
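As an added example (not from the post or from Microsoft), the following PowerShell creates the two conditional forwarders from the post on a Windows DNS server and then checks whether names actually resolve to private-endpoint (RFC 1918) addresses rather than public ones, which is the symptom behind the broken replication. It assumes the DnsServer module is present; the resolver IPs, DC IPs and the storage/RSV FQDNs are placeholders, and the 168.63.129.16 reachability caveat is stated in the comments.

```powershell
# Added example, not from the original post. Assumes a Windows Server DNS role
# (DnsServer module) and that $ForwarderIPs is reachable from THIS server:
# 168.63.129.16 only answers from inside an Azure VNet, so on-prem DCs should
# forward to a resolver that lives in the VNet (the Azure DCs, a forwarder VM,
# or an Azure DNS Private Resolver inbound endpoint). IPs and names below are placeholders.
Import-Module DnsServer

$Zones        = @('blob.core.windows.net', 'privatelink.siterecovery.windowsazure.com')
$ForwarderIPs = @('168.63.129.16')   # on-prem DCs: replace with the in-VNet resolver IP, e.g. '10.0.0.4'

foreach ($zone in $Zones) {
    # A conditional forwarder cannot coexist with a locally hosted zone of the same name.
    $existing = Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue
    if ($existing -and $existing.ZoneType -ne 'Forwarder') {
        Write-Warning "$zone is hosted locally ($($existing.ZoneType)); remove it before adding a forwarder."
        continue
    }
    if (-not $existing) {
        Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $ForwarderIPs -ReplicationScope 'Forest'
    }
}

function Test-PrivateEndpointResolution {
    # Reports whether $Fqdn resolves to an RFC 1918 address via $DnsServer.
    # A public address (or none) means the private endpoint is being bypassed.
    param([string]$Fqdn, [string]$DnsServer)
    try {
        $records = Resolve-DnsName -Name $Fqdn -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop
        $ips = @($records | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
    } catch {
        $ips = @()
    }
    $rfc1918 = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)'
    [pscustomobject]@{
        Name            = $Fqdn
        Addresses       = ($ips -join ', ')
        PrivateEndpoint = [bool]($ips | Where-Object { $_ -match $rfc1918 })
    }
}

# Placeholder names: substitute your storage account and RSV private endpoint FQDNs.
$Names = @('mystorageacct.blob.core.windows.net',
           'CHANGEME.privatelink.siterecovery.windowsazure.com')
foreach ($dc in @('10.0.0.4', '192.168.1.10')) {   # placeholder: one Azure DC and one on-prem DC
    $Names | ForEach-Object { Test-PrivateEndpointResolution -Fqdn $_ -DnsServer $dc } |
        Format-Table -AutoSize
}
```

Run the check against each of the four DCs from both sides of the VPN; a row with a public address or an empty Addresses column on the on-prem DCs points at the forwarder target being unreachable from on-prem rather than at the zone records themselves.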