Private DNS / Link - certificate issue

a8ree1 21 Reputation points
2021-09-23T13:41:19.457+00:00

We have an issue with the use of Private DNS and I'm wondering if someone has encountered the same issue and whether there is a solution out there.

Scenario:

We are operating a three environment model in Azure whilst we operate from a single on-premise environment. We will be utilising services in Azure deployed with Private Link, where the only access is over the internal network. We need to be able to resolve names from the on-premise network for each of the three environments

Here is the solution that I designed
134530-screenshot-2021-09-23-at-143744.png

Unfortunately, this has an issue in that by deploying custom Private DNS names - and not the out-of-the-box zone, the certificate validation fails when connecting to resources.

Can anyone suggest how this should be done?

Azure DNS
Azure DNS
An Azure service that enables hosting Domain Name System (DNS) domains in Azure.
634 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
491 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee
    2021-09-24T16:30:03.277+00:00

    Hello @a8ree1 ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    Conditional forwarding isn't currently natively supported for Azure Private DNS.
    References: https://learn.microsoft.com/en-us/azure/dns/private-dns-overview#other-considerations
    This is a feature request by many customers and the backend team is working on it.

    Azure Private DNS manages and resolves domain names in the virtual network and provides hostname resolution between virtual networks using virtual network peering.
    To enable resolution between Azure and on-premises networks, see Name resolution for VMs and role instances.

    If you need resolution of Azure hostnames from on-premises computers, you need to forward queries to a customer-managed DNS proxy server in the corresponding virtual network, the proxy server forwards queries to Azure for resolution.

    If you need resolution of Azure Private Endpoints from your on-premises, you can use your DNS forwarder to override the DNS resolution for a private link resource.
    Reference : https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments