快速入門：使用 Bicep 建立 Azure DNS 私人解析器

2024-06-03

本快速入門說明如何使用 Bicep 來建立 Azure DNS 私人解析器。

Bicep 是使用宣告式語法來部署 Azure 資源的特定領域語言 (DSL)。其提供簡潔的語法、可靠的類型安全，並支援程式碼重複使用。 Bicep 能夠為您在 Azure 中的基礎結構即程式碼解決方案，提供最佳的製作體驗。

下圖摘要說明使用的一般設定。範本中使用的子網位址範圍與圖中所示的子網位址範圍稍有不同。

必要條件

如果您沒有 Azure 訂用帳戶，請在開始前建立免費帳戶。

檢閱 Bicep 檔案

此快速入門中使用的 Bicep 檔案是來自 Azure 快速入門範本。

此 Bicep 檔案已設定為建立下列項目：

虛擬網路
DNS 解析程式
輸入和輸出端點
轉送規則和規則集。

@description('name of the new virtual network where DNS resolver will be created')
param resolverVNETName string = 'dnsresolverVNET'

@description('the IP address space for the resolver virtual network')
param resolverVNETAddressSpace string = '10.7.0.0/24'

@description('name of the dns private resolver')
param dnsResolverName string = 'dnsResolver'

@description('the location for resolver VNET and dns private resolver - Azure DNS Private Resolver available in specific region, refer the documenation to select the supported region for this deployment. For more information https://docs.microsoft.com/azure/dns/dns-private-resolver-overview#regional-availability')
@allowed([
  'australiaeast'
  'uksouth'
  'northeurope'
  'southcentralus'
  'westus3'
  'eastus'
  'northcentralus'
  'westcentralus'
  'eastus2'
  'westeurope'
  'centralus'
  'canadacentral'
  'brazilsouth'
  'francecentral'
  'swedencentral'
  'switzerlandnorth'
  'eastasia'
  'southeastasia'
  'japaneast'
  'koreacentral'
  'southafricanorth'
  'centralindia'
  'westus'
  'canadaeast'
  'qatarcentral'
  'uaenorth'
  'australiasoutheast'
  'polandcentral'
])
param location string

@description('name of the subnet that will be used for private resolver inbound endpoint')
param inboundSubnet string = 'snet-inbound'

@description('the inbound endpoint subnet address space')
param inboundAddressPrefix string = '10.7.0.0/28'

@description('name of the subnet that will be used for private resolver outbound endpoint')
param outboundSubnet string = 'snet-outbound'

@description('the outbound endpoint subnet address space')
param outboundAddressPrefix string = '10.7.0.16/28'

@description('name of the vnet link that links outbound endpoint with forwarding rule set')
param resolvervnetlink string = 'vnetlink'

@description('name of the forwarding ruleset')
param forwardingRulesetName string = 'forwardingRule'

@description('name of the forwarding rule name')
param forwardingRuleName string = 'contosocom'

@description('the target domain name for the forwarding ruleset')
param DomainName string = 'contoso.com.'

@description('the list of target DNS servers ip address and the port number for conditional forwarding')
param targetDNS array = [
  {
    ipAddress: '10.0.0.4'
    port: 53
  }
  {
    ipAddress: '10.0.0.5'
    port: 53
  }
]

resource resolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: dnsResolverName
  location: location
  properties: {
    virtualNetwork: {
      id: resolverVnet.id
    }
  }
}

resource inEndpoint 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: resolver
  name: inboundSubnet
  location: location
  properties: {
    ipConfigurations: [
      {
        privateIpAllocationMethod: 'Dynamic'
        subnet: {
          id: '${resolverVnet.id}/subnets/${inboundSubnet}'
        }
      }
    ]
  }
}

resource outEndpoint 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
  parent: resolver
  name: outboundSubnet
  location: location
  properties: {
    subnet: {
      id: '${resolverVnet.id}/subnets/${outboundSubnet}'
    }
  }
}

resource fwruleSet 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
  name: forwardingRulesetName
  location: location
  properties: {
    dnsResolverOutboundEndpoints: [
      {
        id: outEndpoint.id
      }
    ]
  }
}

resource resolverLink 'Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks@2022-07-01' = {
  parent: fwruleSet
  name: resolvervnetlink
  properties: {
    virtualNetwork: {
      id: resolverVnet.id
    }
  }
}

resource fwRules 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = {
  parent: fwruleSet
  name: forwardingRuleName
  properties: {
    domainName: DomainName
    targetDnsServers: targetDNS
  }
}

resource resolverVnet 'Microsoft.Network/virtualNetworks@2022-01-01' = {
  name: resolverVNETName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        resolverVNETAddressSpace
      ]
    }
    enableDdosProtection: false
    enableVmProtection: false
    subnets: [
      {
        name: inboundSubnet
        properties: {
          addressPrefix: inboundAddressPrefix
          delegations: [
            {
              name: 'Microsoft.Network.dnsResolvers'
              properties: {
                serviceName: 'Microsoft.Network/dnsResolvers'
              }
            }
          ]
        }
      }
      {
        name: outboundSubnet
        properties: {
          addressPrefix: outboundAddressPrefix
          delegations: [
            {
              name: 'Microsoft.Network.dnsResolvers'
              properties: {
                serviceName: 'Microsoft.Network/dnsResolvers'
              }
            }
          ]
        }
      }
    ]
  }
}

此樣本中定義了七個資源：

部署 Bicep 檔案

將 Bicep 檔案以 main.bicep 儲存至本機電腦。
使用 Azure CLI 或 Azure PowerShell 部署 Bicep 檔案

CLI
PowerShell

az group create --name exampleRG --location eastus
az deployment group create --resource-group exampleRG --template-file main.bicep

New-AzResourceGroup -Name exampleRG -Location eastus
New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep

當部署完成時，您應該會看到指出部署成功的訊息。

驗證部署

使用 Azure 入口網站、Azure CLI 或 Azure PowerShell 來列出資源群組中已部署的資源。

CLI
PowerShell

#Show the DNS resolver
az dns-resolver show --name "sampleDnsResolver" --resource-group "sampleResourceGroup"

#List the inbound endpoint
az dns-resolver inbound-endpoint list --dns-resolver-name "sampleDnsResolver" --resource-group "sampleResourceGroup"

#List the outbound endpoint
az dns-resolver outbound-endpoint list --dns-resolver-name "sampleDnsResolver" --resource-group "sampleResourceGroup"

#Show the DNS resolver
Get-AzDnsResolver -Name "sampleDNSResolver" -ResourceGroupName "sampleResourceGroup"

#List the inbound endpoint list
Get-AzDnsResolverInboundEndpoint -DnsResolverName "sampleDnsResolver" -ResourceGroupName "sampleResourceGroup"

#List the outbound endpoint
Get-AzDnsResolverOutboundEndpoint -DnsResolverName "sampleDnsResolver" -ResourceGroupName "sampleResourceGroup"

清除資源

不再需要時，請使用 Azure 入口網站、Azure CLI 或 Azure PowerShell 以下列順序刪除資源。

#Delete the inbound endpoint
az dns-resolver inbound-endpoint delete --dns-resolver-name "sampleDnsResolver" --name "sampleInboundEndpoint" --resource-group "exampleRG"

#Delete the virtual network link
az dns-resolver vnet-link delete --ruleset-name "sampleDnsForwardingRuleset" --resource- group "exampleRG" --name "sampleVirtualNetworkLink"

#Delete DNS forwarding ruleset
az dns-resolver forwarding-ruleset delete --name "samplednsForwardingRulesetName" --resource-group "exampleRG"

#Delete the outbound endpoint
az dns-resolver outbound-endpoint delete --dns-resolver-name "sampleDnsResolver" --name "sampleOutboundEndpoint" --resource-group "exampleRG"

#Delete the DNS resolver
az dns-resolver delete --name "sampleDnsResolver" --resource-group "exampleRG"

#Delete the inbound endpoint
Remove-AzDnsResolverInboundEndpoint -Name myinboundendpoint -DnsResolverName mydnsresolver -ResourceGroupName myresourcegroup

#Delete the virtual network link
Remove-AzDnsForwardingRulesetVirtualNetworkLink -DnsForwardingRulesetName $dnsForwardingRuleset.Name -Name vnetlink -ResourceGroupName myresourcegroup

#Delete the DNS forwarding ruleset
Remove-AzDnsForwardingRuleset -Name $dnsForwardingRuleset.Name -ResourceGroupName myresourcegroup

#Delete the outbound endpoint
Remove-AzDnsResolverOutboundEndpoint -DnsResolverName mydnsresolver -ResourceGroupName myresourcegroup -Name myoutboundendpoint

#Delete the DNS resolver
Remove-AzDnsResolver -Name mydnsresolver -ResourceGroupName myresourcegroup

下一步

在此快速入門中，您建立了一個虛擬網路與 DNS 私人解析器。現在設定 Azure 和內部部署網域的名稱解析。

解析 Azure 和內部部署網域