Ingress configuration - dns

Please refer to the corresponding section of the following URL. "Configure a DNS name"
https://learn.microsoft.com/en-us/azure/aks/ingress-tls
Only the server name is specified for the creation of the DNS name.
However, in "Create a certificate object", it is demo-aks-ingress.eastus.cloudapp.azure.com and it is "eastus". Should this be replaced with "eastjp"? I replaced it, but "Test the ingress configuration" does not work.
If my AKS Cluster is running on eastjp server, the name should be "xxxxxx.eastjs.cloudapp.azure.com"?

In the document, you create the custom certificate with the DNS name of a public IP for the Ingress. You just can set the prefix of the DNS name, and the remaining part of the DNS name is a Fixed combination in Azure, and the whole name will be as domainnamelabel.location.cloudapp.azure.com. See the description DNS hostname resolution of a Public IP.
So if the "eastjp" you mean a location that Azure support, it will be done. If not, it won't work. And when you create a public IP in a different region for your ingress, it will come out a timeout. Under this circumstance, the DNS name of the public IP could only have the location the same with your AKS cluster.

Related

Azure URL app service not working in vnet with private endpoint

Hi currently I have setup a VNET.
Inside this vnet I made a VM and I added an App-Service in the subnet with an private-endpoint.
The private-endpoint of the App-Service is also automatically added to a privatelink DNS zone. (Azure created this automatically for me) It also points correctly to the right internal ip address.
Now from within my VM I try to access my AppService using curl and using the created .privatelink.azurewebsites.net link to the AppService. But it keeps returning 404.
How is this possible. My knowledge of DNS is limited.
If I do a NSLOOKUP inside the VM, it nicely resolves the privatelink DNS Name and finds the private-endpoint ip address
What am I missing?
Update
When I keep using the original azurewebsites.net xxxxxxx.azurewebsites.net (not the privatelink) URL I can access the appservice from within the VNET.
If I am on the VM, and I do a lookup of the original URL I get this.
Non-authoritative answer:
xxxxxxxxx.azurewebsites.net canonical name = xxxxxxxxx.privatelink.azurewebsites.net.
Name: xxxxxxxx.privatelink.azurewebsites.net
Address: 10.1.1.4
So there is some magic behind the scenes?
When you create a public Azure App Service "xxxxxxxxx", beside provisioning the app service environment also a DNS entry for this new service will be created in one of Microsoft's authoritative DNS servers (they are usually named like ns1-xxx.azure-dns.com) ultimately pointing to the public IP address of the server where your your app service is hosted.
If you add a private endpoint for your app service, the DNS entry in these servers won't be removed. Instead what's happening is that internet access to your web app is cut off using firewall rules.
This means if you type in "xxxxxxxxxx.azurewebsites.net" in your browser outside the VNet, a DNS query is sent and the public IP address of the server is returned. Your browser sends a HTTP query to that IP address but will get a HTTP status code 403 indicating that public traffic is blocked.
Inside your VNet the situation is different. As you described you got a private DNS zone "privatelink.azurewebsites.net" which is linked to the VNet (you can see that in the "Virtual network links" section)
If you now type "xxxxxxxxxx.azurewebsites.net" in a browser in your VM which is placed in the same VNet as xxxxxxxxxx.azurewebsites.net, the DNS server associated with the network adapters (by default accessible in your VM through 168.63.129.16) will use the entries placed in the private DNS zones. If a zone named "privatelink.azurewebsites.net" exists, all queries for the domain "azurewebsites.net" will be resolved using this private DNS zone. For example, if there is an A record entry for "xxxxxxxxxx" for 172.16.0.5...
...this is exactly the IP you'll get when you resolve xxxxxxxxxx.azurewebsites.net in your Azure VM:
C:\Users\vm>nslookup xxxxxxxxxx.azurewebsites.net
Server: UnKnown
Address: 168.63.129.16
Non-authoritative answer:
Name: xxxxxxxxxx.privatelink.azurewebsites.net
Address: 172.16.0.5
Aliases: xxxxxxxxxx.azurewebsites.net
If you delete your private DNS zone, the DNS server will resolve back to ns1-xxx.azure-dns.com which in turn will give you the public IP of the service:
C:\Users\vm>nslookup xxxxxxxxxx.azurewebsites.net
Server: UnKnown
Address: 168.63.129.16
Non-authoritative answer:
Name: waws-prod-am2-459-d21a.westeurope.cloudapp.azure.com
Address: 20.50.2.66
But since the app service still has firewall rules applied that block all traffic coming from outside the VNet, you will get a HTTP status code of 403 if you try to access the service over a browser.
See also: https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint#conceptual-overview

How to apply custom domain name to azure kubernetes services (AKS) cluster?

I have a AKS cluster with default FQDN name with the suffix of "cloudapp.azure.com". I want to get a domain and apply it to the cluster but am not sure how to apply custom domain to Kubernetes cluster in azure.
Can anyone help me with the steps to apply custom domain name to AKS cluster?
If I understand you correctly, you've already deployed your application on Kubernetes and want to connect it to your custom domain name.
For this purpose you can use NGINX Ingress Controller.
Below I will briefly describe how you can do it on AKS:
First you need to create an ingress controller and ingress resource. For Azure AKS detailed instructions can be found here: create-an-ingress-controller.
Note: By default, the public IP address acquired by NGINX Ingress is lost
if the controller is deleted. I recommend you to
create static public IP address, because it remains if the ingress controller is deleted.
Next identify the public IP address (EXTERNAL-IP) associated with
your NGINX Ingress service that was created in the previous step.
Now you need to create an A DNS record, to point your domain to the cluster.
Additionally you may
want to provide CNAME record, but is isn't mandatory and depends
on your needs.It is possible to create Azure DNS Zone for your
custom domain and then add appropriate record sets to this zone.
Note: Azure DNS is not the domain registrar, you have to configure the
Azure DNS name servers as the correct name servers for
the domain name with the domain name registrar. For more
information, see Delegate a domain to Azure DNS.
Azure won't provide you the DNS names, but it has a service named as DNS zone, where you can register your custom domain ( that you may have from providers like GoDaddy etc ), the externalIP of the ingress or any other load balancer that you see in the AKS clusters can be mapped to this custom domain name in the DNS zone and this will take the traffic to the respective AKS cluster.
Advantage of DNS zone is that, you can enter multiple alias URLs as well and can make them to take traffic to AKS cluster, like
abc.com is your domain ( let's say )
api.abc.com is for mobile applications to communicate with AKS and this can be pointed to same URL via CNames in DNS zone.
You can have multiple options here based on your usecase, refer Azure's documentation on DNS zones for that

How to set up endpoints within a Azure Virtual Machine

I'm trying to set up MailTrain (a newsletter application) on an Azure VM. I created a resource group with the virtual machine, a virtual network, a network interface, a network security group, a public ip adress and a private DNS zone.
MailTrain expects three URL endpoints which all point to the same IP adress. For testing purposes I would like to create internal endpoints which all point to the VM. I played around with DNS entries in the DNS zone, but it doesn't work as I expected.
The name of the private DNS zone is equal to the DNS name of the VM's public IP adress. The private DNS zone and the VM are linked with the virtual network link and auto registration is enabled. The virtual network contains a default subnet. I created an A entry for "lists" pointing to the VM's internal IP adress and a CNAME entry for "sbox" pointing to the DNS name of the public IP adress. Inbound rules for the ports 80 and 443 were added to the netwwork security group.
The console shows me the following message while running the installation script:
Domain: lists.xxx.cloudapp.azure.com
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
lists.xxx.cloudapp.azure.com - check that
a DNS record exists for this domain
Domain: sbox.xxx.cloudapp.azure.com
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
sbox.xxx.cloudapp.azure.com - check that a
DNS record exists for this domain
Domain: xxx.cloudapp.azure.com
Type: unauthorized
Detail: Invalid response from
https://xxx.cloudapp.azure.com/.well-known/acme->challenge/VIjYMd-Uic_T2lQBl4vSyy9Va46-yVxmTA8SSE3f8J8
[xxx.xxx.xxx]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>503 Service
Unavailable</title>\n</head><body>\n<h1>Service"
Followed that quick start, you just need to create three DNS records in your public domain DNS zone.
Please note that there is public DNS and private DNS in Azure. In this case, I assume you have created a private DNS zone for internal endpoints. To resolve the records of a private DNS zone from your virtual network, you must link the virtual network with the zone. Additionally, you can also enable autoregistration on a virtual network link. If you enable auto registration on a virtual network link, the DNS records for the virtual machines on that virtual network are registered in the private zone. Or, you can manually create an A record to map to your VM's private IP address in the zone and create other CNAME records to map to the other internal endpoints.
As a best practice, do not use a .local domain for your private DNS zone. Not all operating systems support this.
In addition, you need to add inbound ports 80, 443 in your network security group that associated with the Azure VM subnet or NIC.
Update
For an internal test, you can use a private DNS zone because the DNS records in a private Zone can only be resolved in a virtual network it can not be resolved over the Internet, you could select the local installation in this scenario.
For example, I create a private DNS zone named contoso.com,
After local install, you can access the website via the trusted endpoint http://localhost:3000, then you should access the other endpoints in the VNet instead of access external.
However, if you want to use it for public access, you could select to install a public website secured by SSL. In this case, you need to purchase a domain and add the related DNS records to the DNS zone in the respective DNS provider. Azure DNS zone supports host your public domain zones in Azure.

Configure custom DNS for Public IP Address

i created VM behide Azure Load Balancer. i want to use custom domain to Load Balance Public IP. for example i want to access url like 'xx.mvg.com' instead Load Balance Public IP from internet. how i can do it?
i tried to did followed reference link 'https://learn.microsoft.com/en-us/azure/dns/dns-custom-domain' but still not working.
Please recommend how to register my domain name i wish, i want map my domain name to my application running on VM behide Azure Load Balancer.
and Azure have service about internet domain registrar?
about your last question - no, Azure have only Azure DNS, which is not a domain registrar, but a DNS as a service.
Easiest way to achieve what you want - assign a dns name to a public ip (called dns label here) and create a CNAME record in your DNS for that DNS name. or just straight up create a A record in your DNS and point it to your public ip.

How to assign azure custom dns to public ip

I have resource group on azure containing virtual machine and kubernetes and load balancer and public ip address and etc.
I can access to my kubernetes app with direct public ip or public ip dns name. But problem is that i can't get azure custom dns (dns zone) working for my public ip. e.g. myapp.com
I have tried to assign public ip address in dns zone but not getting custom dns name working for my app.
2 options:
1. A record that points to public ip address explicitly
2. CNAME record that points to azure "internal" dns name
From the description it looks like you haven't updated the name server settings of your domain (e.g. myapp.com) to use Azure DNS's name servers (where you have created a zone for that domain name) for query resolutions.
The article linked below has instructions on how to do it. Please let us know if this answers your question.
https://learn.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns

Resources