Azure private DNS zone resolving - azure

We have a private DNS zone setup for the zone project.local. For app service instances living in an app service environment, each service has its own record pointing to the load balancer in front of the service (so all have the same IP).
We have an App Gateway instance linked to a public IP in front to make this all publiccally available. The gateway is available via a public URL and routes the request to the load balancer.
Now what we see is the following:
From external, everything is fine. We can get to the services using the external URL, gateway forwards it and all is well.
From internal, we want to use the internal DNS address set in the private zone. This is not working, calls from service to service throw an error stating that the host URL could not be resolved.
When I log into a VM in the same vNET or use the Kudu console, I'm able to resolve the DNS address to the correct IP. What I do notice is that when using nslookup, it says it's getting a non authoritative answer.
It's very hard to get any more information for debug purposes. We're not sure why resolving isn't working as per documentation these records should work for all of the components in the same vNET. The authoritative error might be related, but again: not sure. So any ideas on what else to check would be highly appreciated.
Disclaimer: I also have a support ticket open for the same question, but wanted to put this out there to see if there's anyone else who might have encountered the same since this is pretty new tech.

Azure DNS Private Zones are able to resolve names between VMs and Cloud services. It does not look like it can be used by Azure Web Apps or Azure App Services at this time. 
You can see more information on name resolution for resources in Azure Virtual Networks Here.
If you would like to request this feature be added to DNS Private Zones, you can leave your feedback Here.

Related

External api management service can't resolve Azure function service name

Currently I am trying to use Api Management to expose an Azure Function http trigger that is within a vnet.
After setting everything up, I tried a simple GET request and I'm getting a 500 error telling me
"messages": [
"Error occured while calling backend service.",
"The remote name could not be resolved: '<function-name>.azurewebsites.net'"
]
My Azure function was:
Created with a premium plan.
enabled inbound traffic with a private endpoint.
deployed in the same Vnet as my api management service.
Added a httpTrigger template from the portal
Was set up with a Azure managed DNS name
My api management service was created in external mode and I linked my function to Api Management in the portal.
Things I've tried:
I've double checked that the correct security group rules have been opened for api management to work
I've ensured that both my api management (external) is in the same vnet as my Serverless function
I deployed a vm to the same virtual network and was unable to resolve the dns name of my function there. Used ping, telnet, nslookup.
Tried adding application settings to my function to specify the azure dns server, among other settings.
Ive check that my private dns zone is linked with my vnet.
Seems like a DNS name resolving issue, but I can't seem to fix it. Any ideas on what could be causing this error?
update
So it seems to be an issue with my private endpoint. Every function I create without one works fine, but I would still like to have the private endpoint so it isn't accessible from the internet.
I know I could probably lockdown my function to only be called from the api management gateway ip, but I would rather not have to hard code IPs if I don't have too.
Thank you MayankBargali-MSFT | Microsoft Docs Posting your suggestion as answer to help other community members.
As per the error, the APIM is not able to resolve your azure function
app. Can you please verify if the custom DNS is correctly setup and
you can refer to this
document
for more details. Outbound access on port 53 is required for
communication with DNS servers. If a custom DNS server exists on the
other end of a VPN gateway, the DNS server must be reachable from the
subnet hosting API Management. I will also suggest you to review this
document for the setup part.
Reference: External api management service can't resolve Azure function service name - Microsoft Q&A

App Service Private Endpoint with Custom Domains gives Error 403 - Forbidden

I'm on the last stage of my journey to try and lock down public access to app. After a bunch of research I decided on using "Private Endpoints" so that only when on work VPN can we access apps. I did manage to get this to work however when I setup custom domains in the VNet it no longer works. I've looked at countless resources and even hit second page of Google a few times...
Basic Setup
I have setup a VM and an out of the box Node App Service in Azure. Both are accessible publicly. I have setup Private endpoints for the appservice and put both on the same VNet. The VM can reach the app nicely, and publicly I can't (yay!)
Here's what I see:
here's my VNet DNS settings
here's the app working on a VM on the VNet.
When it doesn't work
So the above works - but I want to supply my own DNS servers so I can resolve stuff on our internal network which is peered to the VNet. All I do is update the DNS settings to include my custom ones and the Amazon one (just in case)
Now I get a 403 - Forbidden as if I'm accessing it externally:
Several of the tutorials mentioned updating the host file as a test (vs updating internal DNS). I believe I did this like they were showing - but same result
I'm near giving up and using a separate VNet for Inbound/Outbound since I only need the custom DNS on the outbound.
Random Resources
https://www.youtube.com/watch?v=8Zof54j8qWk&ab_channel=WintellectNOW
https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal#create-a-private-endpoint
https://learn.microsoft.com/en-us/azure/app-service/networking-features#private-endpoint
https://learn.microsoft.com/en-us/azure/app-service/networking/private-endpoint
https://learn.microsoft.com/en-us/answers/questions/264747/azure-app-service-with-private-endpoint-throws-403.html
https://learn.microsoft.com/en-us/answers/questions/11844/403-forbidden-access-is-denied.html
After azure publish my domain gives 403 error
Azure App Service Deploy returns (403) Forbidden with IP restriction
WebApp private endpoint azure vpn
Azure API Management with custom domain getting HTTP 403 error
Periodically getting 403 IP Forbidden on App Service with private endpoint
Your internal DNS should forward .azurewebsites.net zone to DNS Forwarder in Azure which then would resolve to private endpoint IP address using default Azure DNS address - 168.63.129.16.
Private Links can only be resolved from Azure (via Virtual Network Link between private DNS zone and virtual network) so without conditional DNS forwarder configured for your internal DNS, it resolves address using public DNS and that's why it doesn't work.
Take a look here at the second example (with own internal DNS server) - https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder

WebApp private endpoint azure vpn

I Have implemented a azure vpn infra in azure, using azure vpn client.
The configuration and connection work just fine.
To test this, I create a private resource (azure virtual machine) allocated it inside azure vpn subnet, and tried to connect using the private ip of the vm while connected to the vpn client, and it did work just fine.
Now I wanted to do the same experiment using azure web app private endpoint following this guide:
https://www.varonis.com/blog/securing-access-azure-webapps/#webapp
I have a point to site connection not a site to site.
I did created the web app and placed it inside the vpn subnet. But the problem is, even if I am connected to the vpn client, I get the error 403 forbidden no matter if I am connected to the vpn or not.
Did this error occurred to somebody who can kindly help me to understand the nature of this issue and how to overcome it?
Thank you very much for your help
Nayden Van This might be occurring for a number of reasons such as forgetting to include the A record for the privatelink URL in the custom DNS server or there might be an internal proxy blocking *.azurewebsites.net.
The most common issue is DNS. Please review the DNS integration content found here to ensure you have correctly configured your DNS for use with privatelink.

Azure App Gateway with Internal API Management 503 backend server error

I am following up this doc series to set up an internal API management instance integrated with APP Gateway in azure. I followed everything to the detail:
Created a new resource group
Setup a Vnet with 3 subnets
And setup a private dns zone and link the vnet
And then created self-signed certificates to be used with the dns created in private dns zone
Created API management instance and added custom domains
Created a App Gateway with public IP and setup routing rules and backends and setup health probes with path /status-0123456789abcdef for APIM
But now I am getting this backend health error as below:
Can someone tell me what I am doing wrong?
Are there any security groups to be configured? I am using an internl mode for the APIM, and when I even try to test the default API (which is echo test) it gives the below error:
Why this is not working? If you need any more information, I will let you know (update the question). Can someone please help me?
I have a similar situation which was driving me insane. I must have changed everything I possibly could. The answer, was to create a custom health probe and at the very bottom of the HTTP settings it was an option to use the custom probe.
Since the Gateway URL is not registered on the public DNS, the test console available on the Azure portal will not work for Internal VNET deployed service. Instead, use the test console provided on the Developer portal.
You can find more details here.

Resolving On-Premise DNS and Google Cloud Internal DNS Together

I have a question about Cloud DNS or Cloud VPN i don't know which is exactly related with my issue. I have a on-premise network and i have an internal dns for this network which is example.int. I've connected via Cloud VPN this on-premise network with a Cloud VPC in my Google Cloud account.
Both of my resources can access each other correctly but my VM's in Google Cloud vpc does not resolve my dns servers in my on-premise network. For example i can access my on-premise server via it's ip adress from Google Cloud VM but i cannot access it via on-premise-vm-1.example.int domain.
If i use my on-premise dns nameservers in resolve.conf i can access on-premise server but in that case .c..internal dns adresses do not work in my vpc. I want to use both of them.
What should i do you think? I could not find any working documentation for it. I want to resolve my on-premise and google cloud internal dns zones from my gcloud vms. Is there any way to do it without making any change on resolve.conf file in my all servers?
Thanks in advance
I try to change Cloud DNS server policies but when i try to change alternate dns servers in there, i cannot access my .internal dnsses due to metadata server. However, i cannot even access my example.int dnsses.
I also try to adding example.int dns into Cloud VPC as private dns zone. It also did not work.
In this case I would recommend to use GCP Cloud DNS private forwarding and point your desired on-prem internal DNS name to your on-prem DNS server.
Be aware that the requests will be coming from 35.199.192.0/19, son in your VPN you should include this range to be reached from your GCP project.
A workaround might be to manually create an internal Cloud DNS zone on your GCP project and manually update your DNS registries there too, the downside about this is that any change you want to make you should make it on both sides.

Resources