How Do I Resolve A Public DNS Name To An Internal IP On Azure? - azure

I have an Azure network set up with the default Azure DNS.
All the VMs are Ubuntu.
When I try to access another VM on the network via the public DNS name, it resolves to the public IP.
How do I make it resolve to the internal IP when I request it from the virtual network (and obviously still resolve to the public IP when requested externally)?
I'm interested in CLI answers as well as configurations through the portal.

Azure DNS for IaaS and PaaS solutions
Please see this article for more information on Azure's own DNS service associated with virtual networks. In short:
When role instances and VMs hosted in Azure need to resolve domain
names to internal IP addresses, they can use one of two methods:
Azure-provided name resolution
Name resolution that uses your own DNS server (which might forward queries to the Azure-provided DNS servers)
The type of name resolution you use depends on how your VMs and role
instances need to communicate with each other.
Azure DNS Private Zones (in preview)
There's also a relatively new service called Azure DNS Private Zones that allows you to set up a private DNS service to be used with, for example, virtual networks.
This service allows you to set up a private domain and private IPs for your machines. See this page for more information and some common usage scenarios.
Also, see this feature suggestion:
Enable split DNS for providing both public and internal name resolution to VMs in the VNET
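A concrete version of the split-horizon setup the answer points to, written here as an added example (it is not from the original post or from Azure's documentation): a private DNS zone with the same name as the public zone, linked to the VNet, with the VM's hostname pointing at its private IP, plus a check that the two views really differ. The resource group, VNet, zone and VM names are assumptions, and the Azure CLI and `dig` are assumed to be installed.

```shell
#!/bin/sh
# Split-horizon DNS for an Azure VNet with the Azure CLI (added example).
# Every name below is an assumption; override via the environment.
set -e

RG="${RG:-rg-example}"            # resource group holding VNet, VM and zone
VNET="${VNET:-vnet-example}"      # VNet the VMs live in
ZONE="${ZONE:-example.com}"       # same apex as the public zone
NAME="${NAME:-vm1}"               # hostname being resolved
VM="${VM:-vm1}"                   # VM whose private IP the name should get
AZURE_RESOLVER=168.63.129.16      # Azure-provided resolver, reachable only from inside a VNet

is_private_ipv4() {
  # Returns 0 when $1 is in 10/8, 172.16/12 or 192.168/16, else 1.
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*)
      second=$(printf '%s' "$1" | cut -d. -f2)
      [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
      ;;
  esac
  return 1
}

create_split_dns() {
  # 1. Private zone with the same name as the public zone.
  az network private-dns zone create -g "$RG" -n "$ZONE" -o none
  # 2. Link it to the VNet: from now on 168.63.129.16 answers *.$ZONE for this
  #    VNet from the private zone. Registration is off; records are explicit.
  az network private-dns link vnet create -g "$RG" -z "$ZONE" -n "${VNET}-link" \
    -v "$VNET" --registration-enabled false -o none
  # 3. Same hostname, private address.
  private_ip=$(az vm show -d -g "$RG" -n "$VM" --query privateIps -o tsv)
  az network private-dns record-set a add-record -g "$RG" -z "$ZONE" \
    -n "$NAME" -a "$private_ip" -o none
  echo "$NAME.$ZONE -> $private_ip inside $VNET"
}

verify_from_vnet() {
  # Run this on a VM inside the linked VNet. The Azure resolver must hand back a
  # private address; a public resolver must still hand back the public one.
  internal=$(dig +short "$NAME.$ZONE" @"$AZURE_RESOLVER" | tail -n1)
  external=$(dig +short "$NAME.$ZONE" @8.8.8.8 | tail -n1)
  is_private_ipv4 "$internal" || { echo "VNet view returned '$internal'" >&2; return 1; }
  if is_private_ipv4 "$external"; then
    echo "public view leaked a private address: $external" >&2; return 1
  fi
  echo "ok: $NAME.$ZONE -> $internal (VNet) / $external (Internet)"
}

case "${1:-}" in
  create) create_split_dns ;;
  verify) verify_from_vnet ;;
esac
```

Run `sh split-dns.sh create` from anywhere the CLI is logged in, then `sh split-dns.sh verify` from a VM inside the linked VNet. The caveat that bites people: once the VNet is linked to a private zone named `example.com`, the Azure resolver answers every `*.example.com` query from that zone and returns NXDOMAIN for names the private zone does not contain, with no fallback to the public zone. Any other public records under that name that the VMs depend on (mail, API endpoints, third-party CNAMEs) therefore have to be copied into the private zone as well.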

Related

How to allow workloads to manage their own DNS entries when running on VMs joined to an Azure AD Domain Services (AADDS) domain?

How can we allow application workloads to manage their own DNS entries when their VMs also need to be joined to an AADDS domain (without violating the principle of least privilege)?
Background
We have the following network configuration:
A Hub VNET containing an Azure AD Domain Services (AADDS) managed domain called mydomain.co.uk. This VNET will also host a VNET Gateway, a Bastion instance and a couple of management VMs.
Multiple "environment" VNETs, all peered to the Hub, to run application workloads. These workloads are all currently running on domain-joined VMs & VMSSs that are behind both a Standard Load Balancer (for internal traffic) and an Application Gateway (for public traffic). The IP addresses of those load balancers and App Gateways need to be resolvable via DNS.
Requirements
We would like all applications to be resolvable using the same TLD domain - both internally and externally (e.g. myapp.env1.mydomain.co.uk should work internally and externally).
The Hub is created by a single pipeline running a terraform configuration that is maintained by the Platform Team. The Platform Team should not need to be involved when provisioning environments.
Each environment is created by its own pipeline, running terraform configurations that are maintained by the various Product Teams. The Product Teams should be able to spin up & destroy environments without any input from the Platform Team.
Problem
Public DNS resolution was easy to setup. We simply granted each environmental pipeline permission to register records in an Azure public DNS zone. The problem arose when we tried to solve internal DNS Resolution.
We tried creating a Private DNS zone for mydomain.co.uk and linking it to the environmental VNETs. Unfortunately, the VMs in those VNETs then fail to join the domain due to the lack of domain SRV records (these are created by default in AADDS). So it seems that AADDS requires that any VNETs containing VMs that want to join the domain use its IP addresses for DNS resolution. This means any apps running on those VMs must send their DNS queries to AADDS, not to an Azure Private DNS Zone.
We thought about giving the environment pipelines permission to create records in the AADDS DNS zone. Unfortunately, the Microsoft docs say that only users that are members of the "AAD DC Administrators" group can add/remove DNS records. This is far too much power to give to the environmental pipelines (it would allow them to delete other workloads' VMs from the domain for example).
We then tried linking the Private DNS zone to the Hub VNET, in the hope that we could configure AADDS to forward any DNS requests that it can't resolve to Azure DNS. Unfortunately, AADDS does not forward any DNS requests for mydomain.co.uk onto Azure DNS - presumably because it believes it is authoritative for that zone.
Is there another mechanism that we haven't thought of yet?
• Since you want the app workloads running on VMs in the spoke virtual network to search or forward the DNS requests from the Azure private DNS zone to the AADDS, you can surely leverage the functionality of a conditional forwarder in this regard. Thus, to use this functionality, you would need to configure a VM as a ‘Domain Controller’ for this managed domain and associate it with a subnet that is reachable by all the domain-joined resources in the hub and spoke virtual network model.
To join a VM to a managed domain and configure it as a ‘Domain Controller’ for serving the full features of ADDS and DNS, kindly refer to the link below for more details:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-dns#before-you-begin
Also, to configure the conditional forwarder on the AADDS-joined VM configured as a DC, make sure to install the DNS Server tools, use the DNS console to manage the records in AADDS, and follow the steps below to configure a conditional forwarder on the AADDS VM:
a) Log in to the VM and open ‘Administrative Tools’ --> ‘DNS’ --> the DNS Management Console opens --> Connect to DNS Server dialog
b) Select Conditional Forwarders, then right-click and choose New Conditional Forwarder --> enter the other DNS domain, for example ‘contoso.com’, then enter the IP addresses of the DNS servers for that namespace as shown below:
c) Check the box for ‘Store this conditional forwarder in Active Directory, and replicate it as follows’, then select the option for ‘All DNS servers in this domain’, as shown in the following example:
‘Conditional forwarder should be stored in the domain, not in the forest’
d) Name resolution of the resources in other namespaces from VMs connected to the managed domain should now resolve correctly. Queries for the DNS domain configured in the conditional forwarder are passed to the relevant DNS servers (Azure private DNS zone), and from there the DNS requests are forwarded to the Azure VMs mapped or registered in there accordingly.
Thus, in this way, if you configure AADDS to forward DNS requests to the Azure private DNS zone with the help of a conditional forwarder, you would be able to forward the DNS requests for ‘mydomain.co.uk’ to the Azure private DNS zone for further resolution.
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-dns#create-conditional-forwarders
A comment on the above answer (thanks #Kartik), led me to the ultimate answer... which is that I'm trying to do something that is not recommended by Microsoft :-(
Apparently, I shouldn't be using the same name for both my AADDS managed domain and my application workloads:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#create-a-managed-domain
If you create a custom domain name, take care with existing DNS namespaces. It's recommended to use a domain name separate from any existing Azure or on-premises DNS name space.
For example, if you have an existing DNS name space of contoso.com, create a managed domain with the custom domain name of aaddscontoso.com. If you need to use secure LDAP, you must register and own this custom domain name to generate the required certificates.
It seems I am going to have to:
Choose another name for my managed domain (e.g. aadds.mydomain.co.uk)
Set all VNETs to use it for DNS resolution.
Setup a DNS forwarder to an Azure Private DNS zone containing the records for my workloads (mydomain.co.uk).

Azure Virtual Machine cannot resolve DNS entry of Application Gateway

I have the following situation:
If I deploy an application (Deployment, Service and Ingress) in my kubernetes cluster, my ingress deployment is being automatically added to my application gateway (I am using the Azure Application Gateway Ingress Controller; https://azure.github.io/application-gateway-kubernetes-ingress/annotations/ ). So far so good.
That means that my application can be reached via my application gateway via https://my-app-gateway-public-ip/myAppPath/. Also, I have an additional private DNS zone which makes my app accessible via https://dns-name/myAppPath.
Additionally, we have AADDS in combination with a Bastion service. We deployed some virtual machines, and the virtual machines use the DNS resolver of the AADDS (for authentication against the AAD).
The problem is: if I am outside of the cloud, I can nslookup the DNS name or access the site via the IP, but I cannot do that from my virtual machines. My DNS server (within the AADDS) is unable to resolve the DNS name or reach the IP. I am wondering what the issue is.
The bastion and AADDS are in different subscriptions and therefore different virtual networks. I established already a peering between those virtual networks (or the authentication between the AADDS and the VMs wouldn't work).
The kubernetes cluster and the application gateway are also in a different subscription, but no peering has been done so far.
Are there any hints what I could be missing?
Kind regards
• Since you are using a Bastion gateway server to connect to the VMs hosted in your subscription, the Bastion gateway server must have a public IP address through which the registered underlying VMs can then be connected to via private links created in the private DNS zones associated with a particular virtual network, in a subnet, with an assigned private IP address and an FQDN accordingly. Thus, if you want to access the application website hosted behind the application gateway, then you will have to create a conditional forwarder in the DNS zone in AADDS to redirect the internal requests from the VMs hosted within a virtual network to the public IP address of the website hosted behind the application gateway.
• Thus, a conditional forwarder forwards the DNS resolution requests for a particular resource hosted on the public internet for which the DNS host resolution is not found or done in that DNS zone which usually serves or fulfils the requests related to the internal environment. As a result, when a VM configured with a private IP and registered as a host in the internal DNS zone queries the public IP or FQDN associated with the application’s website, the DNS requests are forwarded to the public internet through the conditional forwarder, and then the results are displayed in the VM’s browser for the application’s webpage. Thus, the VMs don’t need to have internet access, but the DNS server should have it, or should forward the requests through the Internet proxy server accordingly, to reach the internet.
For more information on creating conditional forwarder in AADDS, kindly refer to the below link: -
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-dns#create-conditional-forwarders

Resolve Azure Private DNS zone entry from domain joined VM

We have a virtual machine created in Azure which is using a private VNet configured with custom DNS servers in order to domain join the VM (e.g. contoso.com).
Now we have a private DNS zone (e.g. subdomain.contoso.com) created in Azure which is linked to the same VNet as the VM. However, we are not able to resolve the private DNS entries from within the domain-joined VM, as I believe Azure queries the Azure private DNS zone via the IP 168.63.129.16.
Is there a way we can forward DNS requests from a VM in an Azure VNet using custom DNS servers to an Azure private DNS zone linked to the same VNet?
Any help is much appreciated. Thanks.
By using Azure Private DNS, you can resolve domain names in a virtual network without the need to add a custom DNS solution.
By using private DNS zones, you can use your own custom domain names rather than the Azure-provided names available today
Is there a way we can forward DNS requests from a VM in Azure VNet using custom DNS servers to Azure private DNS zone linked to the same VNet?
If you have created a custom private DNS zone, you can enable the auto-registration feature so that DNS requests from your VM in the VNET will be forwarded to the Azure private DNS zone.
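The three AADDS/custom-DNS questions above (the mydomain.co.uk hub-and-spoke design, the VM that cannot resolve the Application Gateway's private zone, and the domain-joined VM behind custom DNS servers) all end in the same place: the Azure resolver at 168.63.129.16 only answers private-zone queries that originate inside a VNet linked to the zone, so the DNS servers the VMs actually use must sit in such a VNet and must conditionally forward the zone to that resolver. The following added example (not code from any of the posts, nor Microsoft's) wires that up with the Azure CLI for the mydomain.co.uk case: link the zone to the hub VNet by resource id (which works across subscriptions), point the spoke VNets at the managed domain's DNS servers, give each environment pipeline a role scoped to the one zone, and emit the PowerShell one-liner to run on a domain-joined management VM. Every resource name, id and IP is an assumption, as is that the DnsServer cmdlets on the management VM can reach the managed domain controllers; if they cannot, the DNS console route from the earlier answer does the same thing.

```shell
#!/bin/sh
# AADDS conditional forwarder to an Azure private DNS zone, with zone-scoped
# RBAC for environment pipelines (added example; all names are assumptions).
set -e

ZONE_RG="${ZONE_RG:-rg-hub}"
WORKLOAD_ZONE="${WORKLOAD_ZONE:-mydomain.co.uk}"        # Azure private DNS zone for apps
AADDS_DOMAIN="${AADDS_DOMAIN:-aadds.mydomain.co.uk}"    # managed domain name
AADDS_DNS_IPS="${AADDS_DNS_IPS:-10.0.0.4 10.0.0.5}"     # from the managed domain's properties blade
HUB_VNET_ID="${HUB_VNET_ID:-/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hub/providers/Microsoft.Network/virtualNetworks/vnet-hub}"
MGMT_VM="${MGMT_VM:-vm-mgmt01}"                         # domain-joined Windows VM with RSAT DNS tools
PIPELINE_SP="${PIPELINE_SP:-00000000-0000-0000-0000-000000000001}"  # env pipeline's service principal object id
AZURE_RESOLVER=168.63.129.16

zone_names_ok() {
  # The guidance quoted above: the managed domain must not reuse the workload
  # namespace. Rejects the exact-match case that broke domain join.
  [ "$1" != "$2" ]
}

forwarder_script() {
  # PowerShell for the management VM, run interactively as a member of
  # 'AAD DC Administrators' (run-command executes as SYSTEM and would be refused).
  # $1 = zone to forward, $2 = forwarder target, $3 = a managed DC to manage.
  printf "Add-DnsServerConditionalForwarderZone -Name '%s' -MasterServers %s -ReplicationScope 'Domain' -ComputerName '%s'\n" "$1" "$2" "$3"
}

link_zone_to_hub() {
  # Forwarded queries originate from the managed DCs in the hub VNet, so the
  # zone must be linked there. A resource id works across subscriptions.
  az network private-dns link vnet create -g "$ZONE_RG" -z "$WORKLOAD_ZONE" \
    -n hub-link -v "$HUB_VNET_ID" --registration-enabled false -o none
}

point_spokes_at_aadds() {
  # Every VNet with domain-joined VMs must use the managed domain's DNS servers
  # (linking the spokes to the private zone instead is what hid the SRV records).
  for v in "$@"; do                      # each argument is "resourcegroup/vnet"
    # shellcheck disable=SC2086  # word-split the IP list on purpose
    az network vnet update -g "${v%/*}" -n "${v#*/}" --dns-servers $AADDS_DNS_IPS -o none
  done
}

delegate_zone_to_pipeline() {
  # Least privilege: the pipeline can write records in this one zone and
  # nothing else, the same trust boundary already used for the public zone.
  zone_id=$(az network private-dns zone show -g "$ZONE_RG" -n "$WORKLOAD_ZONE" --query id -o tsv)
  az role assignment create --assignee-object-id "$PIPELINE_SP" \
    --assignee-principal-type ServicePrincipal \
    --role "Private DNS Zone Contributor" --scope "$zone_id" -o none
}

main() {
  zone_names_ok "$AADDS_DOMAIN" "$WORKLOAD_ZONE" \
    || { echo "managed domain must not reuse the workload zone name" >&2; exit 1; }
  link_zone_to_hub
  point_spokes_at_aadds "rg-env1/vnet-env1" "rg-env2/vnet-env2"
  delegate_zone_to_pipeline
  echo "Now run this on $MGMT_VM as a member of 'AAD DC Administrators':"
  forwarder_script "$WORKLOAD_ZONE" "$AZURE_RESOLVER" "${AADDS_DNS_IPS%% *}"
}

if [ "${1:-}" = run ]; then main; fi
```

Names under aadds.mydomain.co.uk are still answered by the DC's own authoritative zone; the conditional forwarder only applies to names the DC is not authoritative for, which is why the parent/child split works. If a pipeline must not be able to touch other environments' records, give each environment its own zone (env1.mydomain.co.uk, linked to the hub VNet) and scope the role to that zone; the single forwarder for mydomain.co.uk still covers them, because 168.63.129.16 matches the most specific linked zone. For the custom-DNS case the forwarding server itself must be in an Azure VNet linked to the zone; an on-premises DNS server reached over VPN cannot query 168.63.129.16 at all.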

Azure Virtual Network / VM's Setup to Share One Public IP

I've recently set up a point-to-site VPN on Azure. In doing so I have created:
Azure Virtual Network
Azure Virtual Network Gateway
Azure Virtual Network Gateway IP (static)
Azure VM
I was under the impression that any VM set to use the above said Virtual Network would all share the same public IP? However, it appears that the Azure VM I set up is instead using its own dynamic public IP.
Is there a way to route any VM on the Custom Virtual Network I created through one public IP? IF so - how can I do this?
According to your description, you have created a point-to-site VPN. In this scenario, we can remove the public IP addresses from the VMs; then you can access your VMs with private IP addresses via VPN.
You are correct - I have the VPN working correctly. My only concern is this: it'd be great if all of those VMs in that private network shared the same static IP; that way I could grant access to that IP in my firewall to other systems I have in other hosting platforms (as they are all typically locked down by IP).
It sounds like your reference to availability sets may be the phrase I was looking for to further google.. I will check it out and let you know.
Please let me know if anything I added above changes your answer/recommendations :)
I was under the impression that any VM set to use the above said Virtual Network would all share the same public IP?
You are talking about the Azure ASM model (classic). In the ASM model, VMs can use the same public IP address (NAT).
However it appears that the Azure VM I set up is instead using its own dynamic public IP.
In the Azure Resource Manager model, we can create Azure VMs with different public IP addresses.
Is there a way to route any VM on the Custom Virtual Network I created through one public IP?
According to your description, you have created a point-to-site VPN. In this scenario, we can remove the public IP addresses from the VMs; then you can access your VMs with private IP addresses via VPN.
If you want to access those VMs from the Internet and use one public IP address, we can create the VMs in the same availability set and deploy an Internet-facing load balancer, then add NAT rules to them; in this way, we can access those VMs using the same public IP address and different ports.
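The answer's last paragraph carried through as an added example (not the answerer's code): one static Standard public IP, a Standard Load Balancer, an inbound NAT rule per VM so each is reachable on the shared address at its own port, and an outbound rule so that the VMs' egress to other hosting platforms also leaves from that one address, which is what the comment about firewall allow-listing actually needs. Resource names and the `<vm>-nic`/`ipconfig1` NIC naming are assumptions.

```shell
#!/bin/sh
# One static public IP shared by several ARM VMs via a Standard Load Balancer
# (added example; names are assumptions, override via the environment).
set -e

RG="${RG:-rg-example}"
LB="${LB:-lb-shared}"
PIP="${PIP:-pip-shared}"
FE=frontend
POOL=backend
VMS="${VMS:-vm1 vm2 vm3}"       # each VM has a NIC named <vm>-nic with ipconfig1
SNAT_PORTS_PER_IP=64000         # usable SNAT ports per frontend IP on Azure LB

snat_ports_per_instance() {
  # Largest multiple of 8 that lets $1 backend instances share one frontend IP;
  # outbound-rule port allocations must be multiples of 8.
  share=$(( SNAT_PORTS_PER_IP / $1 ))
  echo $(( share - share % 8 ))
}

nat_frontend_port() {
  # Deterministic per-VM frontend port: 50001 for the first VM, 50002 next, ...
  echo $(( 50000 + $1 ))
}

count_words() { echo $#; }

create_shared_ip() {
  az network public-ip create -g "$RG" -n "$PIP" --sku Standard --allocation-method Static -o none
  az network lb create -g "$RG" -n "$LB" --sku Standard --public-ip-address "$PIP" \
    --frontend-ip-name "$FE" --backend-pool-name "$POOL" -o none

  i=0
  for vm in $VMS; do
    i=$(( i + 1 ))
    port=$(nat_frontend_port "$i")
    # Inbound: <public ip>:5000N -> <vm>:22, the "same IP, different ports" path.
    az network lb inbound-nat-rule create -g "$RG" --lb-name "$LB" -n "ssh-$vm" \
      --protocol Tcp --frontend-port "$port" --backend-port 22 --frontend-ip-name "$FE" -o none
    az network nic ip-config inbound-nat-rule add -g "$RG" --nic-name "$vm-nic" \
      --ip-config-name ipconfig1 --lb-name "$LB" --inbound-nat-rule "ssh-$vm" -o none
    az network nic ip-config address-pool add -g "$RG" --nic-name "$vm-nic" \
      --ip-config-name ipconfig1 --lb-name "$LB" --address-pool "$POOL" -o none
  done

  # Outbound: every pool member is SNATed from $PIP, so that one address is what
  # the other hosting platforms see and can allow-list.
  az network lb outbound-rule create -g "$RG" --lb-name "$LB" -n egress --protocol All \
    --frontend-ip-configs "$FE" --address-pool "$POOL" \
    --outbound-ports "$(snat_ports_per_instance "$(count_words $VMS)")" -o none

  az network public-ip show -g "$RG" -n "$PIP" --query ipAddress -o tsv
}

if [ "${1:-}" = create ]; then create_shared_ip; fi
```

Three things the answer leaves implicit. Standard SKU cannot be mixed with Basic, so the VMs' own dynamic (Basic) public IPs have to be dissociated before they join the pool. A Standard Load Balancer is closed by default: the NSG on the NICs or subnet must allow the NAT ports (here 50001-50003) from your source ranges, and without the outbound rule (or a NAT gateway on the subnet) the pool members get no Internet egress at all. And the port-allocation arithmetic matters because once the per-instance SNAT budget is exhausted new outbound connections simply fail, which looks like an intermittent firewall problem on the far side.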

Azure Reserved IP Address Inconsistency

I had a need to add additional public IP addresses to an Azure VM and found a working solution here:
Azure VM: More than one Public IP
Essentially this creates a reserved IP in Azure and then adds the reserved IP to a cloud service. Once it's bound to a cloud service it can be mapped to a VM endpoint.
This all works great but there is one bit I don't understand - The IP address of the reserved IP and the resultant VM endpoint don't match. I have to set up DNS to point to the IP address of the endpoint to make this work. Is there something I am not doing right, or is this just the way reserved VMs work?
It looks like this unanswered question is the same issue:
azure reserved IP for VM is different than the given
Thanks!
The "Azure Cloud Service" is a container that provides internet connectivity to "Azure VMs". Thus, you assign the Internet facing Public IP to the Cloud Service. This article is relatively good at explaining the relationship: Azure Cloud Services
From above link:
Here’s a definition of an Azure IaaS cloud service that will make it easy for you to understand what it is in the context of Azure Infrastructure Services:
A cloud service is a network container where you can place virtual machines.
All virtual machines in that container can communicate with each other directly through Azure (and therefore don’t have to go out to the Internet to communicate with each other).
This container is also assigned a DNS name that is reachable from the Internet.
A rudimentary DNS server is created and can provide name resolution for all virtual machines within the same cloud service container (note that name resolution provided by the DNS server is only available to the virtual machines that are located within the cloud service).
One or more Virtual IP Addresses (VIPs) are assigned to the container and these IP addresses can be used to allow inbound connections from the Internet to the virtual machines.
Certain services (like FTP) may require your vm have a public IP: Azure VM Public IP
(IaaS v1) An Azure cloud service comes with a permanent DNS name - something.cloudapp.net - and has a single VIP allocated whenever there are VMs deployed in it OR whenever a reserved IP address is associated with it. Traffic is either load balanced or NATted (port forwarded) to the VM from the Azure Load Balancer sitting on the VIP. You can also associate a public instance-level IP address (PIP) with a VM, which gives it an additional IP address. The VIP always has a DNS name (something.cloudapp.net) while the PIP has one only if you specifically add it, I did a post which goes into these differences.
(IaaS v2) VMs are not deployed into cloud services and only have a public IP address if one is specifically added - either by configuring a PIP on the NIC of the VM (and optionally giving it a cloudapp.azure.com DNS name) or by configuring a load balancer and either load balancing or NATting traffic to it. This load balancer is configured with a public IP address and can optionally have a cloudapp.azure.com DNS name associated with it. (Ignoring internal load balancers in this discussion.)
