Internal DNS address for Google Cloud internal load balancers - dns

According to this documentation page, every VM instance has a DNS entry of the following form:
hostName.c.[PROJECT_ID].internal
This would look something like:
redis.c.myproject.internal
I want to know if there is an equivalent for internal load balancers. Looking at the documentation, there doesn't seem to be anything, but that looks like a pretty big oversight.
So, is there a way to access an internal LB in GCP via a DNS entry?

There is no entry in the GCE DNS metadata server for LBs. There is an open feature request for this at https://issuetracker.google.com/issues/35904974. You can star that request to signal your interest and subscribe to updates.

Now you can do this with Cloud DNS.
Create a zone and then add your IP; it can be anything from a VM to an LB, whatever you want to resolve under the VPC.
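An added example of the zone-plus-record setup the answer describes, not the answerer's own code: it creates a Cloud DNS private zone visible only inside one VPC network and adds an A record that names an internal load balancer by its forwarding-rule IP. The project, network, zone name, DNS suffix and IP address are hypothetical placeholders, and GCLOUD defaults to `echo gcloud` so the script prints the commands it would run instead of executing them.

```sh
#!/bin/sh
# Added example, not the answerer's code: create a Cloud DNS private zone that is
# visible only inside one VPC network, then add an A record that names an internal
# load balancer by its forwarding-rule IP. Project, network, zone name, DNS suffix
# and IP below are hypothetical placeholders.
# GCLOUD defaults to "echo gcloud", so running this prints the commands it would
# run; set GCLOUD=gcloud to apply them for real.
: "${GCLOUD:=echo gcloud}"

PROJECT=myproject                 # hypothetical project id
NETWORK=default                   # VPC network allowed to query the zone
ZONE_NAME=internal-services       # Cloud DNS managed-zone resource name
DNS_NAME=svc.internal.example.    # suffix served by the zone; Cloud DNS needs the trailing dot

# Return 0 only for a well-formed dotted-quad IPv4 address (each octet 0-255).
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Private zone: only VMs in $NETWORK get answers for names under $DNS_NAME.
create_private_zone() {
  $GCLOUD dns managed-zones create "$ZONE_NAME" \
    --project="$PROJECT" \
    --dns-name="$DNS_NAME" \
    --visibility=private \
    --networks="$NETWORK" \
    --description="Names for internal load balancers"
}

# Add an A record $1.$DNS_NAME -> $2 (the internal forwarding rule's IP).
# Refuses malformed addresses instead of letting gcloud reject them later.
add_internal_record() {
  name=$1; ip=$2
  is_ipv4 "$ip" || { echo "add_internal_record: not an IPv4 address: $ip" >&2; return 1; }
  $GCLOUD dns record-sets create "${name}.${DNS_NAME}" \
    --project="$PROJECT" \
    --zone="$ZONE_NAME" \
    --type=A \
    --ttl=300 \
    --rrdatas="$ip"
}

create_private_zone
add_internal_record redis 10.128.0.20   # hypothetical internal LB IP
```

One caveat when you do this for real: the record only stays correct if the internal forwarding rule keeps its address, so reserve a static internal IP for the forwarding rule rather than relying on an ephemeral one, and keep the TTL short enough that a rebuild does not leave clients pinned to a dead address for long.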

Related

Azure Front-Door Route to API-M returns "DNSNameNotResolved" ErrorInfo

Randomly, without any warning, a request to be routed to a backend process returns a 503 error. After looking into it, it looks like a "DNSNameNotResolved" gets returned when forwarding the request.
I tried looking around but could not find out why this happens. There appear to be no problems when routing to the backend. I also can't find the request on the backend at all. The backend is an Azure API-M service.
When one machine has to connect to another machine, it has to perform DNS name resolution.
The error indicates that APIM wasn't able to convert the hostname of the backend (e.g. contoso.azurewebsites.com) to an IP address and couldn't connect to it.
The most frequent cause for this error is using an incorrect hostname while setting up the API configuration.
Refer to the common network configuration issues on APIM: https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet#-common-network-configuration-issues
You may try DNS resolution by referring to: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway#set-up-custom-domain-names-in-api-management
along with the DNS configuration: https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain#dns-configuration
Also check that the public IP address of the APIM service is unchanged: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-ip-addresses#changes-to-the-ip-addresses
Other References:
Tutorial to add custom domain to your front door-
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain
Troubleshoot Azure Front Door configuration problems- https://learn.microsoft.com/en-us/azure/frontdoor/front-door-troubleshoot-routing
So according to Microsoft, the TTL on the DNS records on Front-Door is really short and thus it is very DNS-aggressive; this falls within the 99.9% uptime. When this falls within the said uptime, they will look into adjustments for Front-Door.

Azure private DNS zone resolving

We have a private DNS zone setup for the zone project.local. For app service instances living in an app service environment, each service has its own record pointing to the load balancer in front of the service (so all have the same IP).
We have an App Gateway instance linked to a public IP in front to make this all publicly available. The gateway is available via a public URL and routes the request to the load balancer.
Now what we see is the following:
From external, everything is fine. We can get to the services using the external URL, gateway forwards it and all is well.
From internal, we want to use the internal DNS address set in the private zone. This is not working, calls from service to service throw an error stating that the host URL could not be resolved.
When I log into a VM in the same vNET or use the Kudu console, I'm able to resolve the DNS address to the correct IP. What I do notice is that when using nslookup, it says it's getting a non authoritative answer.
It's very hard to get any more information for debug purposes. We're not sure why resolving isn't working as per documentation these records should work for all of the components in the same vNET. The authoritative error might be related, but again: not sure. So any ideas on what else to check would be highly appreciated.
Disclaimer: I also have a support ticket open for the same question, but wanted to put this out there to see if there's anyone else who might have encountered the same since this is pretty new tech.
Azure DNS Private Zones are able to resolve names between VMs and Cloud services. It does not look like it can be used by Azure Web Apps or Azure App Services at this time. 
You can see more information on name resolution for resources in Azure Virtual Networks Here.
If you would like to request this feature be added to DNS Private Zones, you can leave your feedback Here.

Point azure hosted root domain to aws classic load balancer

I need to point an Azure hosted root domain/naked domain (example.com) to an AWS Elastic Load Balancer. Classic ELBs don't have IPs, while A records can only point to IPs. Azure doesn't support the non-standard ALIAS/ANAME records that allow a CNAME-like configuration for A records.
Azure DNS provides a way to point to Azure cloud hosted websites using a combination of pointing the A record to the website's IP and creating a TXT record containing the DNS name of the website.
AWS Route 53 provides the ALIAS record type for connecting root domains to Load Balancers.
Is there a way to do this without resorting to using an extra server instance with a static (elastic) IP address just to do 301 redirects to www.example.com?
EDIT: I should add that since asking this question I found out that AWS network load balancers support both static and elastic IPs, but we are on OpsWorks Chef 11 stacks, which only support classic load balancers.
Azure doesn't support the non-standard ALIAS/ANAME records
Note that these are not non-standard records, because they aren't record types at all. They are configuration entries that allow the nameservers to generate and return a standard A or AAAA record (or other standard types, in Route 53) based on information obtained dynamically by the nameserver, rather than based on static configuration.
But, there isn't another good solution to this. That's why these options exist.
A workaround is to use a service like http://wwwizer.com.
But your easiest and most straightforward solution is to host the domain on Route 53. This doesn't require changing your registrar -- you only have to change the authoritative nameservers. If you have subdomains that need their DNS hosted elsewhere for operational reasons, you can always delegate them. But this is a limitation of the fundamental design of DNS.
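An added example of the Route 53 side of this answer, not the answerer's own code: it builds the change batch for an alias at the zone apex and submits it with the AWS CLI. The hosted-zone IDs and the ELB DNS name are hypothetical placeholders; the ELB's own hosted-zone ID is the regional value that `aws elb describe-load-balancers` reports as CanonicalHostedZoneNameID, not the ID of your example.com zone. AWS defaults to `echo aws`, so the script prints the command instead of running it.

```sh
#!/bin/sh
# Added example, not the answerer's code: create the Route 53 alias that lets a
# zone apex (example.com) resolve to a classic ELB. The hosted-zone IDs and the
# ELB DNS name are hypothetical placeholders; the ELB's own hosted-zone ID is the
# regional value reported as CanonicalHostedZoneNameID by
# "aws elb describe-load-balancers", not the ID of your example.com zone.
# AWS defaults to "echo aws" (dry run); set AWS=aws to apply.
: "${AWS:=echo aws}"

# Accept only a name that looks like an ELB hostname, with or without trailing dot.
is_elb_name() {
  case $1 in
    *.elb.amazonaws.com|*.elb.amazonaws.com.) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the change batch. The record is plain Type "A": the alias is AliasTarget
# configuration, not a record type, and Route 53 answers with the ELB's current
# IPs at query time. $1 apex name, $2 ELB DNS name, $3 ELB hosted-zone ID.
alias_change_batch() {
  cat <<EOF
{
  "Comment": "zone apex -> classic ELB via alias",
  "Changes": [{
    "Action": "UPSERT",
    "ResourceRecordSet": {
      "Name": "$1",
      "Type": "A",
      "AliasTarget": {
        "HostedZoneId": "$3",
        "DNSName": "$2",
        "EvaluateTargetHealth": false
      }
    }
  }]
}
EOF
}

# Submit the change. $1 hosted-zone ID of the apex domain, $2 apex name,
# $3 ELB DNS name, $4 ELB hosted-zone ID.
set_apex_alias() {
  zone_id=$1; apex=$2; elb_name=$3; elb_zone_id=$4
  is_elb_name "$elb_name" || { echo "set_apex_alias: not an ELB hostname: $elb_name" >&2; return 1; }
  $AWS route53 change-resource-record-sets \
    --hosted-zone-id "$zone_id" \
    --change-batch "$(alias_change_batch "$apex" "$elb_name" "$elb_zone_id")"
}

# Hypothetical zone IDs and ELB name.
set_apex_alias Z0000000000EXAMPLE example.com. my-elb-1234567890.us-east-1.elb.amazonaws.com. Z1111111111EXAMPLE
```

Because the alias has no ResourceRecords of its own, there is nothing to go stale when AWS rotates the ELB's addresses; the common mistake is putting the apex zone's ID in AliasTarget.HostedZoneId, which Route 53 rejects.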

Setting internally visible DNS entries on Google cloud

I would like to set DNS records visible from instances inside the Google cloud.
For example if I query DNS from my PC I'll get one IP; however if I query DNS from the instance I'll get another IP. (A record to be exact)
Ideally I'd like to do this in the most sane/convenient way possible, since I can install a caching DNS server on every instance and set up authoritative results, and forward caching for the rest (I guess bind9 can do that, never tried it before). But this is a configuration sync mess, and it's not elegant. I kinda assume there might exist a better way.
One solution is to use totally different zones for different sets of machines and use the DNS search path to select.
So for example you could set up
server1.internal.yourdomain.com IN A 1.2.3.4
server1.external.yourdomain.com IN A 5.6.7.8
Then set up your machines with resolv.conf containing either
search internal.yourdomain.com
or
search external.yourdomain.com
And then when you look up server1 on such a machine it will return the address from the appropriate zone. This scheme means you don't need to rely on complex routing or IP detection. You will be immune to incidents where internal or external IPs get leaked into each other's results.
Of course this does mean that you aren't keeping any IP addresses secret, so make sure you have other security layers in place (you probably shouldn't rely on secret IPs for security anyway).
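An added example, not part of the answer above: it simulates how a glibc-style stub resolver expands a short name against the resolv.conf search list, then looks each candidate up in a constructed table holding the two records from the answer. It shows why `server1` yields a different address on a machine with `search internal.yourdomain.com` than on one with `search external.yourdomain.com`, and the `ndots` caveat that a name already containing a dot is tried as an absolute name before the search list is applied. The zone data is constructed for the example; in a real deployment the nameserver serves it from two zones.

```sh
#!/bin/sh
# Added example, not from the original answer: a constructed model of resolv.conf
# search-list expansion over the two records from the answer, to show how the
# same short name resolves differently per machine class.

# Constructed zone data (the answer's two records). A real nameserver serves these.
lookup_a() {
  case $1 in
    server1.internal.yourdomain.com.) echo 1.2.3.4 ;;
    server1.external.yourdomain.com.) echo 5.6.7.8 ;;
    *) return 1 ;;
  esac
}

# Number of '.' characters in $1.
count_dots() {
  rest=$1; n=0
  while [ "${rest#*.}" != "$rest" ]; do rest=${rest#*.}; n=$((n+1)); done
  echo "$n"
}

# Print, in order, the absolute names a glibc-style resolver tries for $1 with
# ndots=$2 and search domains $3..: a trailing dot means absolute only; a name
# with at least ndots dots is tried as-is first, otherwise after the search list.
candidates() {
  name=$1; ndots=$2; shift 2
  case $name in *.) echo "$name"; return 0 ;; esac
  dots=$(count_dots "$name")
  if [ "$dots" -ge "$ndots" ]; then echo "$name."; fi
  for d in "$@"; do echo "$name.$d."; done
  if [ "$dots" -lt "$ndots" ]; then echo "$name."; fi
}

# Resolve $1 with ndots=$2 and search list $3..; prints the first A answer.
resolve() {
  for fqdn in $(candidates "$@"); do
    if ip=$(lookup_a "$fqdn"); then echo "$ip"; return 0; fi
  done
  echo "resolve: NXDOMAIN for $1" >&2
  return 1
}

# Machine with "search internal.yourdomain.com" (ndots defaults to 1):
resolve server1 1 internal.yourdomain.com     # 1.2.3.4
# Machine with "search external.yourdomain.com":
resolve server1 1 external.yourdomain.com     # 5.6.7.8
```

Two things this makes visible that the scheme relies on: only single-label names (no dots) get the search domain appended first, so service names with dots in them will cost an extra NXDOMAIN round trip before the search list kicks in; and a fully qualified name such as `server1.external.yourdomain.com` resolves to the external address even from an internal machine, which is the intended, non-leaky behaviour.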
Assuming you want your VM instances to be able to query other instances by name, and retrieve the desired instance’s private IP, this is already baked into GCP.
Google Cloud Platform (GCP) Virtual Private Cloud (VPC) networks have an internal DNS service that allows you to use instance names instead of instance IP addresses to refer to Compute Engine virtual machine (VM) instances.
Each instance has a metadata server that also acts as a DNS resolver for that instance. DNS lookups are performed for instance names. The metadata server itself stores all DNS information for the local network and queries Google's public DNS servers for any addresses outside of the local network.
[snip]
An internal fully qualified domain name (FQDN) for an instance looks like this:
hostName.c.[PROJECT_ID].internal
You can always connect from one instance to another using this FQDN.
Otherwise, if you want to serve up entirely arbitrary records to a set of machines, you’ll need to serve those records yourself (perhaps using Cloud DNS). In this case, you’d need to reconfigure the resolv.conf file on those instances appropriately (although you can’t just change the file as you see fit). Note that you can't restrict queries to only your own machines, but as David also mentioned, security through obscurity isn't security at all.
Google Cloud DNS Private DNS was just announced to beta and does exactly what you need

DNS and Google Cloud Platform load balancer

I am trying to use google cloud platform for the first time and seem a bit hung up on something that I would think should be easy.
I created an instance group and am trying to create a load balancer to point both http and https traffic to that instance group. When I configured the front end for the load balancer I added both http and https; however, doing so created two ip addresses and I can only point the DNS to one of these records. I am assuming I am just missing a simple step, as I am used to working with AWS.
Any help would be much appreciated.
Think I answered my own question. I just pointed to the https ip address and both http and https requests ended up working.
