Split-brain DNS with Privatelink domains and Internet Fallback

Disclaimer: While I work for Microsoft, this article does not represent a recommended or validated architecture. It reflects my personal thoughts on a possible usage scenario.

There's a new Azure Private DNS feature that allows fallback to Public DNS record if private one is not defined.

Private DNS zones and the feature itself is perfectly explained in the official documentation and in blog posts of my coworkers, and I won't even try to repeat this. (John Savill, Jose Moreno, Official Doc)

They are mostly created for Private Endpoint support for services provided by Microsoft.

However, anyone can use the same feature to create Split-brain DNS for their own domain.

Several use cases, besides Microsoft-provided services using Private Endpoints, that can be useful

Use case 1. Corporate Split-brain DNS

Imagine, you have different website versions for external and internal users.

With Private DNS zones it was possible to create split DNS before, however, managing all the records that could appear in your doman for both public and private users is not the easy task

Using new Internet Fallback feature you need to configure only the records in Private DNS zone that should differ, and omit all other record, that will resolve to internet addresses.

Use case 2. VMs

In my lab I use a lot of VMs in different regions to check connectivity, latency, performance, VPN and so on. Sometimes use VMs as jump boxes for another ones.

I prefer connecting to these VMs using FQDN, rather than figuring out their IP addresses each time I use them (especially if that's IPv6).

Initially I just used Alias DNS records in Azure that pointed directly to VM.

Over time, this evolved to 

Public DNS Zone vm.lvl80.net, has 2 records for this VM:

vm1.(vm.lvl80.net) --> CNAME vm1.privatelink.lvl80.net 

vm1.privatelink.(lvl80.net) -> Alias to Vm1 Public IP

(yes, you can have names with the dot, and there's no need to create separate zone for it.)

Private DNS zone: privatelink.vm.lvl80.net, needs to be attached only to the Vnets, and has: both options enabled: Fallback to internet and Auto-registration.


Consequently, VM name resolves to different IP, depending on the place of resolution:

Global Internet:

Azure Vnet:

Private DNS Zone Internet Fallback and Auto-Registration both come into play here. You can create separate Private DNS zones for separate groups of VMs, maintaining same Domain name space.

Use case 3. Your own Privatelink services in Azure

You may have your own application(s) providing connectivity via Public and Privatelink IPs. Private DNS zone internet fallback will be useful here as well. Same approach as for Microsoft-provided services.

Comments

Post a Comment

Popular posts from this blog

Traceroute in Azure

Image
Is it possible to traceroute in Azure? Despite a lot of negative statements, it is totally possible. Take a look: IPv4: IPv6: All you need is to meet 2 conditions here: Add Network Security Group rule allowing Inbound ICMP to this VM from Any source Configure VM with explicit instance-level public IP. Here's explanation for these conditions: 1. ICMP All the NSG rules in Azure, explicit or implicit, are stateful. This includes ICMP. As you may know, traceroute works by sending IP packets with very short TTL (starting with 1). Each router on the path is decreasing TTL by one, and the router that decreases packet TTL to 0, must drop it and should send ICMP message packet TTL Expired in transit. ICMP message will return to VM from the router, not from VM we are sening probes to. But NSG rules are only ready to receive responses from the end host. Opening ICMP inbound for all the hosts allows ICMP "Expired in transit" packets to reach original VM, and work tracert properly. 2....
Read more