Azure / ALZ-Bicep

This repository contains the Azure Landing Zones (ALZ) Bicep modules that help deliver and deploy the Azure Landing Zone conceptual architecture in a modular approach. https://aka.ms/alz/docs
MIT License

Firewall and DNS Private Zones Virtual Network Links not supported? #803

Closed renebrandnewday closed 2 months ago

renebrandnewday commented 3 months ago

What happened? Provide a clear and concise description of the bug, including deployment details.

Context

Initially there were no problems. But after a while, when re-deploying the ALZ Hub again, errors appeared. The effect was that no changes to the ALZ Firewall and Firewall Policies could be deployed using the standard ALZ Pipeline Script. Error message: provisioning state failed.

Investigation: It seemed that especially the 'privatelink.blob.core.windows.net' Virtual Network Link to the Hub Network caused issues. That was investigated by Microsoft Support. Microsoft Support also reported that the Azure Firewall has known issues with Private DNS Zones. See https://learn.microsoft.com/en-us/azure/firewall/firewall-known-issues. They advised removing the Private DNS Zones Virtual Network Links to the Hub Network.


Question: Are there known issues or best practices for using 'DNS Private Zones Virtual Network Links' to the ALZ Hub with an Azure Firewall?

Please provide the correlation id associated with your error or bug.

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

What was the expected outcome?

ALZ Firewall and Firewall Policies can be deployed using the standard ALZ Hub Pipeline Script.

Relevant log output

"properties": { "statusCode": "Conflict", "statusMessage": "{\"status\":\"Failed\",\"error\":{\"code\":\"ResourceDeploymentFailure\",\"target\":\"/subscriptions/66666-66666-66666-66666-66666/resourceGroups/rg-alz-connectivity-prod-we/providers/Microsoft.Network/firewallPolicies/fw-hub-policies-prod-we/ruleCollectionGroups/AzureCommonApplicationRules\",\"message\":\"The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.\",\"details\":[{\"code\":\"FirewallPolicyUpdateFailed\",\"message\":\"Put on Firewall Policy fw-hub-policies-prod-we Failed with 1 faulted referenced firewalls\"}]}}", "eventCategory": "Administrative", "entity": "/subscriptions/66666-66666-66666-66666-66666/resourcegroups/rg-alz-connectivity-prod-we/providers/Microsoft.Network/firewallPolicies/fw-hub-policies-prod-we/ruleCollectionGroups/AzureCommonApplicationRules", "message": "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write", "hierarchy": "66666-66666-66666-66666-66666/alz/alz-it-alz/alz-it-alz-connectivity/66666-6666-666-6666" }


jtracey93 commented 3 months ago

Hey @renebrandnewday,

Thanks for the issue.

The errors you were seeing are a common thing I'm afraid with Azure Firewall sometimes, as you can see from this previous issue: https://github.com/Azure/ALZ-Bicep/issues/530

The question around Private DNS Zones is a new one for us; however, it doesn't seem related and only seems to suggest that if the Private DNS Zones are linked to the VNet where the AZ FW is deployed, the AZ FW will not resolve against the Private DNS Zones.

Therefore you need to configure the Azure Firewall Custom DNS Server and point it to a Private DNS Resolver inbound endpoint or a custom DNS server IP, and potentially make it act as a DNS proxy also, for consistent resolution for clients and the AZ FW.

Hope that makes sense and helps.
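The setting discussed above, as an added illustration that is not code from the ALZ-Bicep repository or from this thread: a Firewall Policy whose DNS settings are switched from the Azure-provided default to a custom DNS server with DNS proxy enabled. The resolver inbound endpoint IP, resource names and API version are assumptions.

```bicep
// Added example, not part of ALZ-Bicep. It shows the Firewall Policy DNS settings
// that the comment above recommends instead of the default (Azure-provided) DNS.
param location string = resourceGroup().location
param firewallPolicyName string = 'fw-hub-policies-example' // assumed name

// Assumption: inbound endpoint IP of a Private DNS Resolver that is linked to the
// Private DNS Zones. Replace with the real inbound endpoint address.
param dnsResolverInboundIp string = '10.10.0.4'

// Toggle between the default (Azure-provided DNS, no proxy) and the recommended
// custom DNS server with DNS proxy. The default corresponds to the known issue
// discussed in this thread when Private DNS Zones are linked to the firewall VNet.
param useCustomDns bool = true

resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {
  name: firewallPolicyName
  location: location
  properties: {
    sku: {
      tier: 'Standard'
    }
    threatIntelMode: 'Alert'
    dnsSettings: useCustomDns
      ? {
          // Recommended: the firewall forwards its own lookups to the resolver
          // inbound endpoint and proxies client DNS queries for consistent results.
          servers: [
            dnsResolverInboundIp
          ]
          enableProxy: true
        }
      : {
          // Default: empty server list means Azure-provided DNS; no proxy.
          servers: []
          enableProxy: false
        }
  }
}

// Outputs that make the effective DNS configuration visible after deployment.
output effectiveDnsServers array = firewallPolicy.properties.dnsSettings.servers
output dnsProxyEnabled bool = firewallPolicy.properties.dnsSettings.enableProxy
```

Clients in spoke VNets then use the firewall's private IP as their DNS server so that both the firewall and the clients resolve through the same resolver.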

renebrandnewday commented 3 months ago

We are using the default settings for the ALZ Firewall policy DNS, which is

When this problem occurred, together with the PTA team we could bring the firewall into a SUCCEEDED state by unlinking privatelink.blob.core.windows.net and running the GET/SET operation again. So, without deleting and redeploying the Azure Firewall.

jtracey93 commented 3 months ago

Sounds like the issue is "Use the Default (Azure provided)", as that is what the known issue is referring to and saying is not supported.

Could you share the support ticket number with me?

renebrandnewday commented 2 weeks ago

Sorry for the late reply. The case created was:

Case 2407090040002495  Your question was successfully submitted to Microsoft Support TrackingID#2407090040002495

Why does ALZ link by default to the firewall subnet? Or doesn't it?

jtracey93 commented 2 weeks ago

@renebrandnewday did you get a new reply from support?

ALZ links the Private DNS Zones to the connectivity VNet where the Azure Firewall is located.

Have you tried configuring a custom DNS server on the Azure Firewall instead of using the Azure default?