This reference implementation is based on Cloud Adoption Framework for Azure and provides an opinionated implementation that enables ITSG-33 regulatory compliance by using NIST SP 800-53 Rev. 4 and Canada Federal PBMM Regulatory Compliance Policy Sets.
The implementation of DNS Private Resolver here doesn't match the recommendation in CAF or other docs. The MS Cloud Adoption Framework guidance has the DNS Private Resolver in the hub vnet. The benefits of placing into the hub rather than the identity spoke:

- no need to create new network links from resolver to spokes
- private endpoint DNS zones are already in hub, and logic exists to link to hub vnet already
- fewer peer traversals for DNS queries (slight cost impact)
Describe the solution you'd like

Have an option for deploying the resolver into the hub vnet.
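The following Bicep is an added illustration of the requested layout and is not code from the CanadaPubSecALZ repository or this issue: the resolver and its inbound endpoint are created in the hub vnet, and a private endpoint DNS zone is linked to the hub only, so no per-spoke links are needed. It assumes the hub vnet already exists with a subnet delegated to `Microsoft.Network/dnsResolvers`; all names and the zone used are placeholders.

```bicep
// Added example, not part of the CanadaPubSecALZ code base.
// Assumes: hub vnet exists and hubResolverSubnet is delegated to Microsoft.Network/dnsResolvers.
param location string = resourceGroup().location
param hubVnetName string = 'vnet-hub'                 // placeholder
param resolverSubnetName string = 'snet-dns-resolver' // placeholder, delegated subnet
param privateDnsZoneName string = 'privatelink.blob.core.windows.net' // placeholder zone

resource hubVnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
  name: hubVnetName
}

resource resolverSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
  parent: hubVnet
  name: resolverSubnetName
}

// Resolver attached to the hub vnet: spokes reach it over their existing hub peering.
resource resolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: 'dnspr-hub'
  location: location
  properties: {
    virtualNetwork: { id: hubVnet.id }
  }
}

// Inbound endpoint: the private IP that spoke vnets (and on-prem forwarders) use as DNS server.
resource inbound 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'inbound'
  location: location
  properties: {
    ipConfigurations: [
      {
        privateIpAllocationMethod: 'Dynamic'
        subnet: { id: resolverSubnet.id }
      }
    ]
  }
}

// Private endpoint zone linked to the hub vnet only; the resolver answers for all spokes.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: privateDnsZoneName
  location: 'global'
}

resource zoneHubLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'link-hub'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: hubVnet.id }
  }
}

output resolverInboundIp string = inbound.properties.ipConfigurations[0].privateIpAddress
```

Spoke vnets then set the emitted inbound IP as their custom DNS server; no resolver-to-spoke links or per-spoke zone links are required.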