Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Review and update private DNS zones for private endpoint #1073

Closed krowlandson closed 2 years ago

krowlandson commented 2 years ago

Description

Since the addition of private DNS zones for private endpoint support in the ALZ Portal accelerator, the list of services supporting private endpoint has grown.

There also appear to be a few changes in the documented zones required for services already included in the deployment templates.

Having done a quick review of the latest documented DNS zones, it appears we have some differences which need to be resolved as follows:

| Private link resource type | Subresource | Status |
|---|---|---|
| Azure Automation (Microsoft.Automation/automationAccounts) | Webhook, DSCAndHybridWorker | no changes identified |
| Azure SQL Database (Microsoft.Sql/servers) | sqlServer | no changes identified |
| Azure SQL Managed Instance (Microsoft.Sql/managedInstances) | | needs testing to verify works with privatelink.{dnsPrefix}.database.windows.net format |
| Azure Synapse Analytics (Microsoft.Synapse/workspaces) | Sql | no changes identified |
| Azure Synapse Analytics (Microsoft.Synapse/workspaces) | SqlOnDemand | no changes identified |
| Azure Synapse Analytics (Microsoft.Synapse/workspaces) | Dev | no changes identified |
| Azure Synapse Studio (Microsoft.Synapse/privateLinkHubs) | Web | no changes identified |
| Storage account (Microsoft.Storage/storageAccounts) | Blob (blob, blobsecondary) | no changes identified |
| Storage account (Microsoft.Storage/storageAccounts) | Table (table, tablesecondary) | no changes identified |
| Storage account (Microsoft.Storage/storageAccounts) | Queue (queue, queuesecondary) | no changes identified |
| Storage account (Microsoft.Storage/storageAccounts) | File (file, filesecondary) | no changes identified |
| Storage account (Microsoft.Storage/storageAccounts) | Web (web, websecondary) | no changes identified |
| Azure Data Lake File System Gen2 (Microsoft.Storage/storageAccounts) | Data Lake File System Gen2 (dfs, dfssecondary) | no changes identified |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | Sql | no changes identified |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | MongoDB | no changes identified |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | Cassandra | no changes identified |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | Gremlin | no changes identified |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | Table | no changes identified |
| Azure Batch (Microsoft.Batch/batchAccounts) | batchAccount | need to verify whether current regional implementation is correct |
| Azure Batch (Microsoft.Batch/batchAccounts) | nodeManagement | need to verify whether current regional implementation is correct |
| Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) | postgresqlServer | no changes identified |
| Azure Database for MySQL (Microsoft.DBforMySQL/servers) | mysqlServer | no changes identified |
| Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) | mariadbServer | no changes identified |
| Azure Key Vault (Microsoft.KeyVault/vaults) | vault | no changes identified |
| Azure Key Vault (Microsoft.KeyVault/managedHSMs) | Managed HSMs | no changes identified |
| Azure Kubernetes Service - Kubernetes API (Microsoft.ContainerService/managedClusters) | management | need to validate region format is correct and check requirements for {subzone}.privatelink.{region}.azmk8s.io zone |
| Azure Search (Microsoft.Search/searchServices) | searchService | no changes identified |
| Azure Container Registry (Microsoft.ContainerRegistry/registries) | registry | need to test whether regional zones work as expected for {region}.privatelink.azurecr.io |
| Azure App Configuration (Microsoft.AppConfiguration/configurationStores) | configurationStores | no changes identified |
| Azure Backup (Microsoft.RecoveryServices/vaults) | AzureBackup | no changes identified |
| Azure Site Recovery (Microsoft.RecoveryServices/vaults) | AzureSiteRecovery | need to check as zone is now documented as being regional, i.e. privatelink.{region}.siterecovery.windowsazure.com |
| Azure Event Hubs (Microsoft.EventHub/namespaces) | namespace | no changes identified |
| Azure Service Bus (Microsoft.ServiceBus/namespaces) | namespace | no changes identified |
| Azure IoT Hub (Microsoft.Devices/IotHubs) | iotHub | no changes identified |
| Azure Relay (Microsoft.Relay/namespaces) | namespace | no changes identified |
| Azure Event Grid (Microsoft.EventGrid/topics) | topic | no changes identified |
| Azure Event Grid (Microsoft.EventGrid/domains) | domain | no changes identified |
| Azure Web Apps (Microsoft.Web/sites) | sites | no changes identified |
| Azure Machine Learning (Microsoft.MachineLearningServices/workspaces) | amlworkspace | no changes identified |
| SignalR (Microsoft.SignalRService/SignalR) | signalR | no changes identified |
| Azure Monitor (Microsoft.Insights/privateLinkScopes) | azuremonitor | no changes identified |
| Cognitive Services (Microsoft.CognitiveServices/accounts) | account | no changes identified |
| Azure File Sync (Microsoft.StorageSync/storageSyncServices) | afs | need to check as zone is now documented as being regional, i.e. privatelink.{region}.afs.azure.net |
| Azure Data Factory (Microsoft.DataFactory/factories) | dataFactory | no changes identified |
| Azure Data Factory (Microsoft.DataFactory/factories) | portal | no changes identified |
| Azure Cache for Redis (Microsoft.Cache/Redis) | redisCache | no changes identified |
| Azure Cache for Redis Enterprise (Microsoft.Cache/RedisEnterprise) | redisEnterprise | no changes identified |
| Microsoft Purview (Microsoft.Purview) | account | no changes identified |
| Microsoft Purview (Microsoft.Purview) | portal | no changes identified |
| Azure Digital Twins (Microsoft.DigitalTwins) | digitalTwinsInstances | no changes identified |
| Azure HDInsight (Microsoft.HDInsight) | | no changes identified |
| Azure Arc (Microsoft.HybridCompute) | hybridcompute | no changes identified |
| Azure Media Services (Microsoft.Media) | keydelivery, liveevent, streamingendpoint | no changes identified |
| Azure Data Explorer (Microsoft.Kusto) | | missing |
| Azure Static Web Apps (Microsoft.Web/staticSites) | staticSites | missing |
| Azure Migrate (Microsoft.Migrate) | migrate projects, assessment project and discovery site | missing |
| Azure Managed HSM (Microsoft.Keyvault/managedHSMs) | managedhsm | missing |
| Azure API Management (Microsoft.ApiManagement/service) | gateway | missing |
| Microsoft PowerBI (Microsoft.PowerBI/privateLinkServicesForPowerBI) | | missing |
| Azure Bot Service (Microsoft.BotService/botServices) | Bot | missing |
| Azure Bot Service (Microsoft.BotService/botServices) | Token | missing |

Describe the solution you'd like

Update the module to reflect the latest changes in available services with private endpoint support.

Additional context

Related to: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/482

pkorolo commented 2 years ago

Hello @krowlandson, findings up to now, just the ones that have relevance to ALZ RI:

  1. this page (as well as the official documentation in "https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns" ), needs a minor fix in "Storage Account (File)", in the sense that there is no such thing as "filesecondary"
  2. Azure Batch has indeed shifted from "privatelink..batch.azure.com" to "privatelink.batch.azure.com"; this is substantiated by "https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns" and "https://learn.microsoft.com/en-us/azure/batch/private-connectivity" ; ALZ RI needs update
  3. Azure Container Registry requires {region} when geo-replicated (premium SKU) is used; details here: "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link" ; indeed as-is, ALZ RI creates and associates DNS Zone for the "non-geo" scenario
  4. Azure Site Recovery: although I recall seeing also myself "regional" Zones documented at some point, current version of the existing documentation, converges towards "privatelink.siterecovery.windowsazure.com" usage ("https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns" , "https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints" , "https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints#create-private-dns-zones-and-add-dns-records-manually" , "https://learn.microsoft.com/en-us/azure/site-recovery/hybrid-how-to-enable-replication-private-endpoints" , etc.). NOTE: there is a minor glitch in current ALZ RI, detailed at "https://dev.azure.com/CSUSolEng/Azure%20Landing%20Zones/_workitems/edit/23128"
  5. Azure File Sync: documentation contains "mixed" messaging ("https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns" and "https://learn.microsoft.com/en-us/azure/storage/file-sync/file-sync-networking-endpoints?tabs=azure-portal" , lean towards "regional", but "https://learn.microsoft.com/en-us/azure/storage/file-sync/file-sync-networking-overview" says otherwise). Most possibly, ALZ RI needs updating, because as-is, reflects the "non-regional" DNS Zone implementation and association.
  6. Azure Migrate: by existing docs ("https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns" ), has been added to ALZ RI via PR 1109 (https://github.com/Azure/Enterprise-Scale/pull/1109)
pkorolo commented 2 years ago

Thank you @krowlandson for drawing my attention to point 5 (File Sync). Indeed, RI does not need an update after all for this specific (AFS) Service PE. We keep the "privatelink.afs.azure.net" deployment, and the "{region}.privatelink.afs.azure.net" is taken care of by itself at PE implementation time - tested this in lab. Obviously, the above matrix needs "fixing" at this point, because it mentions "privatelink.{region}.afs.azure.net" and should be "{region}.privatelink.afs.azure.net" (actually the same stands for "privatelink.{region}.siterecovery.windowsazure.com", which should be "privatelink.siterecovery.windowsazure.com"), apparently because in the meantime the documentation has been updated.

kamilzzz commented 2 years ago

I am wondering about scm.privatelink.azurewebsites.net zone which was added to the documentation 20 days ago (https://github.com/MicrosoftDocs/azure-docs/commit/bc032942b9c1ac1fc1d455e13887a99e612ef8af).

Should it also be deployed as a part of connectivity landing zone as a separate private DNS zone? Or maybe main privatelink.azurewebsites.net is enough, as scm.privatelink.azurewebsites.net is basically just a subzone of the main zone?

pkorolo commented 2 years ago

> I am wondering about scm.privatelink.azurewebsites.net zone which was added to the documentation 20 days ago (MicrosoftDocs/azure-docs@bc03294).
>
> Should it also be deployed as a part of connectivity landing zone as a separate private DNS zone? Or maybe main privatelink.azurewebsites.net is enough, as scm.privatelink.azurewebsites.net is basically just a subzone of the main zone?

Hello @kamilzzz, the main zone is enough, either via policy or manually; PE creation creates both A records in the main zone, "app_name.privatelink.azurewebsites.net" and "app_name.scm.privatelink.azurewebsites.net" (verified through lab).

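The subzone question above (does `app_name.scm.privatelink.azurewebsites.net` need its own zone, or does it land as a record `app_name.scm` in `privatelink.azurewebsites.net`?) is an instance of a general rule: a private endpoint's FQDN must be hosted as a record in the deployed private DNS zone with the longest matching label suffix, and if no deployed zone matches, resolution silently falls back to public DNS. The following Python is an added example, not code from the Azure/Enterprise-Scale repository or from anyone in this thread. It takes a `customDnsConfigs`-shaped list (the field returned by `az network private-endpoint show`; the entries here are constructed sample data), a list of zones assumed to be deployed in the connectivity subscription, and reports which zone must host each record and which FQDNs have no hosting zone at all. The ACR `westeurope.data` and Key Vault FQDNs are illustrative assumptions about what such endpoints expose, not records taken from this issue.

```python
"""Map private-endpoint FQDNs onto deployed private DNS zones by longest-suffix match.

Added example (not project code). Input mimics the `customDnsConfigs` block of
`az network private-endpoint show`; zone and FQDN values are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class ZoneMatch:
    fqdn: str
    zone: Optional[str]    # deployed zone that must host the record; None if nothing matches
    record: Optional[str]  # relative record name inside that zone, e.g. "app_name.scm"


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.strip(".").lower().split(".")


def match_zone(fqdn: str, zones: Sequence[str]) -> ZoneMatch:
    """Pick the deployed zone whose labels form the longest suffix of fqdn.

    A more specific zone (e.g. scm.privatelink.azurewebsites.net) wins over its
    parent when both are deployed, because Azure Private DNS resolves against
    the most specific linked zone; when only the parent is deployed, the FQDN
    becomes a multi-label record inside it.
    """
    fl = _labels(fqdn)
    best: Optional[List[str]] = None
    best_zone: Optional[str] = None
    for zone in zones:
        zl = _labels(zone)
        # Strict '<' so the zone apex itself is never treated as a record name.
        if len(zl) < len(fl) and fl[-len(zl):] == zl:
            if best is None or len(zl) > len(best):
                best, best_zone = zl, zone
    if best is None:
        return ZoneMatch(fqdn, None, None)
    return ZoneMatch(fqdn, best_zone, ".".join(fl[:-len(best)]))


def audit_private_endpoint(custom_dns_configs: Sequence[dict], zones: Sequence[str]) -> List[ZoneMatch]:
    """One ZoneMatch per FQDN the private endpoint exposes."""
    return [match_zone(cfg["fqdn"], zones) for cfg in custom_dns_configs]


def unhosted_fqdns(report: Sequence[ZoneMatch]) -> List[str]:
    """FQDNs that no deployed zone can host (they would resolve via public DNS)."""
    return [m.fqdn for m in report if m.zone is None]


# Constructed sample: zones assumed deployed in the hub, and what a few private
# endpoints might expose. Not taken from a real subscription.
DEPLOYED_ZONES = [
    "privatelink.azurewebsites.net",
    "privatelink.azurecr.io",
    "privatelink.blob.core.windows.net",
]

SAMPLE_CUSTOM_DNS_CONFIGS = [
    {"fqdn": "contoso-app.privatelink.azurewebsites.net", "ipAddresses": ["10.1.0.4"]},
    {"fqdn": "contoso-app.scm.privatelink.azurewebsites.net", "ipAddresses": ["10.1.0.4"]},
    {"fqdn": "contosoacr.privatelink.azurecr.io", "ipAddresses": ["10.1.0.5"]},
    {"fqdn": "contosoacr.westeurope.data.privatelink.azurecr.io", "ipAddresses": ["10.1.0.6"]},
    {"fqdn": "contosokv.privatelink.vaultcore.azure.net", "ipAddresses": ["10.1.0.7"]},
]

if __name__ == "__main__":
    report = audit_private_endpoint(SAMPLE_CUSTOM_DNS_CONFIGS, DEPLOYED_ZONES)
    for m in report:
        print(f"{m.fqdn:55} -> zone={m.zone} record={m.record}")
    for fqdn in unhosted_fqdns(report):
        print(f"WARNING: no private DNS zone deployed for {fqdn}; it will resolve publicly")
```

Run it as-is and the Key Vault FQDN is flagged because no `privatelink.vaultcore.azure.net` zone is in the deployed list; add `"scm.privatelink.azurewebsites.net"` to `DEPLOYED_ZONES` and the scm record moves from `contoso-app.scm` in the parent zone to `contoso-app` in the subzone, which is the behaviour change a separate scm zone would introduce. The same suffix logic applies to the regional variants discussed above (`{region}.privatelink.afs.azure.net`, `{region}.privatelink.azurecr.io`): if the regional name is a subzone of a deployed parent, records land in the parent; if the region sits inside the zone name itself, a separate zone is required.
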
pkorolo commented 2 years ago

Related PRs:

  - Add defaultValue for PrivateDnsZoneId parameters by krowlandson · Pull Request #1133 · Azure/Enterprise-Scale (github.com)
  - Fix #1073 - Update Private DNS Zones for Private Link by jtracey93 · Pull Request #1141 · Azure/Enterprise-Scale (github.com)
  - Added new built-in Policies into the Initiative by pkorolo · Pull Request #1109 · Azure/Enterprise-Scale (github.com)