Azure / appservice-landing-zone-accelerator

The Azure App Service landing zone accelerator is an open-source collection of architectural guidance and reference implementation to accelerate deployment of Azure App Service at scale.
https://build.microsoft.com/en-US/sessions/58f92fab-3298-444d-b215-6b93219cd5d7?source=sessions
MIT License

Private DNS in Spoke vs Hub #187

Open kunalbabre opened 9 months ago

kunalbabre commented 9 months ago

Review Private DNS implementation, should it be in Hub vs Spoke as per LZ guidance

FunLow commented 4 months ago

As a suggestion, as this isn't getting clear to me through the documentation:

How should Application / Workload teams handle the creation of required DNS entries?

Suggesting that I have a hub-spoke network topology where the central hub is linked to all the Private DNS Zones and the DNS will be resolved using a central DNS server (e.g. Firewall, custom DNS server). In this scenario an application team / workload team wants to publish an application only internally for other application teams. The domain for the DNS entry looks like "myapp.stage.myorg.internal", part of the DNS Zone "stage.myorg.internal".

Who is responsible for the creation of the DNS entry? I would assume in general the platform team, but thinking about this, this means the application teams have to get in contact for almost each DNS entry (excluding the default Azure domains like azurewebsites.net and others). This also implies that the platform team has to manage a lot of DNS requests per day in larger organizations. Especially with resource types like Azure Kubernetes Service, where a deployment of a new endpoint is very easy, this sounds like a lot of effort. Also I wouldn't like to restrict the application team in something like their Dev environment, to allow them to create new applications published via DNS for testing purposes.

In case Workload Team is responsible:

Should each workload team manage its own DNS Zone? In case the workload team is responsible, they might not be aware of other teams using the DNS Zone, which could lead to a potential conflict between multiple teams trying to provision the same DNS entry in the same DNS Zone. For that reason it sounds reasonable to create a DNS Zone per spoke (application team) to prevent those conflicts. But how are they supposed to manage them if they should not be allowed to access the connectivity subscription by themselves?

In case the Platform Team is responsible: How is the workflow supposed to be between platform and workload team? As all DNS entries have to be managed by the platform team, each workload team must send a request to the platform team for any DNS entry they require. This is time consuming and might result in failures due to communication in the organization.

Is there a way to automate provisioning of DNS entry requests? I was thinking about something similar to the Firewall Manager, where an approval process can be used to create new firewall rules requested by certain workload teams.

In case I'm here at the wrong place, please guide me to the appropriate place. Thanks in advance.

Cheers
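One way to implement the zone-per-spoke split discussed in the comment above, as an added Bicep example that is not part of the accelerator or of the thread: the platform team deploys the workload's Private DNS zone into the connectivity subscription and links it to the hub VNet (where the central resolver lives), and the workload team's group receives the built-in Private DNS Zone Contributor role scoped to that single zone only, so it can create records such as `myapp.stage.myorg.internal` without any access to the rest of the connectivity subscription. The parameter names, the resource group scope and the link name are assumptions.

```bicep
// Added example (hypothetical, not from the accelerator): one Private DNS zone
// per workload team, owned by the platform team in the connectivity subscription.
targetScope = 'resourceGroup'

@description('Zone delegated to one workload team, e.g. stage.myorg.internal')
param zoneName string

@description('Resource ID of the hub VNet that hosts the central DNS resolver')
param hubVnetId string

@description('Entra ID group object ID of the workload team that owns this zone')
param workloadTeamGroupObjectId string

// Built-in role "Private DNS Zone Contributor" (record management on a zone only,
// no rights on VNets, links to other VNets, or anything else in the subscription).
var privateDnsZoneContributorRoleId = 'b12aa53e-6015-4669-85d0-8515ebb3ae7f'

resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: zoneName
  location: 'global'
}

// Link the zone to the hub VNet so the central resolver can answer for it.
// registrationEnabled stays false: records are created deliberately by the
// workload team, not auto-registered by every VM that boots in the hub.
resource hubLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'hub-link'
  location: 'global'
  properties: {
    virtualNetwork: {
      id: hubVnetId
    }
    registrationEnabled: false
  }
}

// Scope the assignment to the zone resource itself, never to the resource group
// or the connectivity subscription, so one team cannot touch another team's zone.
resource delegate 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(zone.id, workloadTeamGroupObjectId, privateDnsZoneContributorRoleId)
  scope: zone
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', privateDnsZoneContributorRoleId)
    principalId: workloadTeamGroupObjectId
    principalType: 'Group'
  }
}
```

Deploying this module once per spoke from a platform pipeline gives each workload team its own zone and removes the shared-zone naming conflicts the comment raises, while the central resolver in the hub continues to serve all zones.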