Azure / caf-terraform-landingzones

This solution, offered by the Open-Source community, will no longer receive contributions from Microsoft. Customers are encouraged to transition to Microsoft Azure Verified Modules for continued support and updates from Microsoft. Please note, this repository is scheduled for decommissioning and will be removed on July 1, 2025.
https://github.com/aztfmod/caf-terraform-landingzones
MIT License
761 stars 666 forks

[bug] Issue with attaching privatelink.monitor.azure.com to the hub vnet #298

Open fethidilmi opened 2 years ago

fethidilmi commented 2 years ago

Describe the bug

We deployed the privatelink.monitor.azure.com private dns zone and attached it to our hub vnets. This caused an issue with resolving dc.services.visualstudio.com from landing zones, as shown by this screenshot: [image]

Apparently, this is a known issue by the azure monitor team (which requires us to attach this private zone to spoke vnets) as shown here: [image]

This is not possible in the context of our enterprise-scale deployment.

Indeed, we configured our spoke vnets to use the hub's azure firewall as a dns resolver, which in turn redirects dns requests to dedicated vms in the hub vnet that can resolve on premise networks as well.

Since the vms are using azure custom dns for non-onpremise targets (i.e. 168.63.129.16), we ended up having this dns resolution path for a few fqdns (whose dns resolution path includes azure monitor).

As this private link zone is deployable through the module, this will lead to the same incident for those who deploy it.
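The linking the issue refers to, written out as an added Terraform example. This is not code from caf-terraform-landingzones; it shows the zone linked to the hub VNet (what the reporter did) and additionally to each spoke VNet (what the Azure Monitor guidance quoted above requires). The resource-group name, the `hub_vnet_id` and `spoke_vnet_ids` variables, and the link names are placeholders for this example.

```hcl
# Added example, not part of the caf-terraform-landingzones module.
# Links privatelink.monitor.azure.com to the hub VNet and to every spoke VNet.
# Names and IDs are placeholders.

variable "hub_vnet_id" {
  type        = string
  description = "Resource ID of the hub VNet (placeholder)"
}

variable "spoke_vnet_ids" {
  type        = map(string) # key = spoke/landing-zone name, value = VNet resource ID
  description = "Spoke VNets that must also receive the private zone (placeholder)"
}

resource "azurerm_private_dns_zone" "monitor" {
  name                = "privatelink.monitor.azure.com"
  resource_group_name = "rg-hub-dns" # placeholder
}

# Hub link: this alone is what produced the failure described in the issue,
# because the hub resolvers start answering private-endpoint IPs for spokes too.
resource "azurerm_private_dns_zone_virtual_network_link" "hub" {
  name                  = "link-hub"
  resource_group_name   = azurerm_private_dns_zone.monitor.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.monitor.name
  virtual_network_id    = var.hub_vnet_id
  registration_enabled  = false
}

# Spoke links: one per landing-zone VNet, as the Azure Monitor guidance requires.
resource "azurerm_private_dns_zone_virtual_network_link" "spoke" {
  for_each              = var.spoke_vnet_ids
  name                  = "link-${each.key}"
  resource_group_name   = azurerm_private_dns_zone.monitor.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.monitor.name
  virtual_network_id    = each.value
  registration_enabled  = false
}
```

A private DNS zone link only affects queries that reach Azure-provided DNS (168.63.129.16) from inside the linked VNet. In the topology described in this issue the spokes send their queries to the hub firewall, which forwards to VMs in the hub VNet, so the spoke links above would not change what the spokes receive; the answers are shaped by the hub link, which is why the reporter says the recommended fix is not possible for them. Before adding the hub link in such a design, confirm that every spoke whose queries end up at the hub resolvers can actually reach the Azure Monitor private endpoint; otherwise Azure Monitor and Application Insights ingestion from those spokes fails in the way the screenshot shows.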

buysoft commented 7 months ago

@fethidilmi, I am facing this issue right now as well. What did you do to solve this?