MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Zone level forwarding is sometimes not correct. #105326

Closed ms-ishiyam closed 4 months ago

ms-ishiyam commented 1 year ago

If you have multiple Azure platforms you connect to from on-premise, zone level forwarding may not be correct. Because some clients connecting to the other Azure platform cannot resolve the FQDN and fail to connect to Azure Database, which hosts the domain "database.windows.net". So I would like you to add some comments to avoid such a situation. I think we should use FQDN level forwarding to avoid such a situation.

https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder

Important

The conditional forwarding must be made to the recommended public DNS zone forwarder. For example: database.windows.net instead of privatelink.database.windows.net.



Naveenommi-MSFT commented 1 year ago

@ms-ishiyam Thanks for your feedback! We will investigate and update as appropriate.

GitaraniSharma-MSFT commented 1 year ago

@ms-ishiyam, could you please elaborate on what you are referring to as "multiple Azure platforms"?

As mentioned in this section, if you're using a private endpoint in a hub-and-spoke model from a different subscription or even within the same subscription, link the same private DNS zones to all spokes and hub virtual networks that contain clients that need DNS resolution from the zones.


More details about such a setup can be found in the doc below: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale?toc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Farchitecture%2Ftoc.json&bc=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fazure%2Farchitecture%2Fbread%2Ftoc.json

ms-ishiyam commented 1 year ago

@GitaraniSharma-MSFT "multiple Azure platforms" means that the customer has multiple clients and ER networks in an on-premise environment like below.

Client1 (on-premise1) -------- ER1 ----- Hub1 ----- Spoke1-1
Client2 (on-premise1) -------- ER2 ----- Hub2 ----- Spoke2-1

I think most big customers must have this scenario. They cannot use zone level conditional forwarding.
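The following is an added illustration of the resolution behaviour ms-ishiyam describes in the opening post and in the two-hub topology above; it is not code from the azure-docs issue, from the linked article, or from any Microsoft tool. It models how an on-premises DNS server picks a conditional forwarder (the most specific, i.e. longest, matching zone suffix wins, which is how both Windows DNS conditional forwarders and BIND forward zones behave) and shows why a single zone-level rule for `database.windows.net` sends every query to one hub's resolver. The resolver addresses, server names and private IPs are constructed placeholders, and the in-hub "private DNS zone" lookups are simulated with dictionaries.

```python
"""Simulate conditional-forwarder selection on an on-premises DNS server.

Added illustration for the azure-docs issue; not code from the issue or from
any Microsoft tool. All IPs, hub names and server FQDNs are constructed.

Conditional forwarders match a query name against configured zone names and
use the most specific (longest) matching suffix. A single zone-level rule for
database.windows.net therefore forwards every server in that zone to one hub's
resolver. A client whose private endpoint is behind the other hub then asks a
resolver whose linked private DNS zone has no record for that server.
"""
from __future__ import annotations

# Constructed placeholders: inbound resolver endpoints in each hub.
HUB1_RESOLVER = "10.1.0.4"
HUB2_RESOLVER = "10.2.0.4"
# Marker for "no conditional forwarder matched": query goes to the general forwarders.
PUBLIC_RESOLVER = "public"

# Constructed: which private DNS zone (reachable only via that hub's resolver)
# holds each server's private-endpoint A record.
PRIVATE_ZONE_RECORDS: dict[str, dict[str, str]] = {
    HUB1_RESOLVER: {"sql-hub1.database.windows.net": "10.1.1.10"},
    HUB2_RESOLVER: {"sql-hub2.database.windows.net": "10.2.1.10"},
}


def normalize(qname: str) -> str:
    """Lower-case and strip a trailing dot so 'A.B.' and 'a.b' compare equal."""
    return qname.lower().rstrip(".")


def select_forwarder(qname: str, rules: dict[str, str]) -> str:
    """Return the forwarder for qname using longest-suffix (most specific zone) matching.

    rules maps a zone name (zone-level, e.g. 'database.windows.net') or a full
    host name (FQDN-level, e.g. 'sql-hub2.database.windows.net') to a resolver.
    """
    labels = normalize(qname).split(".")
    # Try the full name first, then progressively shorter suffixes, so an
    # FQDN-level rule always beats a zone-level rule for the same name.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in rules:
            return rules[candidate]
    return PUBLIC_RESOLVER


def resolve(qname: str, rules: dict[str, str]) -> str | None:
    """Forward qname per the rules; return the private IP, or None when the
    chosen resolver's private DNS zone has no record for it (the failure the
    issue describes)."""
    target = select_forwarder(qname, rules)
    return PRIVATE_ZONE_RECORDS.get(target, {}).get(normalize(qname))


# Zone-level forwarding: one rule for the whole public zone, pointing at Hub1.
ZONE_LEVEL_RULES = {"database.windows.net": HUB1_RESOLVER}

# FQDN-level forwarding: one rule per server, pointing at the hub that hosts
# its private endpoint.
FQDN_LEVEL_RULES = {
    "sql-hub1.database.windows.net": HUB1_RESOLVER,
    "sql-hub2.database.windows.net": HUB2_RESOLVER,
}

# Mixed: keep the zone-level default for servers behind Hub1 and add an
# FQDN-level override only for the server behind Hub2.
MIXED_RULES = {**ZONE_LEVEL_RULES, "sql-hub2.database.windows.net": HUB2_RESOLVER}


def compare(qname: str) -> dict[str, str | None]:
    """Resolve qname under each forwarding strategy for side-by-side comparison."""
    return {
        "zone_level": resolve(qname, ZONE_LEVEL_RULES),
        "fqdn_level": resolve(qname, FQDN_LEVEL_RULES),
        "mixed": resolve(qname, MIXED_RULES),
    }


if __name__ == "__main__":
    for name in ("sql-hub1.database.windows.net", "sql-hub2.database.windows.net"):
        print(name, compare(name))
```

Running the script shows `sql-hub2.database.windows.net` resolving to `None` under the zone-level rule (the query reached Hub1's resolver, which has no record for it) and to its private IP under the FQDN-level and mixed rule sets, because the longer suffix match routes it to Hub2's resolver.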

GitaraniSharma-MSFT commented 1 year ago

@ms-ishiyam, thank you for the update. We have assigned this to the content owner/author for review.

@asudbring , for your review.

asudbring commented 1 year ago

Sending to PM for review

reassign:@ivapplyr

AbdullahBell commented 4 months ago

Thanks for your dedication to our documentation. We have created an internal work item in our backlog to resolve this issue. If you determine another possible update to our documentation, please don't hesitate to reach out again. #please-close