MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Private DNS in a centralized Subscription #60119

Closed greendx closed 4 years ago

greendx commented 4 years ago

How can I get this configured with a Private DNS Zone located in another subscription?

I need to configure Azure Private Link between multiple Key Vaults located in spoke subscriptions to VNETs in their own subscriptions. I would like to use a single shared Private DNS Zone located in my HUB subscription. When following instructions in this document, Step 6 says "Leave the "integrate with the private zone DNS" option unchanged." Leaving the option unchanged creates a Private DNS zone in the subscription/VNET of the Key Vault and you end up with private zones in multiple subscriptions/VNETs.

Is it actually possible to use a centralized private DNS zone in a HUB subscription and configure resources such as Key Vault in spoke subscriptions to use private endpoints with centralized integrated private DNS?

I'm seeing multiple articles and design documents recommending Azure Private DNS based in a hub subscription but can't seem to figure out how to actually make this work.



psmanhas commented 4 years ago

@greendx Thank you for sharing your query! We are currently investigating and will get back to you shortly on this.

amanmcse commented 4 years ago

@greendx I tested your suggestion but I couldn't get the Hub subscription listed while creating the private endpoint. Even after adding the logged-in user as owner of the hub subscription, I can only see the subscription where the Key Vault is created.


@ShaneBala-keyvault could you please check if this is possible? Reassign:ShaneBala-keyvault

greendx commented 4 years ago

Hi - It wasn't so much a suggestion, more of an observation that it's possible in the portal interface to select a different subscription at that step but then even if you do select your HUB subscription, in the Private DNS zones drop box you are only presented with DNS zones in the VNET of the endpoint (spoke sub) so this doesn't work.

Ultimately the question is: How can you integrate and configure private DNS centrally in a HUB with key vaults in Spokes in a hub & spoke subscription model?

ShaneBala-keyvault commented 4 years ago

Hello, this configuration is possible, but it requires a manual configuration using PowerShell.

You must link the Private DNS Zone with your VNet that has the private link connection, AFTER the Private Link is created. This means that when you create the private link connection initially, you must choose "No" when you are presented with the option to integrate with a private DNS zone. Then you must configure the private DNS zone manually by linking the VNet and creating an A record.

Here are the commands in PowerShell: https://docs.microsoft.com/en-us/azure/dns/private-dns-getstarted-portal#link-the-virtual-network

Here is a list of troubleshooting steps if you run into issues:

• You don't have a Private DNS Zone resource, or it's using the wrong name. You must have a Private DNS Zone resource with the exact name: privatelink.vaultcore.azure.net.

• The Private DNS Zone is not linked to the Virtual Network. This way any DNS query originating from the virtual network will not use the private DNS zone and the public IP address will be returned. You can check and fix this in Azure Portal. Open the Private DNS Zone resource and click the Virtual network links option. The virtual network that will perform calls to the key vault must be listed. If it's not there, add it.

• The Private DNS Zone is missing an A record for the key vault. Still in the Private DNS Zone page, click Overview and check if there is an A record with the simple name of your key vault (i.e. fabrikam). Do not specify any suffix. Make sure you check the spelling, and either create or fix the A record. You can use a TTL of 3600 (1 hour). Make sure you specify the correct private IP address as explained below.

• The A record has the wrong IP address. You can confirm the IP address by opening the Private Endpoint resource in Azure Portal (which is the Microsoft.Network/privateEndpoints resource, i.e. not the Key Vault resource), then in the Overview page look for Network interface and click that link. It will show the Overview of the NIC resource, which contains the property Private IP address. That is the correct IP address that must be specified in the A record.
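The manual procedure and the four troubleshooting checks above, written out as one Az PowerShell script. This is an added example, not code from the issue or from the azure-docs project. It assumes the `Az.Accounts`, `Az.Network` and `Az.PrivateDns` modules are installed, that the signed-in identity has rights in both subscriptions (to read the private endpoint and VNet in the spoke, and to write zone links and records in the hub), and that the private endpoint was created with the DNS integration option set to "No". All subscription ids, resource group, VNet, vault and endpoint names are placeholders; only the zone name `privatelink.vaultcore.azure.net` is the exact value the page requires.

```powershell
# Added example (not from the original issue or the azure-docs project): link a hub-subscription
# Private DNS zone to a spoke VNet, publish the private endpoint's A record, and verify the result.
# Every id and name below except $zoneName is a placeholder to replace with your own values.

$hubSubscription   = '00000000-0000-0000-0000-000000000001'   # placeholder: hub subscription id
$spokeSubscription = '00000000-0000-0000-0000-000000000002'   # placeholder: spoke subscription id
$hubDnsRg          = 'rg-hub-dns'                             # placeholder: RG holding the shared zone
$spokeRg           = 'rg-spoke-kv'                            # placeholder: RG holding VNet, vault, endpoint
$spokeVnetName     = 'vnet-spoke'                             # placeholder: VNet that calls the vault
$vaultName         = 'fabrikam'                               # placeholder: bare vault name = A record name
$privateEndpoint   = 'pe-fabrikam'                            # placeholder: Microsoft.Network/privateEndpoints name
$zoneName          = 'privatelink.vaultcore.azure.net'        # exact zone name required for Key Vault

# 1. In the spoke subscription, read the private endpoint's NIC to get the correct private IP
#    (check 4 on the page: the A record must carry the NIC's private IP, not anything else).
Set-AzContext -Subscription $spokeSubscription | Out-Null
$pe        = Get-AzPrivateEndpoint -Name $privateEndpoint -ResourceGroupName $spokeRg
$nic       = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress
$vnet      = Get-AzVirtualNetwork -Name $spokeVnetName -ResourceGroupName $spokeRg

# 2. Switch to the hub subscription, where the single shared zone lives (check 1: exact name).
Set-AzContext -Subscription $hubSubscription | Out-Null
$zone = Get-AzPrivateDnsZone -ResourceGroupName $hubDnsRg -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    throw "Private DNS zone '$zoneName' not found in '$hubDnsRg'; it must exist with exactly this name."
}

# 3. Link the spoke VNet to the hub zone by resource id (check 2: zone linked to the VNet).
#    Auto-registration stays off; this zone only carries manually maintained privatelink records.
$linkName = "link-$spokeVnetName"
$link = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $hubDnsRg -ZoneName $zoneName `
            -Name $linkName -ErrorAction SilentlyContinue
if (-not $link) {
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $hubDnsRg -ZoneName $zoneName `
        -Name $linkName -VirtualNetworkId $vnet.Id | Out-Null
    Write-Host "Linked $spokeVnetName to $zoneName"
}

# 4. Create or correct the A record (check 3): bare vault name, no suffix, TTL 3600 seconds.
$desired  = New-AzPrivateDnsRecordConfig -IPv4Address $privateIp
$existing = Get-AzPrivateDnsRecordSet -ResourceGroupName $hubDnsRg -ZoneName $zoneName `
                -Name $vaultName -RecordType A -ErrorAction SilentlyContinue
if ($existing -and $existing.Records[0].Ipv4Address -ne $privateIp) {
    # Wrong IP published (check 4): replace the record set rather than appending a second address.
    Remove-AzPrivateDnsRecordSet -ResourceGroupName $hubDnsRg -ZoneName $zoneName `
        -Name $vaultName -RecordType A
    $existing = $null
}
if (-not $existing) {
    New-AzPrivateDnsRecordSet -ResourceGroupName $hubDnsRg -ZoneName $zoneName -Name $vaultName `
        -RecordType A -Ttl 3600 -PrivateDnsRecords $desired | Out-Null
    Write-Host "Published $vaultName.$zoneName -> $privateIp"
}

# 5. Verification, to be run from a VM inside the spoke VNet: the public name should resolve
#    through the privatelink CNAME to the private IP. A public IP here means the link or record
#    above is still missing from the zone the VNet actually uses.
function Test-VaultPrivateResolution {
    param([string]$Vault, [string]$ExpectedIp)
    $answers = Resolve-DnsName -Name "$Vault.vault.azure.net" -Type A -ErrorAction Stop
    $ip = ($answers | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
    [pscustomobject]@{ Resolved = $ip; Expected = $ExpectedIp; Private = ($ip -eq $ExpectedIp) }
}
# Test-VaultPrivateResolution -Vault $vaultName -ExpectedIp $privateIp
```

The script is idempotent: re-running it leaves an existing link and a correct record untouched, and only rewrites the A record when the published IP no longer matches the endpoint's NIC (for example after the endpoint is recreated). Step 5 is deliberately a function rather than run inline, because it only gives a meaningful answer from a machine whose DNS queries originate inside the linked VNet.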

ShaneBala-keyvault commented 4 years ago

please-close