Open AErmie opened 2 days ago
Originally, it was thought that if the Ministry Team created their own Private DNS Zone, and the appropriate virtual network link to their VNet, that they would be able to resolve the DNS record.
This did in fact work, but only when the Team changed the VNet DNS configuration from `Custom` to `Default`.
However, since the configuration of the spoke VNet is to use a custom DNS (aka the Azure Firewall, which is itself a proxy to the Private DNS Resolver), changing the VNet DNS configuration is not an option.
The final solution that worked, and that still satisfied the VNet custom DNS requirement (so that proper DNS logging occurs), was to allow the Ministry Team to create their custom Private DNS Zone (so that they could self-manage the DNS A-Records), and attach that Zone to the Private DNS Resolver VNet (similar to how all the Azure-based Private DNS Zones are linked).
This enabled the proper DNS resolution and logging, while empowering the Ministry Team to not have to rely on the Platform team to create/update/delete DNS A-Records.
With this solution tested and working, we need to create a way to manage customizations like this.
Ideally, this type of customization would be added to the Project Set Landing Zone Vending process, so that if/when a Project Set is no longer required, the customization is deleted.
This specific example would require the creation of an `azurerm_private_dns_zone_virtual_network_link` resource, which would require variables for existing `azurerm_private_dns_zone` and `azurerm_virtual_network` objects.
Scenario
A Ministry team requests a customization or exception to their Project Set. In this scenario, a team is trying to use Confluent Cloud, and requires Private Endpoints, a Private DNS Zone, and DNS A-Records.
Reference Confluent Cloud documentation:
According to the above referenced documentation, a custom Private DNS Zone needs to be created. However, the DNS Zone Name needs to "Use the Confluent Cloud DNS domain value from the Networking under Cluster Overview in the Confluent Cloud Console." This uses the pattern of `4kgzg.centralus.azure.confluent.cloud`. This means that for each Confluent Cloud cluster, a separate Private DNS Zone is required (i.e. you cannot use `*.azure.confluent.cloud` or `*.canadacentral.azure.confluent.cloud`).
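As an added illustration of the customization described above (the per-cluster zone name from the Scenario, and the `azurerm_private_dns_zone_virtual_network_link` with variables for the existing zone and VNet), the following Terraform is example code, not part of this issue or the Landing Zone Vending module; the resource group names, VNet name and variable names are placeholders.

```hcl
# Example only (not the vending module's code): link a Ministry-managed
# Private DNS Zone to the platform's Private DNS Resolver VNet so that the
# spoke VNet can keep its custom DNS (Azure Firewall -> Private DNS Resolver)
# and DNS logging is preserved. Names below are placeholders.

variable "private_dns_zone_name" {
  description = "Zone name copied from the Confluent Cloud DNS domain; one zone per cluster"
  type        = string
  default     = "4kgzg.centralus.azure.confluent.cloud"
}

variable "private_dns_zone_resource_group_name" {
  type    = string
  default = "rg-ministry-projectset-01" # placeholder
}

variable "resolver_vnet_name" {
  type    = string
  default = "vnet-private-dns-resolver" # placeholder
}

variable "resolver_vnet_resource_group_name" {
  type    = string
  default = "rg-platform-dns" # placeholder
}

# Existing objects: the zone is created and self-managed by the Ministry Team
# (A-records included); the VNet is the platform's Private DNS Resolver VNet.
data "azurerm_private_dns_zone" "ministry" {
  name                = var.private_dns_zone_name
  resource_group_name = var.private_dns_zone_resource_group_name
}

data "azurerm_virtual_network" "resolver" {
  name                = var.resolver_vnet_name
  resource_group_name = var.resolver_vnet_resource_group_name
}

# The link is created in the zone's resource group, so destroying the Project
# Set (and with it this customization) removes the link as well.
resource "azurerm_private_dns_zone_virtual_network_link" "ministry_to_resolver" {
  name                  = "link-${data.azurerm_virtual_network.resolver.name}"
  resource_group_name   = data.azurerm_private_dns_zone.ministry.resource_group_name
  private_dns_zone_name = data.azurerm_private_dns_zone.ministry.name
  virtual_network_id    = data.azurerm_virtual_network.resolver.id
  registration_enabled  = false # resolution only; no auto-registration of VM records
}
```

`registration_enabled = false` keeps the resolver VNet from auto-registering its own VM records into the Ministry zone, which is the same behaviour as the existing Azure-based Private DNS Zone links.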