Resolve Azure Internal DNS from your on prem network and Spokes vnet

Hi Everyone!

We have already implemented Hub-Spoke topology, and we are able to connect all the resources using IP from on premises network. But it is easier to use domain name instead ip directly from your virtual network. Also, If you want to use Azure Private Link, you need something which will resolve private link dns to respective ip. Other example is you have ASE v2 which comes with own domain but for your internal use you want some custom domain name which is easy to remember and also satisfy business need. So you need some service in Azure which can translate domain name to IP.

Azure provides Private DNS Zones as global service which provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. By using private DNS zones, we can use our own custom domain names rather than the Azure-provided names available today.

To resolve the records of a private DNS zone from virtual network, we must link the virtual network with the zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone. In our Hub-Spokes topology hub-vnet is the ideal vnet which can be linked with private DNS zone.

What about spokes vnet? Since they are not linked with private DNS zone they will not be able to resolve domain name. Also from your on-premise network it is not possible to resolve azure internal DNS. In this post we will going to solve this issue so that azure resources can be accessible from both spokes and on-premise.

To resolve this issue, we need to deploy DNS forwarder in Azure which will be responsible for resolving all the DNS queries via a server-level forwarder to the Azure-provided DNS Since this is common service we are going to deploy it in ManagementSubnet of hub-vnet.

We will start by creating Private DNS Zone which will be linked hub-vnet. For this demo, I am assuming you already have hub-spoke topology setup and connected with on-premise over VPN.

 1$ResourceGroupName = "dns-sandbox"
 2$ZoneName ="virtualmachine.internal"
 3$hubVnet = Get-AzVirtualNetwork `
 4              -Name "hub-vnet"
 6$zone = New-AzPrivateDnsZone `
 7           -ResourceGroupName $ResourceGroupName `
 8           -Name $ZoneName
10$link  = New-AzPrivateDnsVirtualNetworkLink `
11            -ResourceGroupName $ResourceGroupName `
12            -ZoneName $ZoneName `
13            -Name "LinkWithHub" `
14            -EnableRegistration `
15            -VirtualNetworkId $hubVnet.Id
Here I am taking Zone name as virtualmachine.internal, which means all the virtual machine created in hub-vnet will have dns name like *.virtualmachine.internal. Also I have enabled auto registration for this vnet which means any vm created in this vnet will be auto registered with this zone. Auto registration works only for virtual machines. For all other resources, you can create DNS records manually in the private DNS zone linked to the virtual network. Please note, you can enable auto registration process for vnet only for single zone. Once completed, go to resource group from azure portal, click on newly created on private DNS zone and you should have something like this - Private DNS Zone linked with hub-vnet

As I mentioned earlier, we will need DNS forwarder in hub-vnet. Let’s create that now with DNS feature enabled.

  1$LocationName = "centralindia"
  2$ResourceGroupName = "vm-sandbox"
  3$VMName = "DNSForwarder"
  4$ComputerName = $VMName
  5$VMSize = "Standard_B1ms"
  7$NetworkName = "hub-vnet"
  8$SubnetName = "ManagementSubnet"
  9$NICName = "$($VMName)-Nic"
 11$subnetAdressSpace = ""
 13$networkSecurityGroup = New-AzNetworkSecurityGroup `
 14                           -ResourceGroupName $ResourceGroupName `
 15                           -Location $LocationName `
 16                           -Name "$($VMName)-Nsg"
 18$Vnet = Get-AzVirtualNetwork `
 19            -Name $NetworkName
 20$SingleSubnet = Set-AzVirtualNetworkSubnetConfig `
 21                   -VirtualNetwork $Vnet `
 22                   -AddressPrefix $subnetAdressSpace `
 23                   -Name $SubnetName
 25$Vnet = Set-AzVirtualNetwork `
 26           -VirtualNetwork $VNET
 28$SingleSubnet = Get-AzVirtualNetworkSubnetConfig `
 29                   -VirtualNetwork $Vnet `
 30                   -Name $SubnetName
 32$NIC = Get-AzNetworkInterface `
 33          -Name $NICName
 34$PipRequired = "N"
 35if($PipRequired -eq "Y"){
 36    $Pip = New-AzPublicIpAddress `
 37              -ResourceGroupName $ResourceGroupName `
 38              -Location $LocationName `
 39              -AllocationMethod Dynamic `
 40              -Sku Basic `
 41              -Name "$($VMName)-PublicIp"
 43$ipconfig = New-AzNetworkInterfaceIpConfig `
 44               -Name "$($VMName)-IpConfig" `
 45               -Subnet $SingleSubnet -PublicIpAddress $Pip
 47else {
 48$ipconfig = New-AzNetworkInterfaceIpConfig `
 49               -Name "$($VMName)-IpConfig" `
 50               -Subnet $SingleSubnet
 53$NIC = New-AzNetworkInterface `
 54          -Name $NICName `
 55          -ResourceGroupName $ResourceGroupName `
 56          -Location $LocationName `
 57          -IpConfiguration $ipconfig `
 58          -NetworkSecurityGroup $networkSecurityGroup
 60$Credential = Get-Credential `
 61                 -Message "Enter a username and password for the virtual machine"
 63$VirtualMachine = New-AzVMConfig `
 64                     -VMName $VMName `
 65                     -VMSize $VMSize
 67$VirtualMachine = Set-AzVMBootDiagnostic `
 68                     -VM $VirtualMachine `
 69                     -Disable
 71$VirtualMachine = Set-AzVMOperatingSystem `
 72                     -VM $VirtualMachine `
 73                     -Windows `
 74                     -ComputerName $ComputerName `
 75                     -Credential $Credential `
 76                     -ProvisionVMAgent `
 77                     -EnableAutoUpdate
 79$VirtualMachine = Add-AzVMNetworkInterface `
 80                     -VM $VirtualMachine `
 81                     -Id $NIC.Id
 82$VirtualMachine = Set-AzVMSourceImage `
 83                     -VM $VirtualMachine `
 84                     -PublisherName 'MicrosoftWindowsServer' `
 85                     -Offer 'WindowsServer' `
 86                     -Skus '2019-Datacenter' `
 87                     -Version latest
 88$VirtualMachine = Set-AzVMOSDisk `
 89                     -VM $VirtualMachine `
 90                     -Name "$($VMName)-OsDisk" `
 91                     -StorageAccountType "Standard_LRS" `
 92                     -Windows `
 93                     -DiskSizeInGB 127 `
 94                     -CreateOption FromImage 
 96New-AzVM `
 97   -ResourceGroupName $ResourceGroupName `
 98   -Location $LocationName `
 99   -VM $VirtualMachine `
100   -Verbose
103# Install DNS
104$PublicSettings = '{"commandToExecute":"powershell Install-WindowsFeature -Name DNS -IncludeManagementTools"}'
106Set-AzVMExtension `
107        -ExtensionName "DNS" `
108        -ResourceGroupName $ResourceGroupName `
109        -VMName $VMName `
110        -Publisher "Microsoft.Compute" `
111        -ExtensionType "CustomScriptExtension" -TypeHandlerVersion 1.4 `
112        -SettingString $PublicSettings -Location $LocationName
Once completed, go to Private DNS Zone dashboard from Azure Portal, and you will see there is A record added for this vm automatically. Thanks to AutoRegistered! If you delete this vm, this record will be deregister automatically as well.

Now connect with this VM from on-prem (assuming you have connected with VPN) and try to connect with dnsforwarder.virtualmachine.internal. Oops! unable to connect. We will get back to this later. but for now lets connect with private ip.

Once logged in, search for DNS Manager. Right Click on the DNS Server name and click on Properties. DNS Manager Properties

Now go to Forwarder Tab and click on Edit.

Forwarder Tab

Add Azure DNS and click on OK.

Azure DNS Added

We just setup a DNS forwarder, this will help us to resolute any domain name from Azure DNS by azure recursive resolver.

Next step to setup this DNS forwarder server for all virtual networks so that all the domain name resolution should be done using this server only.

 1$dnsserver = ""
 3$hubVnet = Get-AzVirtualNetwork `
 4              -Name "hub-vnet"
 8Set-AzVirtualNetwork -VirtualNetwork $hubVnet
10$spoke1Vnet = Get-AzVirtualNetwork `
11              -Name "spoke1-vnet"
15Set-AzVirtualNetwork -VirtualNetwork $spoke1Vnet
18$spoke2Vnet = Get-AzVirtualNetwork `
19              -Name "spoke2-vnet"
23Set-AzVirtualNetwork -VirtualNetwork $spoke2Vnet
You need to restart all servers to take this effect. Also you need to delete the existing Point to Site VPN Gateway and reinstall it.

Now connect your VPN and connect the vm using DNS this time (I will assume you do not have any local DNS server setup).

PING working using DNS RDP Working using DNS

If you try the same from Spoke virtual networks it will work because all the virtual network is now pointed to DNS forwarder. We just implemented below architecture.

DNS Resolution Flow

comments powered by Disqus