
Review and update private DNS zones for private endpoint #1073

Closed
krowlandson opened this issue Oct 7, 2022 · 5 comments · Fixed by #1141
Assignees
Labels
engineering engineering work enhancement New feature or request Status: Fixed

Comments

@krowlandson
Contributor

krowlandson commented Oct 7, 2022

Description

Since the addition of private DNS zones for private endpoint support in the ALZ Portal accelerator, the list of services supporting private endpoint has grown.

There also appear to be a few changes in the documented zones required for services already included in the deployment templates.

Having done a quick review of the latest documented DNS zones, it appears we have some differences which need to be resolved as follows:

| Private link resource type / Subresource | Status |
|---|---|
| Azure Automation (Microsoft.Automation/automationAccounts) / Webhook, DSCAndHybridWorker | no changes identified |
| Azure SQL Database (Microsoft.Sql/servers) / sqlServer | no changes identified |
| Azure SQL Managed Instance (Microsoft.Sql/managedInstances) | needs testing to verify it works with the privatelink.{dnsPrefix}.database.windows.net format |
| Azure Synapse Analytics (Microsoft.Synapse/workspaces) / Sql | no changes identified |
| Azure Synapse Analytics (Microsoft.Synapse/workspaces) / SqlOnDemand | no changes identified |
| Azure Synapse Analytics (Microsoft.Synapse/workspaces) / Dev | no changes identified |
| Azure Synapse Studio (Microsoft.Synapse/privateLinkHubs) / Web | no changes identified |
| Storage account (Microsoft.Storage/storageAccounts) / Blob (blob, blobsecondary) | no changes identified |
| Storage account (Microsoft.Storage/storageAccounts) / Table (table, tablesecondary) | no changes identified |
| Storage account (Microsoft.Storage/storageAccounts) / Queue (queue, queuesecondary) | no changes identified |
| Storage account (Microsoft.Storage/storageAccounts) / File (file, filesecondary) | no changes identified |
| Storage account (Microsoft.Storage/storageAccounts) / Web (web, websecondary) | no changes identified |
| Azure Data Lake File System Gen2 (Microsoft.Storage/storageAccounts) / Data Lake File System Gen2 (dfs, dfssecondary) | no changes identified |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Sql | no changes identified |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / MongoDB | no changes identified |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Cassandra | no changes identified |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Gremlin | no changes identified |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Table | no changes identified |
| Azure Batch (Microsoft.Batch/batchAccounts) / batchAccount | need to verify whether the current regional implementation is correct |
| Azure Batch (Microsoft.Batch/batchAccounts) / nodeManagement | need to verify whether the current regional implementation is correct |
| Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) / postgresqlServer | no changes identified |
| Azure Database for MySQL (Microsoft.DBforMySQL/servers) / mysqlServer | no changes identified |
| Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) / mariadbServer | no changes identified |
| Azure Key Vault (Microsoft.KeyVault/vaults) / vault | no changes identified |
| Azure Key Vault (Microsoft.KeyVault/managedHSMs) / Managed HSMs | no changes identified |
| Azure Kubernetes Service - Kubernetes API (Microsoft.ContainerService/managedClusters) / management | need to validate the region format is correct and check requirements for the {subzone}.privatelink.{region}.azmk8s.io zone |
| Azure Search (Microsoft.Search/searchServices) / searchService | no changes identified |
| Azure Container Registry (Microsoft.ContainerRegistry/registries) / registry | need to test whether regional zones work as expected for {region}.privatelink.azurecr.io |
| Azure App Configuration (Microsoft.AppConfiguration/configurationStores) / configurationStores | no changes identified |
| Azure Backup (Microsoft.RecoveryServices/vaults) / AzureBackup | no changes identified |
| Azure Site Recovery (Microsoft.RecoveryServices/vaults) / AzureSiteRecovery | need to check, as the zone is now documented as being regional, i.e. privatelink.{region}.siterecovery.windowsazure.com |
| Azure Event Hubs (Microsoft.EventHub/namespaces) / namespace | no changes identified |
| Azure Service Bus (Microsoft.ServiceBus/namespaces) / namespace | no changes identified |
| Azure IoT Hub (Microsoft.Devices/IotHubs) / iotHub | no changes identified |
| Azure Relay (Microsoft.Relay/namespaces) / namespace | no changes identified |
| Azure Event Grid (Microsoft.EventGrid/topics) / topic | no changes identified |
| Azure Event Grid (Microsoft.EventGrid/domains) / domain | no changes identified |
| Azure Web Apps (Microsoft.Web/sites) / sites | no changes identified |
| Azure Machine Learning (Microsoft.MachineLearningServices/workspaces) / amlworkspace | no changes identified |
| SignalR (Microsoft.SignalRService/SignalR) / signalR | no changes identified |
| Azure Monitor (Microsoft.Insights/privateLinkScopes) / azuremonitor | no changes identified |
| Cognitive Services (Microsoft.CognitiveServices/accounts) / account | no changes identified |
| Azure File Sync (Microsoft.StorageSync/storageSyncServices) / afs | need to check, as the zone is now documented as being regional, i.e. privatelink.{region}.afs.azure.net |
| Azure Data Factory (Microsoft.DataFactory/factories) / dataFactory | no changes identified |
| Azure Data Factory (Microsoft.DataFactory/factories) / portal | no changes identified |
| Azure Cache for Redis (Microsoft.Cache/Redis) / redisCache | no changes identified |
| Azure Cache for Redis Enterprise (Microsoft.Cache/RedisEnterprise) / redisEnterprise | no changes identified |
| Microsoft Purview (Microsoft.Purview) / account | no changes identified |
| Microsoft Purview (Microsoft.Purview) / portal | no changes identified |
| Azure Digital Twins (Microsoft.DigitalTwins) / digitalTwinsInstances | no changes identified |
| Azure HDInsight (Microsoft.HDInsight) | no changes identified |
| Azure Arc (Microsoft.HybridCompute) / hybridcompute | no changes identified |
| Azure Media Services (Microsoft.Media) / keydelivery, liveevent, streamingendpoint | no changes identified |
| Azure Data Explorer (Microsoft.Kusto) | missing |
| Azure Static Web Apps (Microsoft.Web/staticSites) / staticSites | missing |
| Azure Migrate (Microsoft.Migrate) / migrate projects, assessment project and discovery site | missing |
| Azure Managed HSM (Microsoft.Keyvault/managedHSMs) / managedhsm | missing |
| Azure API Management (Microsoft.ApiManagement/service) / gateway | missing |
| Microsoft PowerBI (Microsoft.PowerBI/privateLinkServicesForPowerBI) | missing |
| Azure Bot Service (Microsoft.BotService/botServices) / Bot | missing |
| Azure Bot Service (Microsoft.BotService/botServices) / Token | missing |

Describe the solution you'd like

Update the module to reflect the latest changes in available services with private endpoint support.

Additional context

Related to: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/482

@ghost ghost added the Needs: Triage 🔍 Needs triaging by the team label Oct 7, 2022
@jtracey93 jtracey93 added enhancement New feature or request engineering engineering work and removed Needs: Triage 🔍 Needs triaging by the team labels Nov 18, 2022
@pkorolo
Contributor

pkorolo commented Nov 18, 2022

Hello @krowlandson, findings up to now, just the ones that have relevance to ALZ RI:

1. This page (as well as the official documentation at https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) needs a minor fix in "Storage Account (File)", in the sense that there is no such thing as "filesecondary".
2. Azure Batch has indeed shifted from "privatelink.{region}.batch.azure.com" to "privatelink.batch.azure.com"; this is substantiated by https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns and https://learn.microsoft.com/en-us/azure/batch/private-connectivity; ALZ RI needs an update.
3. Azure Container Registry requires {region} when geo-replication (premium SKU) is used; details here: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-private-link. Indeed, as-is, ALZ RI creates and associates the DNS zone for the "non-geo" scenario.
4. Azure Site Recovery: although I recall having seen "regional" zones documented at some point myself, the current version of the existing documentation converges towards "privatelink.siterecovery.windowsazure.com" usage (https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns, https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints, https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints#create-private-dns-zones-and-add-dns-records-manually, https://learn.microsoft.com/en-us/azure/site-recovery/hybrid-how-to-enable-replication-private-endpoints, etc.). NOTE: there is a minor glitch in the current ALZ RI, detailed at https://dev.azure.com/CSUSolEng/Azure%20Landing%20Zones/_workitems/edit/23128
5. Azure File Sync: the documentation contains "mixed" messaging (https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns and https://learn.microsoft.com/en-us/azure/storage/file-sync/file-sync-networking-endpoints?tabs=azure-portal lean towards "regional", but https://learn.microsoft.com/en-us/azure/storage/file-sync/file-sync-networking-overview says otherwise). Most probably, ALZ RI needs updating, because as-is it reflects the "non-regional" DNS zone implementation and association.
6. Azure Migrate: per the existing docs (https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns), it has been added to ALZ RI via PR 1109 (Added new built-in Policies into the Initiative #1109).

@pkorolo
Contributor

pkorolo commented Nov 22, 2022

Thank you @krowlandson for drawing my attention to point 5 (File Sync).
Indeed, RI does not need an update after all for this specific (AFS) service PE.
We keep the "privatelink.afs.azure.net" deployment, and the "{region}.privatelink.afs.azure.net" is taken care of by itself at PE implementation time (tested this in the lab).
Obviously, the above matrix needs "fixing" at this point, because it mentions "privatelink.{region}.afs.azure.net" and should say "{region}.privatelink.afs.azure.net" (actually the same applies to "privatelink.{region}.siterecovery.windowsazure.com", which should be "privatelink.siterecovery.windowsazure.com"), apparently because in the meantime the documentation has been updated.

@kamilzzz

I am wondering about scm.privatelink.azurewebsites.net zone which was added to the documentation 20 days ago (MicrosoftDocs/azure-docs@bc03294).

Should it also be deployed as a part of connectivity landing zone as a separate private DNS zone? Or maybe main privatelink.azurewebsites.net is enough, as scm.privatelink.azurewebsites.net is basically just a subzone of the main zone?

@pkorolo
Contributor

pkorolo commented Nov 23, 2022

> I am wondering about scm.privatelink.azurewebsites.net zone which was added to the documentation 20 days ago (MicrosoftDocs/azure-docs@bc03294).
>
> Should it also be deployed as a part of connectivity landing zone as a separate private DNS zone? Or maybe main privatelink.azurewebsites.net is enough, as scm.privatelink.azurewebsites.net is basically just a subzone of the main zone?

Hello @kamilzzz, the main zone is enough. Either via policy or manually, PE creation creates both A records in the main zone, "app_name.privatelink.azurewebsites.net" and "app_name.scm.privatelink.azurewebsites.net" (verified through lab).
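The two questions the thread keeps circling back to are (a) which zones are regional, so one zone per region must exist before a PE in that region can register its record, and (b) which records simply land in an already-deployed parent zone, as the AFS "{region}.privatelink.afs.azure.net" and Web Apps "scm" records do. The following is an added example (not code from this issue or the ALZ accelerator) that reconciles a constructed set of deployed zones against the zone templates named in this thread and answers, per PE FQDN, which deployed zone would host its A record; a `None` there means the PE would fall back to public resolution. The zone templates are the ones quoted in the comments above, the deployed set and region list are constructed sample data, and the AKS template omits the {subzone} prefix the matrix mentions.

```python
# Added example, not part of the issue or the ALZ accelerator: reconcile deployed
# private DNS zones against the regional/non-regional templates discussed in the thread.

# Zone templates as quoted in the thread; {region} marks a per-region zone.
REQUIRED_ZONE_TEMPLATES = [
    "privatelink.batch.azure.com",              # Batch, no longer regional (point 2)
    "privatelink.afs.azure.net",                # AFS parent zone; region records live inside it
    "privatelink.siterecovery.windowsazure.com",  # Site Recovery, non-regional (point 4)
    "privatelink.azurewebsites.net",            # Web Apps; scm records live inside it
    "{region}.privatelink.azurecr.io",          # geo-replicated ACR, one zone per region
    "privatelink.{region}.azmk8s.io",           # AKS API server, one zone per region
]

# Constructed sample: what a connectivity subscription actually has deployed.
DEPLOYED_ZONES = {
    "privatelink.afs.azure.net",
    "privatelink.siterecovery.windowsazure.com",
    "privatelink.azurewebsites.net",
    "privatelink.westeurope.azmk8s.io",
}


def expand_zones(templates, regions):
    """Expand {region} placeholders; non-regional templates expand to themselves."""
    zones = set()
    for template in templates:
        if "{region}" in template:
            zones.update(template.format(region=r) for r in regions)
        else:
            zones.add(template)
    return zones


def missing_zones(deployed, templates, regions):
    """Zones required for the given regions that are not deployed (case-insensitive)."""
    deployed_lc = {z.lower().rstrip(".") for z in deployed}
    return sorted(z for z in expand_zones(templates, regions) if z not in deployed_lc)


def hosting_zone(fqdn, deployed):
    """Longest-suffix match: the deployed zone that would hold fqdn's A record, else None."""
    labels = fqdn.lower().rstrip(".").split(".")
    deployed_lc = {z.lower().rstrip(".") for z in deployed}
    for i in range(1, len(labels)):  # longest proper suffix first
        candidate = ".".join(labels[i:])
        if candidate in deployed_lc:
            return candidate
    return None
```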

@jtracey93 jtracey93 assigned jtracey93 and pkorolo and unassigned pkorolo Nov 28, 2022
jtracey93 added a commit that referenced this issue Nov 28, 2022
* fix 1073 and update whats new

* remove whitespace in array

* added DNS zones
@ghost ghost added the Status: Fixed label Nov 28, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Dec 29, 2022