It is advised that conditional forwarders should be configured for the root of the Azure services' names.
This does not take into account if users need to access Azure services hosted by another organization which also use Private Endpoints.
For example, our organization has our own Azure API Management private endpoint.
We have conditional forwarding configured for azure-api.net to a DNS resolver within Azure which also has the conditional forwarder to resolve it against 168.63.129.16.
Our users needed to access an API hosted by another entity which also uses Azure API Management; this entity also has a private endpoint in addition to a public endpoint for their Azure API Management instance.
The result was DNS wouldn't resolve because of how the documentation advises to forward the root of the domain.
Since the .privatelink.azure-api.net FQDN didn't exist in our tenant, it failed to resolve.
The fix was to add another conditional forwarder for the specific FQDNs to resolve externally rather than against 168.63.129.16.
In my opinion the guidance in this documentation is wrong.
You should set up conditional forwarders only for your services' specific FQDNs and not the root domains to account for such scenarios.
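The resolution chain the issue describes can be reproduced with a small model. The following is an added example and not part of the issue or of the Azure documentation; the resolver names, zone contents and IP addresses (20.0.0.x as public addresses, 10.1.0.4 as the private endpoint address, "ourorg" and "partner" as the two API Management instances) are constructed. It models two behaviours: conditional forwarders choose the upstream by longest matching suffix, and an Azure private DNS zone linked to the VNet overrides the public zone for the whole privatelink suffix, including CNAME targets, so a name that exists publicly but not in the tenant's private zone comes back NXDOMAIN.

```python
"""Model of the Private Endpoint DNS scenario from the issue (constructed example).

Assumptions: resolver names, zone data and IP addresses are made up; the
Azure-provided DNS address 168.63.129.16 is the one quoted in the issue.
"""
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]           # ("A", "1.2.3.4") or ("CNAME", "target.example")
Answer = Optional[List[Record]]    # answer chain; None models NXDOMAIN

AZURE_PROVIDED_DNS_IP = "168.63.129.16"   # quoted in the issue; a label only here


def in_suffix(fqdn: str, suffix: str) -> bool:
    """True when fqdn equals suffix or lies beneath it."""
    return fqdn == suffix or fqdn.endswith("." + suffix)


class Resolver:
    def __init__(self, name: str,
                 zones: Optional[Dict[str, Dict[str, Record]]] = None,
                 forwarders: Optional[Dict[str, "Resolver"]] = None,
                 default: Optional["Resolver"] = None) -> None:
        self.name = name
        # zones: suffix -> {fqdn: record}. The resolver answers the whole suffix
        # from this data and nothing else (how a linked private DNS zone behaves).
        self.zones = zones or {}
        self.forwarders = forwarders or {}    # suffix -> upstream resolver
        self.default = default                # upstream when no suffix matches

    def _zone_for(self, fqdn: str) -> Optional[str]:
        hits = [z for z in self.zones if in_suffix(fqdn, z)]
        return max(hits, key=len) if hits else None

    def lookup(self, fqdn: str) -> Answer:
        zone = self._zone_for(fqdn)
        if zone is not None:                  # answer from own zone data only
            rec = self.zones[zone].get(fqdn)
            if rec is None:
                return None                   # NXDOMAIN: name absent from the zone
            if rec[0] == "CNAME":
                rest = self.lookup(rec[1])
                return None if rest is None else [rec] + rest
            return [rec]
        hits = [s for s in self.forwarders if in_suffix(fqdn, s)]
        upstream = self.forwarders[max(hits, key=len)] if hits else self.default
        if upstream is None:
            return None
        chain = upstream.lookup(fqdn)
        if chain is None:
            return None
        # Re-check every CNAME target against our own zones: this is where a
        # linked private zone overrides the public answer for privatelink.* names.
        out: List[Record] = []
        for rec in chain:
            out.append(rec)
            if rec[0] == "CNAME" and self._zone_for(rec[1]) is not None:
                rest = self.lookup(rec[1])
                return None if rest is None else out + rest
        return out


# Public DNS: both API Management instances CNAME to their privatelink names,
# and the public privatelink records point at public IPs (constructed values).
PUBLIC = Resolver("public-internet", zones={"azure-api.net": {
    "ourorg.azure-api.net": ("CNAME", "ourorg.privatelink.azure-api.net"),
    "ourorg.privatelink.azure-api.net": ("A", "20.0.0.1"),
    "partner.azure-api.net": ("CNAME", "partner.privatelink.azure-api.net"),
    "partner.privatelink.azure-api.net": ("A", "20.0.0.2"),
}})

# Azure-provided DNS with our tenant's private zone linked: only OUR endpoint is in it.
AZURE_DNS = Resolver(f"azure-provided-dns({AZURE_PROVIDED_DNS_IP})",
                     zones={"privatelink.azure-api.net": {
                         "ourorg.privatelink.azure-api.net": ("A", "10.1.0.4")}},
                     default=PUBLIC)

# The DNS resolver inside Azure that forwards azure-api.net on to 168.63.129.16.
AZURE_RESOLVER = Resolver("dns-private-resolver",
                          forwarders={"azure-api.net": AZURE_DNS}, default=AZURE_DNS)


def build_onprem(specific_forwarder: bool) -> Resolver:
    """On-premises resolver: root forwarder as documented, optionally plus the fix."""
    fwd: Dict[str, Resolver] = {"azure-api.net": AZURE_RESOLVER}
    if specific_forwarder:
        fwd["partner.azure-api.net"] = PUBLIC   # more specific suffix resolves externally
    return Resolver("onprem-dns", forwarders=fwd, default=PUBLIC)


def final_ip(resolver: Resolver, fqdn: str) -> Optional[str]:
    chain = resolver.lookup(fqdn)
    return chain[-1][1] if chain and chain[-1][0] == "A" else None


if __name__ == "__main__":
    for label, onprem in (("root forwarder only", build_onprem(False)),
                          ("plus specific forwarder", build_onprem(True))):
        for name in ("ourorg.azure-api.net", "partner.azure-api.net"):
            print(f"{label:24} {name:24} -> {final_ip(onprem, name) or 'NXDOMAIN'}")
```

With only the root forwarder, the partner's name resolves publicly to a CNAME under privatelink.azure-api.net, the Azure-provided DNS then answers that target from the linked private zone where it does not exist, and the query fails; our own endpoint resolves to its private address. Adding the more specific forwarder for the partner FQDN sends that query to an external resolver before the private zone is ever consulted, which is the fix the issue describes, while our own name keeps resolving privately.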
@airmnichols
Thank you for bringing this to our attention.
I've delegated this to content author, who will review it and offer their insightful opinions.
For this documentation:
https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/private-link/private-endpoint-dns-integration.md
services: private-link
author: @abell
ms.service: azure-private-link
ms.topic: conceptual
ms.author: @abell