Firewall and DNS Private Zones Virtual Network Links not supported?
Closed this issue · 5 comments
What happened? Provide a clear and concise description of the bug, including deployment details.
Context
- The ALZ Hub v0.17.0 has been configured with an Azure Firewall Standard.
- With the ALZ Hub, DNS Private Zones are created with Virtual Network Links to the Hub Network. And seems to be directly connected with the Azure Firewall Subnet.
Initially no problems. But after a while, when re-deploying the ALZ Hub again, errors appeared. The effect was that no changes to ALZ Firewall and Firewall Policies could be deployed using the standard ALZ Pipeline Script. Error message. Provisioning state failed.
Investigation
It seemed that especially 'privatelink.blob.core.windows.net' Virtual Network Link to Hub Network caused issues. That was investigated by Microsoft Support. Microsoft Support also reported that the Azure Firewall has known issues with the Private DNS Zones. See https://learn.microsoft.com/en-us/azure/firewall/firewall-known-issues. They advised to remove the Private DNS Zones Virtual Network Links to the Hub Network
Question
Are there known issues or best practices using 'DNS Private Zones Virtual Network Links' to ALZ Hub with an Azure Firewall?
Please provide the correlation id associated with your error or bug.
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
What was the expected outcome?
ALZ Firewall and Firewall Policies can be deployed using the standard ALZ Hub Pipeline Script.
Relevant log output
"properties": {
"statusCode": "Conflict",
"statusMessage": "{"status":"Failed","error":{"code":"ResourceDeploymentFailure","target":"/subscriptions/66666-66666-66666-66666-66666/resourceGroups/rg-alz-connectivity-prod-we/providers/Microsoft.Network/firewallPolicies/fw-hub-policies-prod-we/ruleCollectionGroups/AzureCommonApplicationRules","message":"The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.","details":[{"code":"FirewallPolicyUpdateFailed","message":"Put on Firewall Policy fw-hub-policies-prod-we Failed with 1 faulted referenced firewalls"}]}}",
"eventCategory": "Administrative",
"entity": "/subscriptions/66666-66666-66666-66666-66666/resourcegroups/rg-alz-connectivity-prod-we/providers/Microsoft.Network/firewallPolicies/fw-hub-policies-prod-we/ruleCollectionGroups/AzureCommonApplicationRules",
"message": "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write",
"hierarchy": "66666-66666-66666-66666-66666/alz/alz-it-alz/alz-it-alz-connectivity/66666-6666-666-6666"
}
Check previous GitHub issues
- I have searched the issues for this item and found no duplicate
Code of Conduct
- I agree to follow this project's Code of Conduct
Hey @renebrandnewday,
Thanks for the issue.
The errors you were seeing are a common thing I'm afraid with Azure Firewall sometimes, as you can see from this previous issue #530.
The question around Private DNS Zones is a new one for us; however, it doesn't seem related and only seems to suggest that if the Private DNS Zones are linked to the VNet where the Azure Firewall is deployed, the Azure Firewall will not resolve against the Private DNS Zones.
Therefore you need to configure the Azure Firewall custom DNS server and point it to a Private DNS Resolver inbound endpoint or a custom DNS server IP, and potentially make it act as a DNS proxy also, for consistent resolution for clients and the Azure Firewall.
Hope that makes sense and helps.
We are using the default settings for the ALZ Firewall policy DNS, which are:
- DNS settings will be applied on the policy
- Use the Default (Azure provided)
- DNS Proxy is Enabled
When this problem occurred, together with the PTA team we could get the firewall into a Succeeded state by unlinking privatelink.blob.core.windows.net and running the GET/SET operation again, so without deleting and redeploying the Azure Firewall.
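The DNS wiring the maintainer describes (Azure Firewall pointed at a Private DNS Resolver inbound endpoint with DNS proxy left on), set against the Azure-provided default the reporter lists, written out as an added Bicep example. This is not code from the ALZ-Bicep project; the VNet name, resolver subnet, inbound endpoint IP and API versions are assumptions, and the policy name is the one from the log above.

```bicep
// Added example (not ALZ-Bicep code): hub-side DNS wiring so that Azure Firewall resolves
// privatelink zones through a Private DNS Resolver inbound endpoint instead of the
// Azure-provided default. Names, address and API versions below are assumptions.
param location string = resourceGroup().location
param hubVnetName string = 'vnet-hub-prod-we'          // assumed hub VNet name
param resolverSubnetName string = 'snet-dns-inbound'   // assumed; delegated to Microsoft.Network/dnsResolvers
param resolverInboundIp string = '10.0.2.4'            // assumed static IP inside that subnet

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: hubVnetName
}

// Private DNS Resolver in the hub VNet. Its inbound endpoint IP is what the firewall queries;
// the resolver answers from the Private DNS Zones linked to this VNet.
resource dnsResolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: 'dnspr-hub-prod-we'
  location: location
  properties: {
    virtualNetwork: { id: hubVnet.id }
  }
}

resource inboundEndpoint 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: dnsResolver
  name: 'inbound'
  location: location
  properties: {
    ipConfigurations: [
      {
        subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnetName, resolverSubnetName) }
        privateIpAllocationMethod: 'Static'
        privateIpAddress: resolverInboundIp
      }
    ]
  }
}

// Firewall policy. The reporter's default ("Use the Default (Azure provided)", proxy enabled)
// corresponds to an empty server list:
//   dnsSettings: { servers: [], enableProxy: true }
// Here the policy points at the resolver's inbound endpoint and keeps the proxy on, so the
// firewall and any spoke whose VNet DNS is set to the firewall's private IP get the same
// answers for privatelink.* names.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fw-hub-policies-prod-we'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    dnsSettings: {
      servers: [ inboundEndpoint.properties.ipConfigurations[0].privateIpAddress ]
      enableProxy: true
    }
  }
}
```

After deploying, a quick check is to compare `nslookup <storageaccount>.blob.core.windows.net` from a spoke VM (DNS set to the firewall's private IP) with the same lookup from a hub VM: both should return the private endpoint address from the privatelink zone rather than the public one.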
Sounds like the issue is "Use the Default (Azure provided)", as that is what the known issue refers to and says is not supported.
Could you share the support ticket number with me?
Sorry, for the late reply. The case created was:
Case 2407090040002495 Your question was successfully submitted to Microsoft Support TrackingID#2407090040002495
Why does ALZ link by default to the firewall subnet? Or doesn't it?
@renebrandnewday did you get a new reply from support?
ALZ links the Private DNS Zones to the connectivity VNet where the Azure Firewall is located.
Have you tried configuring a custom DNS server on the Azure Firewall instead of using the Azure default?