This repository will help set up Azure DNS to function in a hub and spoke model with private DNS zones and use of on-premises DNS resolvers.
This ARM template deploys a virtual machine scale set consisting of 3 Ubuntu 18.04 VMs with dnsmasq installed and configured. It is deployed in a stateless configuration, so the VMs can automatically patch and self-heal in the event of a failed instance. The VMs will answer DNS queries from any host that can reach them via internal traffic (but not the internet). Queries will be forwarded to the Azure DNS servers, but domains can be configured to be delegated to on-premises servers if desired.
- Deploy via the portal
- Deploy via the command line
  - Modify parameters.json as appropriate for your environment
    - Required
      - `vnetName`: the name of the virtual network to deploy into
      - `vnetRGName`: the name of the resource group `vnetName` is in, if not the same as the template deployment.
      - `subnetName`: the name of the subnet in `vnetName` to use
      - `sshKey`: the public key to assign to `sshUser` (`sshUser` is set to `azureuser` by default)
    - Optional
      - `deployExternalLoadBalancer`: needed to allow external connectivity per scenario 2 unless your network has egress enabled via a UDR to an Azure Firewall, Azure NAT Gateway, or NVA.
      - `externalLoadBalancerName`: name of the external load balancer to deploy if `deployExternalLoadBalancer` is true. Defaults to `lbe-dnsfwd-<region>-001`
      - `externalLoadBalancerPublicIPName`: name of the public IP for the external load balancer if `deployExternalLoadBalancer` is true. Defaults to `lbe-dnsfwd-<region>-001-pip`
      - `internalLoadBalancerName`: name of the internal load balancer to deploy in front of the VM scale set. Defaults to `lbi-dnsfwd-<region>-001`
      - `vmssName`: name of the virtual machine scale set. Defaults to `vmss-dnsfwd-<region>-001`
      - `stgAcctName`: the name of the storage account to use for boot diagnostics. If not supplied, boot diagnostics will not be enabled.
      - `sshUser`: the username to use for admin access via SSH. Defaults to `azureuser`
      - `optionLine#`, where # is 1-8: additional option lines to add to /etc/dnsmasq.conf. These can be used to direct traffic for your internal domains to other name servers as appropriate. For example, you can send traffic for your internal domains `mydomain.com` and `mydomain2.com` to 10.0.10.10 by including the line `server=/mydomain.com/mydomain2.com/10.0.10.10`. See the dnsmasq man page for more details.
  - Deploy the template
    - Using Azure CLI

      ```shell
      az deployment group create \
        --resource-group rg-hub-dnsfwd-centralus \
        --template-file template-vmss.json \
        --parameters @parameters.json
      ```

    - Using Azure PowerShell

      ```powershell
      New-AzResourceGroupDeployment `
        -ResourceGroupName rg-hub-dnsfwd-centralus `
        -TemplateFile .\template-vmss.json `
        -TemplateParameterFile .\parameters.json
      ```
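As an added example (not code from this repository), the following Python script checks the `optionLine` values in a parameters.json before the deployment above is run, since every non-empty value is appended verbatim to /etc/dnsmasq.conf on the forwarders. It assumes the standard ARM parameters-file layout (the embedded sample is constructed) and deliberately accepts only `server=/domain/.../ip` forwarding lines whose target is a private address; both restrictions are this example's own policy, not something the template enforces.

```python
"""Validate optionLine1..8 in an ARM parameters file for the dnsmasq forwarder
template.  Added example, not part of the repository.  Policy assumed here:
only 'server=/domain/.../ip' lines are accepted, and the upstream must be a
private (RFC 1918 / ULA) address, so a typo or stray option cannot redirect
internal-domain lookups somewhere unexpected."""
import ipaddress
import json
import re

# Constructed sample in ARM parameters-file layout; only optionLine values matter here.
SAMPLE_PARAMETERS = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vnetName": {"value": "vnet-hub-centralus-001"},
        "subnetName": {"value": "snet-dnsfwd"},
        "optionLine1": {"value": "server=/mydomain.com/mydomain2.com/10.0.10.10"},
        "optionLine2": {"value": "server=/corp.example/10.0.10.11"},
        "optionLine3": {"value": ""},
    },
})

MAX_OPTION_LINES = 8  # the template exposes optionLine1 .. optionLine8
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_domain(name: str) -> bool:
    """Accept a domain such as mydomain.com (non-empty, well-formed labels)."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def parse_server_line(line: str) -> tuple[list[str], str]:
    """Split 'server=/d1/d2/ip' into (domains, ip); raise ValueError otherwise."""
    if "\n" in line or "\r" in line:
        raise ValueError("option line must be a single line")
    if not line.startswith("server=/"):
        raise ValueError(f"only server=/domain/.../ip lines are accepted: {line!r}")
    parts = line[len("server="):].split("/")
    # 'server=/d1/d2/ip' splits into ['', 'd1', 'd2', 'ip']
    if len(parts) < 3 or parts[0] != "":
        raise ValueError(f"malformed server line: {line!r}")
    domains, target = parts[1:-1], parts[-1]
    bad = [d for d in domains if not valid_domain(d)]
    if bad:
        raise ValueError(f"invalid domain name(s) {bad} in {line!r}")
    try:
        ip = ipaddress.ip_address(target)
    except ValueError as exc:
        raise ValueError(f"upstream must be an IP address, got {target!r}") from exc
    # Assumption of this example: on-premises resolvers live on private address space.
    if not ip.is_private:
        raise ValueError(f"upstream {ip} is not a private address")
    return domains, str(ip)


def is_valid_option_line(line: str) -> bool:
    """Boolean wrapper around parse_server_line for quick checks."""
    try:
        parse_server_line(line)
        return True
    except ValueError:
        return False


def collect_option_lines(parameters_json: str) -> list[str]:
    """Return the validated, non-empty optionLine values in numeric order."""
    params = json.loads(parameters_json)["parameters"]
    lines = []
    for i in range(1, MAX_OPTION_LINES + 1):
        value = params.get(f"optionLine{i}", {}).get("value", "")
        if not value.strip():
            continue  # unset lines are normal; the template simply omits them
        domains, ip = parse_server_line(value.strip())
        lines.append(f"server=/{'/'.join(domains)}/{ip}")
    return lines


def render_dnsmasq_fragment(parameters_json: str) -> str:
    """Render the lines exactly as they would be appended to /etc/dnsmasq.conf."""
    return "\n".join(collect_option_lines(parameters_json)) + "\n"


if __name__ == "__main__":
    print(render_dnsmasq_fragment(SAMPLE_PARAMETERS), end="")
```

Run it against your own file by replacing `SAMPLE_PARAMETERS` with the contents of parameters.json; a `ValueError` names the offending line, which is cheaper to catch here than after the scale set has rebuilt itself with a broken dnsmasq.conf.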
This policy will automatically deploy a link from any private DNS zone in scope to the hub vnet where your DNS forwarders are running, if one does not already exist. This is critical so that your DNS servers can resolve private DNS zones linked to a spoke virtual network.
This policy will ensure that all virtual networks deployed have the DNS servers set to the values specified so that DNS lookups forward to on-premises and private DNS zones correctly.
Also provided is a script that will forward all currently used Azure Private Link DNS domains from an on-premises Active Directory DNS server to the forwarders deployed above. If you create custom private DNS zones in Azure, you will need to set your forwarding up in the same way if you want them resolvable from on premises.