An Azure Function that responds to Microsoft.Resources.ResourceWriteSuccess and Microsoft.Resources.ResourceDeleteSuccess events for Private Endpoints and Network Interfaces to automatically add DNS recordsets in the appropriate Private DNS Zone.
This is useful for enabling automatic DNS registration at scale across any number of Subscriptions and across regions. Additionally, the ability to tag a NIC with a hostname streamlines the creation of DNS entries for resources such as internal load balancers or providing alternate hostnames for VMs.
There are three steps for setting up this solution:
- Deploy the Azure Function using the included template (
./templates/azuredeploy.function.json). - Create a
Private DNS Zone Contributorrole assignment for the Azure Function's system managed identity over the scope of your private DNS zones. You'll also need to create aReaderrole assignment for the Azure Function's system managed identity for the entire scope of your environment so it can get Private Endpoints and Network Interfaces. - Create the system topic Event Grid subscriptions to be handled by the newly deployed Azure Function. For increased scalability, this template should be incorporated into a baseline Blueprint assigned to your subscriptions.
- All private DNS zones in your environment are consolidated in a single Resource Group
- Your environment utilizes a single private DNS zone VMs and Load Balancers (i.e. non-PrivateEndpoint resources)
If your environment doesn't have the Private Endpoint private DNS zones created, consider utilizing this template to deploy the DNZ zones an optionally linking to a Virtual Network:
Use the Deploy to Azure button below to begin deployment of the Azure Function. You will need to provide the following parameter values:
- location
- Defaults to Resource Group location
- name
- Name for all the resources to be created
- tenantId
- Defaults to subscription tenant
- privateDnsSubscriptionId
- ID of the Subscription which contains your environment's private DNS zones
- Defaults to subscription to which the template is being deployed
- privateDnsResourceGroupName
- Name of the Resource Group which contains your environment's private DNS zones
- defaultPrivateDnsZone
- The name of your private DNS zone for Azure VMs and internal load balancers
- Ex: azure.mycompany.net
- hostnameTagName
- Tag name to use for specifying hostnames on Network Interface resources
- zipPackageUrl
- URL to MSDeploy zip file of the code in this repo
- Defaults to the latest CI release of this repo
Use one of the following guides for creating a Private DNS Zone Contributor role assignment for the newly deploy Azure Function's system managed identity over the private DNS zone scope and a Reader role assignment for the Azure Function's system managed identity for the entire scope of your environment:
- Add or remove Azure role assignments using the Azure portal
- Add or remove Azure role assignments using Azure PowerShell
- Add or remove Azure role assignments using Azure CLI
Alternatively, if a Reader is too permissive you may create a custom RBAC role that includes read on private endpoints, network interfaces, and virtual machines. See this template for an example that may be deployed at the resource, resouce group, subscription, or management group scope.
The last step is to create the system topic Event Grid subscriptions in all the Azure Subscriptions you'd like to be handled by the Azure Function. As previously mentioned, you should consider including this template in a baseline Blueprint. Quickstart: Define and assign a blueprint in the portal
In order to deploy this template, you will need the Azure Function Resource Id from step #1 (which is output from the ARM template deployment).
In order to validate the setup is successful, create a Network Interface with a tag key matching the value supplied for the hostnameTagName parameter value. You should observe an A record added to the private DNS zone specified in the defaultPrivateDnsZone parameter value within a minute or two of successful NIC creation.
Delete the Network Interface and observe the A record is successfully removed.
You can also validate Private Endpoint functionality by creating a new Private Endpoint for one of the currently supported services. Upon successful Private Endpoint creation, you should observe an A record added to the private DNS zone aligned to the Azure service. For more information, please see: Azure Private Endpoint DNS Configuration
Deleting the Private Endpoint should result in the A record being removed from the private DNS zone.
This solution currently only supports the following Private Endpoints enabled Azure services:
- SQL DB (privatelink.database.windows.net)
- Azure Synapse Analytics (privatelink.database.windows.net)
- Storage Account / Blob (privatelink.blob.core.windows.net)
- Storage Account / Table (privatelink.table.core.windows.net)
- Storage Account / Queue (privatelink.queue.core.windows.net)
- Storage Account / File (privatelink.file.core.windows.net)
- Storage Account / Web (privatelink.web.core.windows.net)
- Data Lake File System Gen2 (privatelink.dfs.core.windows.net)
- Azure Cosmos DB / SQL (privatelink.documents.azure.com)
- Azure Cosmos DB / MongoDB (privatelink.mongo.cosmos.azure.com)
- Azure Cosmos DB / Cassandra (privatelink.cassandra.cosmos.azure.com)
- Azure Cosmos DB / Gremlin (privatelink.gremlin.cosmos.azure.com)
- Azure Cosmos DB / Table (privatelink.table.cosmos.azure.com)
- Azure Database for MySQL (privatelink.mysql.database.azure.com)
- Azure Database for MariaDB (privatelink.mariadb.database.azure.com)
- Azure Key Vault (privatelink.vaultcore.azure.net)
- Azure App Configuration (privatelink.azconfig.io)
- Azure Event Hub (privatelink.servicebus.windows.net)
- Azure Service Bus (privatelink.servicebus.windows.net)
- Azure Relay (privatelink.servicebus.windows.net)
- Azure WebApps (privatelink.azurewebsites.net)
- Azure Machine Learning (privatelink.api.azureml.ms)
Unsupported Private Endpoint enabled Azure Services:
- Azure Database for PostgreSQL (privatelink.postgres.database.azure.com)
- Azure Kubernetes Service - Kubernetes API (privatelink.{region}.azmk8s.io)
- Azure Search (privatelink.search.windows.net)
- Azure Container Registry (privatelink.azurecr.io)
- Azure Backup (privatelink.{region}.backup.windowsazure.com)
- Azure Event Grid / topic (privatelink.eventgrid.azure.net)
- Azure Event Grid / domain (privatelink.eventgrid.azure.net)
- Add outstanding Private Endpoint services.
- Remove private DNS entries when VMs are deallocated. Add DNS entries when VM is started.
Copyright 2020 Ryan Graham
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.