
I am automating some process with Azure Private DNS Zone and Private Endpoint. I have encountered the Private DNS Zone Group resource. There is a REST API for this resource, here. But I couldn't find any documentation on the internet explaining the function of it. Nor could I find it on the portal.

Any idea about its function?

MoonHorse

4 Answers

Private DNS Zone Groups are a kind of link back to one or multiple Private DNS Zones. With this connection, an A-Record will automatically be created, updated or removed on the referenced Private DNS Zone depending on the Private Endpoint configuration.

This setting is analogous to the corresponding option during manual creation in the Azure Portal UI (portal screenshot not reproduced here).

The account that adds the PrivateDNSZoneGroup needs to have the following permission on the Private DNS Zone:

  • Microsoft.Network/privateDnsZones/join/action

Example Scenario:

Hub and Spoke architecture. The Hub has the Private DNS Zone, e.g. for PostgreSQL Server, with the name: privatelink.postgres.database.azure.com

Private Endpoints are created where the Service resides, e.g. a Spoke Subscription. The Private DNS Zone Group configuration on the Private Endpoint points to the Private DNS Zone in the Hub Subscription.

With this setup, A-Records within the Private DNS Zone are maintained automatically.

With Azure DevOps, your Service Connection / Service Principal needs the following permission on the Private DNS Zones in the Hub, e.g. via a Custom Role: Microsoft.Network/privateDnsZones/join/action

An ARM template would look similar to this:

{
  "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
  "apiVersion": "2021-03-01",
  "name": "[concat(parameters('privateEndpointName'),'/customdnsgroup')]",
  "location": "[parameters('location')]",
  "dependsOn": [
    "[parameters('privateEndpointName')]"
  ],
  "properties": {
    "privateDnsZoneConfigs": [
      {
        "name": "exampleConfig",
        "properties": {
          "privateDnsZoneId": "[parameters('privateDnsZoneResourceId')]"
        }
      }
    ]
  }
}

Additional Note: For me it only worked properly when the name of the Private DNS Zone was set to the official privatelink-FQDN of the specified resource. Otherwise, the A-Record was not automatically created.

Additional References

Christoph
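As an added example (not code from the answer above, the question, or Azure's own tooling), the following Python pre-flight covers the two things the answer says you must get right before deploying a zone group: the identity needs Microsoft.Network/privateDnsZones/join/action on the hub zone, and the zone-group resource must reference the zone by resource id. It parses the zone id, evaluates a role definition the way Azure RBAC does (Actions with wildcards, minus NotActions, case-insensitive), and emits a privateDnsZoneGroups resource in the same shape as the template above, using resourceId() in dependsOn. The subscription id, resource group, endpoint name and custom role are constructed sample values.

```python
"""Pre-deployment checks for a Private DNS Zone Group (added example, constructed data)."""
import json
import re
from fnmatch import fnmatchcase

# Permission the deploying identity needs on the Private DNS Zone (from the answer above)
JOIN_ACTION = "Microsoft.Network/privateDnsZones/join/action"

# Shape of a Private DNS Zone resource id; used to pull the zone name out of it
ZONE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/privateDnsZones/(?P<zone>[^/]+)$",
    re.IGNORECASE,
)


def parse_zone_id(zone_id: str) -> dict:
    """Split a Private DNS Zone resource id into subscription, resource group and zone name."""
    m = ZONE_ID_RE.match(zone_id)
    if not m:
        raise ValueError(f"not a Private DNS Zone resource id: {zone_id}")
    return m.groupdict()


def role_grants_join(role_definition: dict) -> bool:
    """True if the role's permissions allow the join action.

    Mirrors how Azure RBAC evaluates a permission block: an operation is allowed
    when it matches an entry in Actions (wildcards allowed) and is not matched
    by an entry in NotActions. Matching is case-insensitive.
    """
    op = JOIN_ACTION.lower()
    for perm in role_definition.get("permissions", []):
        allowed = any(fnmatchcase(op, a.lower()) for a in perm.get("actions", []))
        denied = any(fnmatchcase(op, n.lower()) for n in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def build_zone_group_resource(endpoint_name: str, zone_ids: list, group_name: str = "customdnsgroup") -> dict:
    """Build the privateDnsZoneGroups child resource for an ARM template.

    One privateDnsZoneConfigs entry per zone; the config name is derived from
    the zone name so several zones can be attached to the same endpoint.
    """
    configs = []
    for zone_id in zone_ids:
        zone = parse_zone_id(zone_id)["zone"]
        configs.append({
            "name": zone.replace(".", "-"),
            "properties": {"privateDnsZoneId": zone_id},
        })
    return {
        "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
        "apiVersion": "2021-03-01",
        "name": f"{endpoint_name}/{group_name}",
        # dependsOn via resourceId() rather than the bare endpoint name
        "dependsOn": [f"[resourceId('Microsoft.Network/privateEndpoints', '{endpoint_name}')]"],
        "properties": {"privateDnsZoneConfigs": configs},
    }


# ---- constructed sample input (hypothetical ids and role) -------------------
HUB_ZONE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hub-dns"
    "/providers/Microsoft.Network/privateDnsZones/privatelink.postgres.database.azure.com"
)

# A custom role as it would come back from the role-definition API (trimmed, constructed)
SAMPLE_ROLE = {
    "roleName": "Private DNS Zone Joiner",
    "permissions": [{
        "actions": ["Microsoft.Network/privateDnsZones/read", JOIN_ACTION],
        "notActions": [],
    }],
}


def preflight(endpoint_name: str, zone_ids: list, role_definition: dict) -> dict:
    """Fail early if the identity lacks join rights, otherwise return the resource."""
    if not role_grants_join(role_definition):
        raise PermissionError(f"role {role_definition.get('roleName')!r} lacks {JOIN_ACTION}")
    return build_zone_group_resource(endpoint_name, zone_ids)


if __name__ == "__main__":
    print(json.dumps(preflight("pe-pg-spoke1", [HUB_ZONE_ID], SAMPLE_ROLE), indent=2))
```

Run it with a role definition pulled from your tenant (for example the JSON of the custom role your DevOps service connection is assigned) and the hub zone's resource id; a PermissionError before deployment is cheaper than a failed zone-group write after the endpoint has already been created.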

Also interested in this as I have recently come across it.

It appears that in a hub/spoke implementation it allows the private DNS zones to be created once in the hub, e.g. privatelink.file.core.windows.net

The zone group configuration allows spoke accounts to register in this zone, rather than having a privatelink.file.core.windows.net zone in each spoke account.

With this configuration all name resolution goes via a central DNS lookup from the hub, e.g. if your org is connecting from on-prem then you can resolve names for private endpoints in spoke accounts.

Not sure why this configuration is only exposed through API though.

CPott

From Azure docs (https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#private-dns-zone-group):

If you choose to integrate your private endpoint with a private DNS zone, a private DNS zone group is also created. The DNS zone group is a strong association between the private DNS zone and the private endpoint that helps auto-updating the private DNS zone when there is an update on the private endpoint. For example, when you add or remove regions, the private DNS zone is automatically updated.

Previously, the DNS records for the private endpoint were created via scripting (retrieving certain information about the private endpoint and then adding it on the DNS zone). With the DNS zone group, there is no need to write any additional CLI/PowerShell lines for every DNS zone. Also, when you delete the private endpoint, all the DNS records within the DNS zone group will be deleted as well.

A common scenario for DNS zone group is in a hub-and-spoke topology, where it allows the private DNS zones to be created only once in the hub and allows the spokes to register to it, rather than creating different zones in each spoke.

Arman
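The quoted documentation describes the zone group as the replacement for a script that read the endpoint's DNS data and wrote records into the zone. As an added example (not part of this answer, the quoted docs, or any Azure SDK), here is that bookkeeping in Python: it takes a private endpoint's customDnsConfigs (the fqdn/ipAddresses pairs the resource exposes), works out which relative record names belong in a given privatelink zone, and computes the add/remove set that keeps the zone in sync with the endpoint, including the empty case that corresponds to deleting the endpoint. It also produces no record when the zone name is not the privatelink counterpart of the fqdn's public suffix, which models the situation Christoph's note describes. The endpoint document and IP addresses are constructed.

```python
"""Record bookkeeping a Private DNS Zone Group performs for you (added example, constructed data)."""

PRIVATELINK_PREFIX = "privatelink."


def record_name_in_zone(fqdn: str, zone_name: str):
    """Relative A-record name that `fqdn` gets inside `zone_name`, or None.

    The zone must be the privatelink.<public suffix> counterpart of the fqdn:
    'pg1.postgres.database.azure.com' in 'privatelink.postgres.database.azure.com'
    becomes the record 'pg1'. Any other zone name yields None, i.e. no record.
    """
    fqdn = fqdn.rstrip(".").lower()
    zone_name = zone_name.rstrip(".").lower()
    if not zone_name.startswith(PRIVATELINK_PREFIX):
        return None
    public_suffix = zone_name[len(PRIVATELINK_PREFIX):]
    if not fqdn.endswith("." + public_suffix):
        return None
    return fqdn[: -(len(public_suffix) + 1)]


def derive_a_records(private_endpoint: dict, zone_name: str) -> list:
    """A-records the endpoint contributes to the zone, from its customDnsConfigs."""
    records = []
    for cfg in private_endpoint.get("properties", {}).get("customDnsConfigs", []):
        name = record_name_in_zone(cfg["fqdn"], zone_name)
        if name is None:
            continue
        for ip in cfg.get("ipAddresses", []):
            records.append({"zone": zone_name, "name": name, "type": "A", "ip": ip})
    return records


def _key(record: dict) -> tuple:
    return (record["zone"], record["name"], record["ip"])


def reconcile(existing: list, desired: list) -> tuple:
    """(to_add, to_remove) that brings the zone's records in line with the endpoint.

    An endpoint whose configs are gone (deleted endpoint) produces only removals,
    matching the documented behaviour that its records are removed with it.
    """
    have = {_key(r): r for r in existing}
    want = {_key(r): r for r in desired}
    to_add = [want[k] for k in want if k not in have]
    to_remove = [have[k] for k in have if k not in want]
    return to_add, to_remove


# ---- constructed sample: a spoke endpoint for a PostgreSQL server -----------
HUB_ZONE = "privatelink.postgres.database.azure.com"

SAMPLE_ENDPOINT = {
    "name": "pe-pg-spoke1",
    "properties": {
        "customDnsConfigs": [
            {"fqdn": "pg-spoke1.postgres.database.azure.com", "ipAddresses": ["10.20.1.4"]},
        ]
    },
}

# What the endpoint looks like once it is gone: nothing left to publish
DELETED_ENDPOINT = {"name": "pe-pg-spoke1", "properties": {"customDnsConfigs": []}}


if __name__ == "__main__":
    wanted = derive_a_records(SAMPLE_ENDPOINT, HUB_ZONE)
    print("records to maintain:", wanted)
    print("after deletion (add, remove):", reconcile(wanted, derive_a_records(DELETED_ENDPOINT, HUB_ZONE)))
    print("zone with a non-privatelink name:", derive_a_records(SAMPLE_ENDPOINT, "postgres.internal"))
```

The point of the example is the failure mode as much as the happy path: a zone named anything other than the service's privatelink FQDN gives the reconciler nothing to publish, so the hub zone stays empty even though the zone group deployed without error.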

Azure Private DNS lets you handle name lookups in a private vnet or vwan, e.g. running mynetwork.local or something similar, typically to let your servers and services discover and find each other.

This is in contrast to a public zone, which is available to the internet and matches a formal domain name registration.

You can find documentation here: https://learn.microsoft.com/en-us/azure/dns/private-dns-overview

chrfrenning