
I set up an Azure Database for PostgreSQL flexible server instance with private access (VNet Integration). It is mandatory to provide a Private DNS Zone, which I did. After successfully creating the instance you can find a record inside that Private DNS Zone with a (generated?) name like a13af2aa1234 that points to the private IP of the instance.

Is there a link like This record name belongs to this PostgreSQL instance name that reveals the correlation?

I don't get why it seems to be generated, as the PostgreSQL instance name itself already must be unique (they prepend that name to postgres.database.azure.com as the DNS name).

Edit: If I add a second instance I have two entries in the private DNS zone.


How do I know which record belongs to which instance?

cmoetzing

3 Answers


Is there a link like "This record name belongs to this PostgreSQL instance name"?

Yes, it's interrelated to VNet and DNS zone integration, where we allow the traffic.


VNet subnet range.

Private DNS zone integration is required to connect to your Flexible Server in a virtual network using the server name (fully qualified domain name). The DNS records for the server name will be updated automatically in case the IP address of your Flexible Server changes.

Replicated the same scenario.


Refer to this tutorial for more information.

Swarna Anipindi
  • Thanks for the detailed answer, but it does not answer my question. If I add a second instance of Azure Database for PostgreSQL flexible server I will get a second entry in the private DNS zone. Now I have two entries with a random record name and I do not know which of these belongs to which instance. – cmoetzing Jan 30 '23 at 08:44
  • Both entries under the DNS zone relate to subnet IP ranges of the VNet. One entry will be created at the time of DNS Zone creation; another one, if we add a new IP address manually, will be populated with respect to the subnet IP ranges. See this https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/dns-configuration-patterns-for-azure-database-for-postgresql/ba-p/2560287 – Swarna Anipindi Jan 30 '23 at 09:02
  • _Both entries under the DNS zone relate to subnet IP ranges of the VNet_ **yes**. _One entry will be created at the time of DNS Zone creation; another one, if we add a new IP address manually, will be populated with respect to the subnet IP ranges_ **no**: I create the Private DNS Zone manually. Then I create two instances of Postgres pointing to that manually created zone. Now I will get two records with random names. Each record has the IP of **one** of the instances. The question always was: which record belongs to which instance? – cmoetzing Jan 30 '23 at 10:32
  • Use this command in PowerShell to verify which IP it was consuming: "Test-NetConnection -ComputerName <*****postgres.database.azure.com>". It's already mentioned in the above-mentioned link under "Access from another VNET using peering." – Swarna Anipindi Jan 30 '23 at 10:46
  • I appreciate your creativity @SwarnaAnipindi, but this does not answer my question. I am looking for a link between the record and the instance on a configuration level, like an App Service App knows to which App Service Plan it belongs by providing a link in the console overview. I do not use Windows, so PowerShell is not an option, and going through the DNS is a technical way (matching the IP to the record). I want to stay on the configuration level. The answer may well be _Does not exist_. – cmoetzing Jan 30 '23 at 12:26
  • Refer to this tutorial https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking#private-access-vnet-integration. An A record (Address Record) points a domain or subdomain to an IP address. For example, an A Record is used to point a logical domain name, such as "google.com," to the IP address of Google's hosting server, 74.125.224.147. Refer to this for details: https://www.bluehost.com/help/article/dns-records-explained. –  Feb 01 '23 at 06:04

The link you are looking for can actually be found in Azure DNS.

You are never supposed to use the cryptic hex DNS names in your private DNS zone. Instead, use the FQDN of your database as shown in the portal or with az cli.

Assume you have an Azure PostgreSQL Flexible Server my-server in resource group example, and your private Azure DNS zone is my-zone.postgres.database.azure.com.

Run

 % az postgres flexible-server show -n my-server  -g example -o json --query 'fullyQualifiedDomainName'
"my-server.postgres.database.azure.com"

to get the FQDN.

Note: nowhere in the output of az postgres flexible-server show are you going to find that hex-gibberish DNS name that was created in your private zone.

However, if you look up your flexible server FQDN, for example with the host command, you will find that it is an alias for the entry in your private DNS zone.

# host my-server.postgres.database.azure.com
my-server.postgres.database.azure.com is an alias for de12af34.my-zone.postgres.database.azure.com.
de12af34.my-zone.postgres.database.azure.com has address 10.10.0.4

So here's the link between your flexible server and the cryptic DNS entry in your private zone. But the best thing is, you don't really need to worry about this link. Just use your flexible server's FQDN and you're set.

NOTE: when using PostgreSQL flexible servers with delegated VNETs and private DNS zones, the FQDN can only be looked up from within Azure.

acm073
  • Everything else in Azure has neat connections in the state stored in CLI/Terraform. I consider the DNS records resources that were created based on the commands. So I wonder: why is there no configurational connection? As you already mentioned, I need DNS name resolution in place where I really don't need it, in my opinion. – cmoetzing Jul 19 '23 at 18:52
  • And it is not discoverable through Azure web portal. I always need additional tools. – cmoetzing Jul 19 '23 at 18:55

It seems that when the PostgreSQL Flexible server is created within a virtual network with a private DNS zone, the "server name" that you can see in the Azure portal will respond with the private IP.

tldr: just use the {server_name}.postgres.database.azure.com name and it will resolve to the private IP of the private DNS zone.


What happens in practice is that the above name has an NS record that points to the "hex" private zone record:

> dig {server_name}.postgres.database.azure.com NS +short
e4f33bc2df77.{server_name}.private.postgres.database.azure.com.

Resolving the domain (the one without private in it) leads you to the "hex" domain with a CNAME and then to the actual IP address.

> dig {server_name}.postgres.database.azure.com

...

;; ANSWER SECTION:
{server_name}.postgres.database.azure.com. 26 IN CNAME e4f33bc2df77.{server_name}.private.postgres.database.azure.com.
e4f33bc2df77.{server_name}.private.postgres.database.azure.com. 26 IN A 10.0.1.4

...

If this is documented somewhere, I don't know where that is, though.

mcont
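The last two answers both arrive at the same mechanism: the server FQDN is a CNAME to the hex-named record in the private zone, and only that record carries the private IP. The following script is an added example, not part of any answer and not Azure tooling; it automates that cross-reference so you get a server-to-record table (and a list of records no server points at, which is what a leftover record from a deleted server looks like). All server names, zone names, record labels and IPs are constructed sample data; in a live run they would come from `az postgres flexible-server list` (fullyQualifiedDomainName), `az network private-dns record-set a list` (record names and IPs), and `dig +short CNAME` run from inside the VNet, as the answer above notes the FQDN does not resolve from outside Azure.

```python
"""Link Azure PostgreSQL flexible servers to the hex-named A records in a
private DNS zone by following the CNAME chain shown in the answers above.

Added example (not from the answers, not Azure tooling). All names and
addresses below are constructed sample data.
"""
import subprocess
from typing import Callable, Dict, Optional, Tuple

# Constructed sample: server name -> fullyQualifiedDomainName, as
# `az postgres flexible-server list -g <rg>` would report it.
SAMPLE_SERVERS = {
    "my-server": "my-server.postgres.database.azure.com",
    "my-server2": "my-server2.postgres.database.azure.com",
}

SAMPLE_ZONE = "my-zone.postgres.database.azure.com"

# Constructed sample: record label -> IPv4, as `az network private-dns
# record-set a list -g <rg> -z <zone>` would report it. The third record
# is a deliberate leftover that no server resolves to.
SAMPLE_ZONE_RECORDS = {
    "de12af34": "10.10.0.4",
    "a13af2aa1234": "10.10.0.5",
    "ffee0011": "10.10.0.9",
}

# Constructed sample: what `dig +short CNAME <fqdn>` answers inside the VNet.
SAMPLE_CNAMES = {
    "my-server.postgres.database.azure.com": "de12af34.my-zone.postgres.database.azure.com.",
    "my-server2.postgres.database.azure.com": "a13af2aa1234.my-zone.postgres.database.azure.com.",
}


def record_label(cname_target: str, zone: str) -> Optional[str]:
    """Return the record label if the CNAME target is one label below `zone`, else None.

    'de12af34.my-zone.postgres.database.azure.com.' -> 'de12af34'
    """
    target = cname_target.rstrip(".").lower()
    suffix = "." + zone.rstrip(".").lower()
    if not target.endswith(suffix):
        return None  # points into some other zone: not our private zone record
    label = target[: -len(suffix)]
    if not label or "." in label:
        return None  # apex or deeper sub-label: not the flat record the service creates
    return label


def map_servers_to_records(
    servers: Dict[str, str],
    zone: str,
    zone_records: Dict[str, str],
    resolve_cname: Callable[[str], Optional[str]],
) -> Tuple[Dict[str, Tuple[str, str]], Dict[str, str]]:
    """Return (server -> (record label, ip), orphan records nobody points at)."""
    linked: Dict[str, Tuple[str, str]] = {}
    claimed = set()
    for server, fqdn in servers.items():
        target = resolve_cname(fqdn)
        label = record_label(target, zone) if target else None
        if label is None or label not in zone_records:
            continue  # no CNAME into this zone: public server, or a different zone
        linked[server] = (label, zone_records[label])
        claimed.add(label)
    orphans = {lbl: ip for lbl, ip in zone_records.items() if lbl not in claimed}
    return linked, orphans


def dig_cname(fqdn: str) -> Optional[str]:
    """Live resolver using `dig +short CNAME`; only meaningful from inside the VNet."""
    out = subprocess.run(["dig", "+short", "CNAME", fqdn], capture_output=True, text=True, check=False)
    lines = out.stdout.strip().splitlines()
    return lines[0] if lines else None


if __name__ == "__main__":
    # Offline run on the constructed data; pass dig_cname and real az output for a live check.
    linked, orphans = map_servers_to_records(SAMPLE_SERVERS, SAMPLE_ZONE, SAMPLE_ZONE_RECORDS, SAMPLE_CNAMES.get)
    for server, (label, ip) in linked.items():
        print(f"{server:12} -> {label}.{SAMPLE_ZONE} ({ip})")
    for label, ip in orphans.items():
        print(f"orphan record: {label}.{SAMPLE_ZONE} ({ip}) - no flexible server resolves to it")
```

The only Azure-specific knowledge the script relies on is the CNAME hop the answers observed; the record label is recovered by stripping the zone suffix, so it also works for the `{server_name}.private.postgres.database.azure.com` style zone shown in the last answer if you pass that zone name. An orphan in the output is worth checking before reusing the zone: the IP it holds may be reassigned to something else in the subnet.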