Enterprise-Scale

Feature Request - Add Azure DNS Private Resolver

Open DevSecNinja opened this issue 3 years ago • 3 comments

Describe the solution you'd like

Microsoft recently GA'ed the Azure DNS Private Resolver service: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview. I would like to see this service as part of the Azure Landing Zone Architecture and as part of the Terraform Enterprise Scale module: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale.

Is that on the roadmap?

Thank you.

DevSecNinja, Nov 04 '22 08:11

Hey @DevSecNinja,

Thanks for raising this. It is indeed on our internal backlog (ADO WIT # 17235).

Could you expand on what you would like to see configurable and set as defaults in the portal accelerator, Terraform & Bicep implementations? This will help us shape the work to deliver what is really wanted from our customers 👍

Thanks

Jack

jtracey93, Nov 04 '22 09:11

Thanks @jtracey93 for the swift reply! Sure, let me suggest a few things:

  • For lab environments (e.g. users with Visual Studio Enterprise subscriptions), the service is a bit expensive. Therefore, I suggest having it disabled by default with an option to easily enable it on hubs. In terms of the Terraform ALZ module, the configuration could be similar to the Azure Firewall that can be deployed on the hub.
  • As a minimal configuration, an inbound DNS resolver endpoint should be defined with a subnet on the hub that needs to be provided. (Subnet should be created by the configuration based on the address prefixes defined by the user)
  • MVP features: creation of Azure DNS Private Resolver, inbound endpoints and outbound endpoints. Rulesets and network links can be added later.

Example Terraform config:

# Configure the connectivity resources settings.
locals {
  configure_connectivity_resources = {
    settings = {
      hub_networks = [
        {
          enabled = true
          config = {
            ...
            virtual_network_gateway = {
              ...
            }
            azure_firewall = {
              ...
            }
            azure_dns_private_resolver = {
              enabled = false
              config = {
                # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_resolver_inbound_endpoint
                inbound_endpoints = [
                  {
                    name                          = "Test"
                    address_prefixes              = []
                    private_ip_allocation_method  = "Dynamic" # Only dynamic is allowed atm
                  }
                ]
                # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_resolver_outbound_endpoint
                outbound_endpoints = [
                  {
                    name                          = "Test"
                    subnet_id                     = ""
                  }
                ]
              }
            }
          }
        }
      ]
    }

    location = "westeurope"
    tags     = null
  }
}

Curious to hear your thoughts. Hope this helps!

DevSecNinja, Nov 04 '22 10:11
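As an added example (not code from this issue, nor from the terraform-azurerm-caf-enterprise-scale module), the three bullets in the proposal above mapped onto plain azurerm resources: an enabled toggle that defaults to off, two delegated subnets created from user-supplied address prefixes, and the resolver with one inbound and one outbound endpoint. The resource group, hub VNet and resource names and the address prefixes are assumed values, not taken from the thread.

```hcl
# Added example, not part of the issue or the Enterprise-Scale module.
# Assumed inputs: an existing hub VNet and resource group, plus the address
# prefixes the user supplies for the two resolver subnets.
locals {
  dns_resolver_enabled = false                  # off by default, as proposed for lab subscriptions
  hub_resource_group   = "rg-hub-westeurope"    # assumed name
  hub_vnet_name        = "vnet-hub-westeurope"  # assumed name
  location             = "westeurope"
  inbound_prefixes     = ["10.100.8.0/28"]      # constructed value
  outbound_prefixes    = ["10.100.8.16/28"]     # constructed value
}

data "azurerm_virtual_network" "hub" {
  name                = local.hub_vnet_name
  resource_group_name = local.hub_resource_group
}

# Each endpoint needs its own subnet, delegated to Microsoft.Network/dnsResolvers,
# which prevents anything else from being placed in it. Both are derived from the
# user's prefixes rather than requiring a pre-existing subnet id.
resource "azurerm_subnet" "dns_inbound" {
  count                = local.dns_resolver_enabled ? 1 : 0
  name                 = "snet-dns-inbound"
  resource_group_name  = local.hub_resource_group
  virtual_network_name = data.azurerm_virtual_network.hub.name
  address_prefixes     = local.inbound_prefixes

  delegation {
    name = "Microsoft.Network.dnsResolvers"
    service_delegation {
      name    = "Microsoft.Network/dnsResolvers"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
    }
  }
}

resource "azurerm_subnet" "dns_outbound" {
  count                = local.dns_resolver_enabled ? 1 : 0
  name                 = "snet-dns-outbound"
  resource_group_name  = local.hub_resource_group
  virtual_network_name = data.azurerm_virtual_network.hub.name
  address_prefixes     = local.outbound_prefixes

  delegation {
    name = "Microsoft.Network.dnsResolvers"
    service_delegation {
      name    = "Microsoft.Network/dnsResolvers"
      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
    }
  }
}

resource "azurerm_private_dns_resolver" "hub" {
  count               = local.dns_resolver_enabled ? 1 : 0
  name                = "dnspr-hub-westeurope"
  resource_group_name = local.hub_resource_group
  location            = local.location
  virtual_network_id  = data.azurerm_virtual_network.hub.id
}

# Inbound: the private IP that on-premises or peered resolvers forward to.
resource "azurerm_private_dns_resolver_inbound_endpoint" "hub" {
  count                   = local.dns_resolver_enabled ? 1 : 0
  name                    = "in-hub"
  private_dns_resolver_id = azurerm_private_dns_resolver.hub[0].id
  location                = local.location

  ip_configurations {
    private_ip_allocation_method = "Dynamic" # the proposal notes only Dynamic is allowed
    subnet_id                    = azurerm_subnet.dns_inbound[0].id
  }
}

# Outbound: the source of conditional forwarding; rulesets and VNet links,
# deferred in the proposal above, would attach to this endpoint later.
resource "azurerm_private_dns_resolver_outbound_endpoint" "hub" {
  count                   = local.dns_resolver_enabled ? 1 : 0
  name                    = "out-hub"
  private_dns_resolver_id = azurerm_private_dns_resolver.hub[0].id
  location                = local.location
  subnet_id               = azurerm_subnet.dns_outbound[0].id
}

# Null while the feature is disabled, otherwise the address to register in
# on-premises conditional forwarders.
output "inbound_endpoint_ip" {
  value = local.dns_resolver_enabled ? azurerm_private_dns_resolver_inbound_endpoint.hub[0].ip_configurations[0].private_ip_address : null
}
```

Flipping `dns_resolver_enabled` to `true` creates every resource in one apply; the `count` pattern mirrors how the proposal suggests the feature should behave alongside the existing Azure Firewall toggle. Because the outbound endpoint forwards nothing until a forwarding ruleset is linked, enabling this minimal configuration only changes resolution for clients that are explicitly pointed at the inbound endpoint IP.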

Thanks, this does indeed help and will help shape the feature when we get to it in the coming months.

Thanks

Jack

cc: @krowlandson, @matt-FFFFFF, @JefferyMitchell for visibility when we get to the feature in the coming months

jtracey93, Nov 04 '22 11:11