
Linking 'privatelink.analysis.windows.net' Private DNS Zone Breaks Microsoft PowerBI When Private Endpoints Not Used

Open dburlinson opened this issue 2 years ago • 5 comments

Describe the bug

ALZ deployments currently create and link the following three private DNS zones for the Microsoft PowerBI service:

privatelink.analysis.windows.net
privatelink.pbidedicated.windows.net
privatelink.tip1.powerquery.microsoft.com

In a centralized hybrid DNS environment, this breaks the name resolution of the PowerBI service unless all the steps have been taken to enable private endpoint capability on the service as the DNS flows as follows:

app.powerbi.com -> app.privatelink.analysis.windows.net (Can't resolve)

When really, on a public network, it flows as follows:

app.powerbi.com -> app.privatelink.analysis.windows.net -> 997de1ee-c405-4364-8b90-eb6f601a6af2.trafficmanager.net -> app-pbi-wfe-australia-east-primary.pbi-wfe-australia-east-primary-ase.p.azurewebsites.net -> waws-prod-sy3-69a37625.sip.p.azurewebsites.windows.net

This problem is similar to https://github.com/Azure/Enterprise-Scale/issues/1017.

With other services, linking the Private Endpoint Private DNS zones is not an issue, but this zone causes unexpected behavior which is frustrating to customers and difficult to troubleshoot. Unless ALZ also implements PowerBI private endpoints, as detailed in https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-private-links, these DNS zones should either not be linked to the hub VNET or not created altogether.

Steps to reproduce

  1. Deploy ALZ
  2. Attempt to access app.powerbi.com via a web browser from a VM on a virtual network linked to the "privatelink.analysis.windows.net" Private DNS zone.

Screenshots

(image)

dburlinson avatar Oct 06 '23 07:10 dburlinson

Thanks @dburlinson for raising this, interested in @sitarant & @fguerri opinions and inputs here.

I suspect this behaviour for all zones if there are no A records in them for the target you are querying for, as you'll get an NXDOMAIN response because the privatelink.xxxx zone is authoritative for what's being queried.

For example, storage should behave the same from my understanding if trying to browse it from a VM that is in a vNet using the privatelink.xxxx DNS zones.

jtracey93 avatar Oct 06 '23 08:10 jtracey93
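The resolution behaviour discussed in the report above and in the comment above it can be shown with a small model of a VNet resolver. This is an added example, not code from the Enterprise-Scale repository or from any participant in the thread: a linked Private DNS zone is treated as authoritative for every name beneath it, so a query for a name in that zone either gets the zone's own record or NXDOMAIN, and never falls through to public DNS. The public CNAME chain is the one quoted in the issue; the final A record, the `10.1.2.3` endpoint address and the assumption that a configured private endpoint places an A record at `app.privatelink.analysis.windows.net` are constructed placeholders. The `shadowed_names` audit at the end generalizes the problem to any list of public names and any set of linked zones.

```python
"""Model of how a linked privatelink Private DNS zone shadows public names.

Constructed example (not from the ALZ project). It follows CNAME chains the
way a resolver on an Azure VNet would: names under a linked Private DNS zone
are answered only from that zone, everything else from the public view.
"""
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]   # (rrtype, rdata)
Zone = Dict[str, Record]   # owner name -> record

# Public DNS view. The CNAME chain is the one quoted in the issue; the final
# A record is a constructed RFC 5737 documentation address.
PUBLIC: Zone = {
    "app.powerbi.com": ("CNAME", "app.privatelink.analysis.windows.net"),
    "app.privatelink.analysis.windows.net":
        ("CNAME", "997de1ee-c405-4364-8b90-eb6f601a6af2.trafficmanager.net"),
    "997de1ee-c405-4364-8b90-eb6f601a6af2.trafficmanager.net":
        ("CNAME", "app-pbi-wfe-australia-east-primary."
                  "pbi-wfe-australia-east-primary-ase.p.azurewebsites.net"),
    "app-pbi-wfe-australia-east-primary."
    "pbi-wfe-australia-east-primary-ase.p.azurewebsites.net":
        ("CNAME", "waws-prod-sy3-69a37625.sip.p.azurewebsites.windows.net"),
    "waws-prod-sy3-69a37625.sip.p.azurewebsites.windows.net": ("A", "203.0.113.10"),
}

# The three zones the issue says ALZ links, with no records in them.
ALZ_PBI_ZONES_EMPTY: Dict[str, Zone] = {
    "privatelink.analysis.windows.net": {},
    "privatelink.pbidedicated.windows.net": {},
    "privatelink.tip1.powerquery.microsoft.com": {},
}

# Assumption: a configured Power BI private endpoint would populate the zone
# with a record for the name the public chain points at. The address is constructed.
ALZ_PBI_ZONES_WITH_ENDPOINT: Dict[str, Zone] = {
    "privatelink.analysis.windows.net": {
        "app.privatelink.analysis.windows.net": ("A", "10.1.2.3"),
    },
}


def in_zone(name: str, zone: str) -> bool:
    """True when `name` is the zone apex or a name beneath it."""
    return name == zone or name.endswith("." + zone)


def lookup(name: str, linked: Dict[str, Zone]) -> Tuple[str, Optional[Record]]:
    """One query as seen from a VNet. A linked zone is authoritative for its
    namespace: no matching record means NXDOMAIN, not a public fall-through."""
    for zone, records in linked.items():
        if in_zone(name, zone):
            rec = records.get(name)
            return ("NOERROR", rec) if rec else ("NXDOMAIN", None)
    rec = PUBLIC.get(name)
    return ("NOERROR", rec) if rec else ("NXDOMAIN", None)


def resolve(name: str, linked: Dict[str, Zone],
            max_hops: int = 8) -> Tuple[str, Optional[str], List[str]]:
    """Follow CNAMEs to an A record; return (status, address, names visited)."""
    trace = [name]
    for _ in range(max_hops):
        status, rec = lookup(name, linked)
        if status != "NOERROR" or rec is None:
            return status, None, trace
        rrtype, rdata = rec
        if rrtype == "A":
            return "NOERROR", rdata, trace
        name = rdata                      # CNAME: keep following
        trace.append(name)
    return "SERVFAIL", None, trace        # loop or chain too long


def shadowed_names(candidates: List[str],
                   linked: Dict[str, Zone]) -> List[Tuple[str, str]]:
    """Audit helper: public names whose CNAME chain lands inside a linked zone
    that holds no matching record. Returns (queried name, name that failed)."""
    broken = []
    for cand in candidates:
        status, _, trace = resolve(cand, linked)
        if status == "NXDOMAIN":
            broken.append((cand, trace[-1]))
    return broken


if __name__ == "__main__":
    for label, zones in (("no linked zones", {}),
                         ("ALZ zones, empty", ALZ_PBI_ZONES_EMPTY),
                         ("ALZ zones + endpoint", ALZ_PBI_ZONES_WITH_ENDPOINT)):
        status, addr, trace = resolve("app.powerbi.com", zones)
        print(f"{label:22} {status:8} {addr}  via {' -> '.join(trace)}")
    print("shadowed:", shadowed_names(["app.powerbi.com"], ALZ_PBI_ZONES_EMPTY))
```

Running the block prints the three outcomes side by side: the public chain ends at the constructed `203.0.113.10`, the empty linked zone stops the chain at `app.privatelink.analysis.windows.net` with NXDOMAIN, and the zone with a record answers from it. In a hybrid setup the same result appears whenever on-premises forwarders send the query to a VNet resolver that has the zone linked, which is why `shadowed_names` is worth running over every public name you expect clients to reach before linking a privatelink zone to the hub.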

Understand @jtracey93, but there are some Azure services which are likely to have private endpoints (App Service, Storage Accounts, etc.) and others which work a bit differently and are very unlikely to leverage them (PowerBI being one such service).

Will leave it with you and the team to decide if these zones should come out of ALZ or not...

dburlinson avatar Oct 11 '23 23:10 dburlinson

Surprised this has not bitten more people.

I came across this issue for a rather large company last year, we broke Power BI for everyone for over 24 hours until I was notified.

I'm wondering what else is impacted by blindly applying this in a Hybrid environment with all of the forwarders.

mundayn avatar Nov 10 '23 22:11 mundayn

@rozkurt more complicated one to tackle. Please investigate.

Springstone avatar Dec 18 '23 14:12 Springstone

@Springstone seems that your recent update on "ALZ-Policies-FAQ" provides sufficient information on that issue. With that in mind, do you think there is further action needed at this point, or is it safe to close this one?

CC: @jtracey93

rozkurt avatar Jan 12 '24 13:01 rozkurt

@rozkurt @dburlinson please follow the guidance here: ALZ Policies FAQ. Closing this issue as this Private DNS Zone requires additional configuration to function correctly, and this isn't something the ALZ team can fix.

Springstone avatar Apr 29 '24 07:04 Springstone