Mastering Azure DNS Solutions - Part 2 - Private Resolver

Using Azure Private DNS Resolver PaaS within Azure.

As enterprises move more workloads into Azure, hybrid networking scenarios — where on-premises and cloud environments coexist — have become the norm. Reliable DNS name resolution across these environments is critical for application connectivity, security, and management.

Azure DNS Private Resolver was designed specifically to address this challenge, enabling seamless, secure DNS resolution between Azure and external environments — without deploying and managing your own DNS servers.

In this post, we’ll explore what Azure DNS Private Resolver is, its architecture, common use cases, and walk through how you can deploy it using both the Azure Portal and Bicep templates. A visual diagram will also help illustrate how DNS flows between environments.

What is Azure DNS Private Resolver?

Azure DNS Private Resolver is a fully managed, highly available service that allows you to:

  • Resolve DNS queries from Azure to external DNS servers (e.g., on-premises, third-party providers) via outbound endpoints and forwarding rules.
  • Accept DNS queries from on-premises networks into Azure to resolve private DNS zones hosted in Azure via inbound endpoints.

It essentially bridges Azure and external DNS infrastructures — without the need for self-hosted DNS forwarders, virtual appliances, or load balancers.

Core Architecture Components

Component           Purpose
Inbound Endpoints   Allow on-premises or external clients to query Azure Private DNS zones.
Outbound Endpoints  Enable Azure resources to forward DNS queries to on-premises or external DNS servers.
Forwarding Rules    Define domain-based rules to forward specific DNS queries to specific target servers.
Rulesets            Group multiple forwarding rules together for easier management and application across VNets.

Where is Azure DNS Private Resolver Most Useful?

  • Hybrid Cloud Environments: Connect DNS resolution between on-premises and Azure securely.
  • Custom DNS Scenarios: Integrate Azure workloads with third-party DNS providers (e.g., Infoblox, AWS Route53 Private Hosted Zones).
  • Simplified Management: Avoid running custom DNS virtual machines in Azure for forwarding or resolution.
  • Resilient Design: Azure manages high availability and scaling automatically.

Visualizing DNS Query Flows with Azure DNS Private Resolver

Here’s a simplified Mermaid flowchart that illustrates how DNS queries flow through the inbound and outbound endpoints:

flowchart TB
  subgraph OnPrem ["On-Premises Network"]
    Client["On-Prem Client (10.0.0.5)"]
    OnPremDNS["On-Prem DNS Server (10.0.0.2)"]
  end
  subgraph Azure ["Azure Virtual Network (VNet)"]
    VM1["Azure VM (10.1.0.4)"]
    PrivateDNS["Azure Private DNS Zone (internal.contoso.com)"]
    InboundEP["DNS Private Resolver - Inbound Endpoint"]
    OutboundEP["DNS Private Resolver - Outbound Endpoint"]
  end
  Client -- "Query: app.internal.contoso.com" --> InboundEP
  InboundEP -- "Resolves via Private DNS Zone" --> PrivateDNS
  VM1 -- "Query: contoso.com (external domain)" --> OutboundEP
  OutboundEP -- "Forwards query to On-Prem DNS" --> OnPremDNS
  OnPremDNS -- "Response" --> OutboundEP
  OutboundEP -- "Response" --> VM1

Deploying Azure DNS Private Resolver: Step-by-Step (Azure Portal)

Let’s walk through setting up a basic Private Resolver:

Step 1: Create DNS Private Resolver

  1. Go to the Azure Portal.
  2. Search for DNS Private Resolver and select + Create.
  3. Fill out the basics:
    • Resource Group: Choose or create a new one.
    • Name: e.g., myDNSResolver
    • Region: Must match your VNets.
  4. Click Next.

Step 2: Create an Inbound Endpoint

  • Name: inbound-endpoint
  • VNet: Select your Virtual Network.
  • Subnet: Choose a dedicated subnet (must be empty, e.g., dns-inbound-subnet).

This will allow on-premises clients to resolve Azure-hosted private domains.

Step 3: Create an Outbound Endpoint

  • Name: outbound-endpoint
  • VNet: Select the same (or another) Virtual Network.
  • Subnet: Choose another dedicated subnet (e.g., dns-outbound-subnet).

This will allow Azure resources to forward queries to external DNS servers.

Step 4: Create Forwarding Ruleset

  • Create a ruleset that includes a forwarding rule:
    • Domain name: e.g., corp.contoso.com
    • Target DNS servers: e.g., 10.0.0.2 (on-premises DNS IP)
    • Linked Outbound Endpoint: Select outbound-endpoint
    • Linked Virtual Network: Select the VNet you want this rule to apply to.

Step 5: Review and Create

  • Validate and deploy.

Bicep Deployment Example

Here’s a Bicep template to deploy a basic DNS Private Resolver with inbound and outbound endpoints:

@description('Name of the DNS Private Resolver')
param resolverName string = 'myDNSResolver'

@description('Resource Deployment Location')
param location string = resourceGroup().location

@description('Virtual Network Name')
param virtualNetworkName string = 'MyVNet'

@description('Subnet Name for the Inbound Endpoint')
param inboundSubnetName string = 'myDNSResolverInboundSubnet'

@description('Subnet Name for the Outbound Endpoint')
param outboundSubnetName string = 'myDNSResolverOutboundSubnet'

@description('Name of the DNS Forwarding Ruleset')
param forwardingRulesetName string = 'myForwardingRuleset'

@description('Name of the DNS Forwarding Rule')
param forwardingRuleName string = 'myForwardingRule'

@description('Domain Name for the Forwarding Rule')
param DomainName string = 'corp.contoso.com.' // Requires a TRAILING .

@description('Target DNS Servers for the Forwarding Rule')
param targetDNS array = [
  {
    ipAddress: '10.0.0.4' // IP address of my Azure DNS server
    port: 53 // UDP port used for DNS queries
  }
]

@description('Name of the Virtual Network Link')
param resolvervnetlink string = 'myVNetLink'

// Get the existing Virtual Network resource
resource vnet 'Microsoft.Network/virtualNetworks@2024-05-01' existing = {
  name: virtualNetworkName
}

// Get the existing Virtual Network Inbound & Outbound Subnets
resource inboundSubnet 'Microsoft.Network/virtualNetworks/subnets@2024-05-01' existing = {
  name: inboundSubnetName
  parent: vnet
}

resource outboundSubnet 'Microsoft.Network/virtualNetworks/subnets@2024-05-01' existing = {
  name: outboundSubnetName
  parent: vnet
}

// Create a DNS Private Resolver
resource dnsResolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: resolverName
  location: location
  properties: {
    virtualNetwork: {
      id: vnet.id
    }
  }
}

// Create Inbound and Outbound Endpoints
resource inboundEndpoint 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  name: 'inbound-endpoint'
  parent: dnsResolver
  location: location
  properties: {
    ipConfigurations: [
      {
        subnet: {
          id: inboundSubnet.id
        }
      }
    ]
  }
}

resource outboundEndpoint 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
  name: 'outbound-endpoint'
  parent: dnsResolver
  location: location
  properties: {
    subnet: {
      id: outboundSubnet.id
    }
  }
}

// Create DNS Forwarding Ruleset
resource fwruleSet 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
  name: forwardingRulesetName
  location: location
  properties: {
    dnsResolverOutboundEndpoints: [
      {
        id: outboundEndpoint.id
      }
    ]
  }
}

// Create a Virtual Network Link for the Forwarding Ruleset
resource resolverLink 'Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks@2022-07-01' = {
  parent: fwruleSet
  name: resolvervnetlink
  properties: {
    virtualNetwork: {
      id: vnet.id
    }
  }
}

// Add a Rule to the Forwarding Ruleset
resource fwRules 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = {
  parent: fwruleSet
  name: forwardingRuleName
  properties: {
    domainName: DomainName
    targetDnsServers: targetDNS
  }
}
ℹ️
The Forwarding Ruleset, its virtual network link and the rule at the end of this template can also be split out into a separate deployment or configured manually once the resolver and endpoints exist.
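The template above references an existing VNet and two existing subnets. Those subnets must be empty, dedicated to the resolver and delegated to Microsoft.Network/dnsResolvers, otherwise the endpoint deployment fails. The following Bicep is an added example, not part of the original template, that creates a VNet with both delegated subnets; the address prefixes and the delegation name are assumed values.

```bicep
@description('Virtual Network Name (matches the template parameter above)')
param virtualNetworkName string = 'MyVNet'

@description('Resource Deployment Location')
param location string = resourceGroup().location

@description('VNet address space (assumed value)')
param vnetAddressPrefix string = '10.1.0.0/16'

// One dedicated subnet per endpoint. Each must stay empty of other
// resources and be delegated to Microsoft.Network/dnsResolvers;
// /28 is the smallest size the service accepts. Prefixes are assumed.
var resolverSubnets = [
  {
    name: 'myDNSResolverInboundSubnet'
    prefix: '10.1.1.0/28'
  }
  {
    name: 'myDNSResolverOutboundSubnet'
    prefix: '10.1.2.0/28'
  }
]

resource vnet 'Microsoft.Network/virtualNetworks@2024-05-01' = {
  name: virtualNetworkName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [vnetAddressPrefix]
    }
    subnets: [for s in resolverSubnets: {
      name: s.name
      properties: {
        addressPrefix: s.prefix
        delegations: [
          {
            name: 'dnsResolverDelegation' // delegation name is assumed
            properties: {
              serviceName: 'Microsoft.Network/dnsResolvers'
            }
          }
        ]
      }
    }]
  }
}
```

Deploy this first (or in the same deployment with a dependency), then the resolver template can reference the two subnets by name as it does today; workload VMs belong in a separate, non-delegated subnet.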

Key Takeaways

  • Azure DNS Private Resolver is ideal for hybrid and multi-cloud name resolution.
  • Inbound Endpoints allow external systems to resolve Azure-hosted private zones.
  • Outbound Endpoints forward Azure DNS queries to external DNS servers based on rules.
  • Infrastructure as Code with Bicep makes deployments repeatable and scalable.

Learn More