Azure DNS Private Resolver Usage — Verification with details 3/3

Recap of previous paper

Before reading, please following 1st and 2nd paper.
We have achieved
1. “Facilitating name resolution from an on-premise environment to a resource hosted within a Private Endpoint.”

2. “Enabling name resolution from a spoke client to an on-premise resource.”
Therefore, we have now implemented the architecture as depicted in the following image:

Architecture encampassing 1st and 2nd in Agenda

To finalise and further enhance the utility of this architecture, we are now proceeding to exclusively utilise Azure Firewall for our networking needs.

3. “Exploring Azure Firewall forwarding and outbound traffic restriction as an alternative approach to utilizing the Azure DNS Private Resolver Inbound Endpoint.

In this section, you have the option to substitute the Azure DNS Private Resolver inbound endpoint with Azure Firewall DNS functionality. This approach can be particularly useful in scenarios where you aim to consolidate firewall capabilities within the Hub virtual network for simplified management and cost reduction.

By configuring the Firewall as a forwarder and additionally implementing an Azure Firewall policy to control outbound traffic for Azure MySQL with a Private Endpoint, while also using Azure Firewall as the DNS forwarder in the on-premise VM, you can achieve enhanced network security and control.
I followed「Microsoft Azure Well-Architected Framework」in this workload.

Attention
By configuring the Firewall as a forwarder, you can control outbound traffic for Azure MySQL with a Private Endpoint using an Azure Firewall policy. Additionally, using Azure Firewall as the DNS forwarder in the on-premise VM can enhance network security and control.

However, please note that there are specific configurations and considerations to be aware of when implementing this setup. For instance, Azure Firewall filters traffic using either FQDN in network rules for TCP and UDP protocols or FQDN in application rules for HTTP, HTTPS, and MSSQL. It’s recommended to use application rules over network rules when inspecting traffic destined to private endpoints in order to maintain flow symmetry.

Our goal architecture is illustrated in the following image:

Figure 3.1: The Objective of 3rd section

I’ve highlighted the changes in red to make them easier to identify.

Prerequisites:

• Azure SQL: To conveniently monitor both inbound and outbound traffic. After creating the Azure Firewall resource
• AzureFirewallSubnet — 10.0.1.0/26
• IP: 10.0.14 You can configure Azure Firewall to act as a DNS forwarder using the settings illustrated in the following image:

Azure Firewall DNS setting

To enable Private Endpoint VNet traffic to pass through Azure Firewall, you should attach a “User Defined Route” to the Gateway Subnet within the Hub VNet.

User Defined route

Now let’s move forward to set Azure Firewall Policy to control traffic.

In Application rule:

Azure Firewall Policy: Application rule

In the On-premise DNS server, we will change the master server to be Azure Firewall(10.0.1.4):

Conditional Forwarder setting

Then in Client VM in on-premise server, run the following command:

nslookup mysqlfordnstest.database.windows.net

You can make sure that a name resolution has successfuly completed:

Result

Additionally, to verify the functionality of your Azure Firewall, you can utilise Log Analytics for monitoring purposes. In the Azure Firewall Diagnostic Setting, please ensure that you configure it according to the settings depicted in the following image:

Azure Firewall Diagnostic Setting

Attention
Please ensure that the peering from the Private Endpoint VNet to the Hub allows for “Use remote virtual network gateway or route server.”

In the On-premise DNS server I used Microsoft SQL Server Management Studio to monitor the network traffic flow.

Connect to SQL server

We have got a connection from Azure MySQL server via Azure Firewall.
To make sure this flow works as we expected, I open AzureFirewall/Logs to use Log Analytics:

Azure Firewall DNS Proxy Logs

Azure Firewall Application Rule Logs

By leveraging DNS within the Firewall, you can effectively route MySQL outbound traffic through the Firewall and collect Logs.

Wrap up

We have thoroughly examined the Azure DNS Private Resolver functionality and contemplated the possibility of substituting the inbound endpoint to optimise Azure resources in terms of cost and management efficiency. Additionally, we have successfully obtained logs from Azure Firewall to verify its role as a DNS forwarder and its effectiveness in restricting outbound traffic from private resources.

Thank you for taking the time to read this documentation. If you have any questions or require further clarification, I am here to assist you. Your feedback and suggestions are highly appreciated.