Enabling Private DNS Zones with Internet Fallback

In this post, I’ll demonstrate how Private DNS Zones work with an Azure Storage Account and how a new feature, "Enable Fallback to Internet", might be of benefit. Whether this is relevant to you depends on your Azure environment and your specific use case, but consider the following:

The Scenario:

Let’s set the scene by creating a new Blob Storage Account called myblogdemostgacct.


Before creating any Private Endpoints, you can see that the Blob Storage Account resolves to a public IP address. This is the default behaviour for Storage Accounts and for various other Azure services that can be publicly accessed.

E.g. The public IP returned is: 20.60.72.161



Once you add a new Private Endpoint (PE), associate the PE with a Private Link DNS zone and link it to the Storage Account, you will see a new CNAME alias added to the resource.

E.g. myblogdemostgacct.privatelink.blob.core.windows.net

Now, in the previous example, the IP address resolved is still public, because I’m resolving the storage account from a workstation that uses my public Internet DNS servers, which have no awareness of any Private DNS Zones.


But if I resolve the storage account from within my Azure environment, where the Private DNS zone is linked to the same Virtual Network my virtual machine resides in, the storage account resolves to a private IP address. This is as intended, particularly if I want that virtual machine to access the storage account via its private IP address over Private Link.

E.g. 10.0.1.5


But what happens when you try to resolve this storage account from a different Azure environment, one that also has a Private DNS Zone for privatelink.blob.core.windows.net, but whose zone has no awareness of my newly created storage account and its private endpoint?

Uh oh, an NXDOMAIN result is observed, with no IP address (public or private) returned at all!


But let’s say I did want this second virtual machine to access the storage account on its public IP address. How can I make DNS work and allow a completely different Azure environment to resolve the storage account to its public IP address, so I can successfully connect to it?

Introducing Fallback to Internet

This is where a new setting that Microsoft recently made available comes into play. You can find it in the virtual network link settings of the desired Private DNS zone.

  • Select Virtual Network Links
  • Select “Enable fallback to internet”

After the change completes, resolve the Storage Account again from your second virtual machine and, look at that, the public IP is resolvable again, because the Private DNS zone can now fall back to the Internet for public DNS resolution.
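The four lookups walked through above (workstation, owner VNet, second VNet without and with fallback), as an added Python model that is not part of the original post: it mimics how Azure DNS answers a query from a VM whose VNet is linked to a Private DNS zone. The public records, the private IP and the `fallback_to_internet` switch are constructed stand-ins for the real zone contents and the “Enable fallback to internet” link setting.

```python
from dataclasses import dataclass, field

# Constructed view of public DNS once a private endpoint exists: the storage
# account's public name gains a CNAME to its privatelink alias (as in the post).
# Real public DNS adds a further CNAME hop to a cluster name; omitted here.
PUBLIC_DNS = {
    "myblogdemostgacct.blob.core.windows.net":
        ("CNAME", "myblogdemostgacct.privatelink.blob.core.windows.net"),
    "myblogdemostgacct.privatelink.blob.core.windows.net": ("A", "20.60.72.161"),
}

@dataclass
class PrivateZone:
    """A Private DNS zone as seen from a VNet linked to it."""
    name: str                                    # e.g. privatelink.blob.core.windows.net
    records: dict = field(default_factory=dict)  # fqdn -> private IP (A records)
    fallback_to_internet: bool = False           # "Enable fallback to internet" on the link

def resolve(fqdn, zones, public_dns=PUBLIC_DNS, depth=0):
    """Return the IP a VM in this VNet gets for fqdn, or None for NXDOMAIN."""
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    for zone in zones:
        if fqdn == zone.name or fqdn.endswith("." + zone.name):
            if fqdn in zone.records:
                return zone.records[fqdn]  # answered privately, over Private Link
            if not zone.fallback_to_internet:
                return None                # zone is authoritative, record missing: NXDOMAIN
            break                          # fallback enabled: try public DNS instead
    rec = public_dns.get(fqdn)
    if rec is None:
        return None
    rtype, value = rec
    return value if rtype == "A" else resolve(value, zones, public_dns, depth + 1)

STORAGE = "myblogdemostgacct.blob.core.windows.net"
ZONE = "privatelink.blob.core.windows.net"

def demo():
    """The four resolution outcomes walked through in the post."""
    alias = "myblogdemostgacct." + ZONE
    return {
        "workstation (no private zone)": resolve(STORAGE, []),
        "owner VNet (record present)": resolve(STORAGE, [PrivateZone(ZONE, {alias: "10.0.1.5"})]),
        "other VNet (no record)": resolve(STORAGE, [PrivateZone(ZONE)]),
        "other VNet + fallback": resolve(STORAGE, [PrivateZone(ZONE, fallback_to_internet=True)]),
    }

if __name__ == "__main__":
    for case, answer in demo().items():
        print(f"{case:30} -> {answer or 'NXDOMAIN'}")
```

Note the trade-off the model makes visible: without fallback a missing private record fails closed (NXDOMAIN), whereas with fallback the same name silently resolves to its public address, so a forgotten or mistyped private record sends traffic over the public endpoint instead of Private Link.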

Now, you might be asking yourself, why does this matter?

Let’s say you are attempting to access an external Azure Storage service hosted by one of your external partners or organisations that you interact with. The external partner also uses Private Endpoints within their environment and also has a Private DNS Zone called “privatelink.blob.core.windows.net”.

In addition to using private endpoints and private DNS zones in their own environment, they also whitelist public access to certain storage services so that selected external customers can access the storage account via its public IP.

This is where enabling Fallback to the internet on your own Private DNS zone of the same name would be useful.

Conclusion

Understanding how Private DNS Zones work and leveraging the “Enable Fallback to Internet” feature can significantly enhance your Azure environment’s flexibility and resilience.

By enabling this feature, you ensure that your resources can still be accessed via their public IP addresses when necessary, even if they are primarily configured to use private endpoints. This can be particularly beneficial in scenarios where you need to access external Azure services, or when dealing with multiple Azure environments that may not have full awareness of each other’s private DNS configurations.

As you continue to explore and implement Private DNS Zones in your Azure setup, keep in mind the potential use cases and benefits of enabling fallback to the internet. This feature not only provides a backup solution for DNS resolution but also enhances the overall accessibility and reliability of your Azure resources.

Stay tuned for future blog posts where we will delve into other use cases and advanced configurations for Private DNS Zones in Azure.
