We are pleased to announce the public preview of DNS Private Zones in all Azure Public cloud regions. This capability provides secure and reliable name resolution for your virtual networks in Azure. Private Zones was announced as a managed preview in fall of last year.
No more custom DNS server burden
Private Zones obviates the need to setup and manage custom DNS servers. You can bring DNS zones to your virtual network as you lift-and-shift applications to the Azure cloud, or if you are building Cloud-Native applications. You also have the flexibility to use custom domain names, such as your company’s domain name.
Name resolution across virtual networks and across regions
Private zones provide name resolution both within a virtual network and across virtual networks. You can have private zones not only span across virtual networks in the same region, but also across regions and subscriptions. This feature is available in all Azure Public cloud regions.
You can configure zones with a split-horizon view, allowing for a private and a public DNS zone to share the same name. This is a common scenario when you want to validate your workloads in a local test environment, before rolling out in production for broader consumption. To realize this scenario, simply configure the same DNS zone as both a public zone and private zone in Azure DNS. Now for clients in a virtual network attached to the zone, Azure will return the DNS response from the private zone, and for clients on the internet, Azure will return the DNS response from the public zone. Since name resolution is confined to configured virtual networks, you can prevent DNS exfiltration.
Dynamic DNS Registration
We are introducing two concepts to DNS zones with this update; Registration virtual networks and Resolution virtual networks. When you designate a virtual network as a Registration virtual network at the time of creating a private zone or later when you update the zone, Azure will dynamically register DNS A records in the private zone for the virtual machines within this virtual network and will keep track of virtual machine additions or removals within the virtual network to keep your private zone updated. This is without any work on your part.
You can also designate up to 10 virtual networks as Resolution virtual networks when creating or updating a private zone. Forward DNS queries will resolve against the private zone records from any of these virtual networks. There is no dependency or requirement that the virtual networks be peered for DNS resolution to work across virtual networks.
Azure DNS Private Zones also supports Reverse DNS queries for the private IP address space of the Registration virtual network.
Familiar Zone and record management
Private zone and record management is done using the same Azure DNS REST APIs, SDKs, PowerShell and CLI as for regular (Public) DNS zones. Portal support will soon follow.
We can’t wait for you to try out this capability! For more details please refer to our overview as well as some common scenarios that can be realized using this feature. You can also refer to our documentation on creating and managing private zones using PowerShell and Azure CLI. Please review our public FAQ for answers to the most frequent questions related to this feature.
As always, we love getting your feedback. You can submit your suggestions and feedback for this feature as well as future scenarios on our user voice channel. And stay tuned for more interesting updates in this space from Azure DNS!