Multi-Tenant Private DNS Zone Management for Consistent DNS Name Resolution

Omer Cohen 65 Reputation points
2024-12-16T15:20:32.4633333+00:00

Current workflow

I'm hosting a platform where multiple consumers can share a single subscription and resource group. A user-facing API accepts a DNS name from consumers and in return creates a private DNS zone and a record, which is mapped to the private IP of the private endpoint deployed in the consumer's VNet. The goal is to create the DNS zone and record in a manner that preserves the DNS name, e.g. for the input lambda.amazonaws.com, a private DNS zone amazonaws.com and an A record lambda, mapped to the private-endpoint IP, will be created.

Demonstration of Issue

Assuming a consumer's request with the DNS name: lambda.amazonaws.com led to creation of the following resources:

  • Private-endpoint with private IP: 10.0.0.5 in the consumer's VNet.
  • Private DNS zone: amazonaws.com.
  • Record type A: lambda, mapped to private-endpoint IP.

A subsequent consumer (using the same resource group and subscription) provides an identical DNS name of the same service (lambda.amazonaws.com), however, the IP resolved by Azure (10.0.0.5) is most likely different than its own private-endpoint IP, due to existing private DNS zone: amazonaws.com.

Non-Compatible Approaches

  • Linking the second consumer's VNet to an existing private DNS zone will map the service to an unused private IP-address (from this consumer's standpoint), since the record name (lambda) is already taken and mapped to the private IP-address of another consumer's private-endpoint.
  • Private DNS zones' names are unique within the resource group, so a dedicated Private-DNS zone with the same domain name can't be created and linked to a consumer's VNet.
  • Creating private DNS zones with a name-scheme involving the VNet name is altering the resulting DNS name, e.g. private DNS zone of vnet-name-amazonaws.com with a record of lambda will result in the DNS name of lambda.vnet-name-amazonaws.com, altering the provided DNS name of: lambda.amazonaws.com.

I would appreciate your expertise with the matter,
Omer.
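The collision described above can be caught before anything is provisioned. The following is an added illustration, not code from the question or from Azure: it models the two constraints the question relies on (zone names are unique per resource group, and a record name is taken once inside a zone) so a platform API can refuse a second request whose name would silently resolve to another consumer's private endpoint. The `ResourceGroup`, `Zone` and `DnsConflict` names, and all VNet names and IP addresses, are constructed sample values.

```python
"""Simulation of Azure Private DNS name scoping for a pre-provisioning conflict check.

Added example, not code from the question or from Azure. It reproduces the
scoping rules the question describes: one zone per name within a resource
group, one A record per name within a zone, and resolution only from VNets
linked to the zone. All names and IP addresses below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def split_dns_name(fqdn: str) -> Tuple[str, str]:
    """Split 'lambda.amazonaws.com' into ('lambda', 'amazonaws.com').

    The leftmost label becomes the record name and the rest the private DNS
    zone, so joining zone and record gives back exactly the consumer's name.
    """
    labels = fqdn.strip(".").lower().split(".")
    if len(labels) < 2 or any(not lbl for lbl in labels):
        raise ValueError(f"need at least two non-empty labels: {fqdn!r}")
    return labels[0], ".".join(labels[1:])


class DnsConflict(Exception):
    """Request would reuse a record that already points at another consumer's endpoint."""


@dataclass
class Zone:
    name: str
    # record name -> (owning VNet, private endpoint IP)
    records: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    linked_vnets: Set[str] = field(default_factory=set)


@dataclass
class ResourceGroup:
    """Zone names are unique within a resource group (constructed model)."""
    zones: Dict[str, Zone] = field(default_factory=dict)

    def provision(self, fqdn: str, vnet: str, endpoint_ip: str) -> Zone:
        """Create zone + A record for a consumer, refusing cross-consumer reuse."""
        record, zone_name = split_dns_name(fqdn)
        zone = self.zones.setdefault(zone_name, Zone(zone_name))
        existing = zone.records.get(record)
        if existing is not None and existing != (vnet, endpoint_ip):
            owner_vnet, owner_ip = existing
            raise DnsConflict(
                f"{fqdn} already resolves to {owner_ip} (endpoint of {owner_vnet}); "
                f"linking {vnet} would route its traffic to another consumer's endpoint"
            )
        zone.records[record] = (vnet, endpoint_ip)
        zone.linked_vnets.add(vnet)
        return zone

    def link_only(self, zone_name: str, vnet: str) -> None:
        """The 'just link the VNet' approach from the question, kept for comparison."""
        self.zones[zone_name].linked_vnets.add(vnet)

    def resolve(self, fqdn: str, from_vnet: str) -> Optional[str]:
        """IP a host in `from_vnet` would receive for `fqdn`, or None if no linked zone answers."""
        record, zone_name = split_dns_name(fqdn)
        zone = self.zones.get(zone_name)
        if zone is None or from_vnet not in zone.linked_vnets:
            return None
        entry = zone.records.get(record)
        return entry[1] if entry else None


def demo() -> Dict[str, object]:
    """Walk through the two-consumer scenario with constructed values."""
    rg = ResourceGroup()
    rg.provision("lambda.amazonaws.com", vnet="vnet-consumer-a", endpoint_ip="10.0.0.5")
    try:
        rg.provision("lambda.amazonaws.com", vnet="vnet-consumer-b", endpoint_ip="10.1.0.7")
        second_accepted = True
    except DnsConflict:
        second_accepted = False
    rejected_view = rg.resolve("lambda.amazonaws.com", "vnet-consumer-b")
    # Naively linking consumer B anyway reproduces the misrouting the question describes.
    rg.link_only("amazonaws.com", "vnet-consumer-b")
    return {
        "consumer_a_sees": rg.resolve("lambda.amazonaws.com", "vnet-consumer-a"),
        "second_request_accepted": second_accepted,
        "consumer_b_sees_when_rejected": rejected_view,
        "consumer_b_sees_after_naive_link": rg.resolve("lambda.amazonaws.com", "vnet-consumer-b"),
    }


if __name__ == "__main__":
    print(demo())
```

The check is worth running in the API before any Azure call: a rejected request fails loudly, whereas the naive link at the end of `demo()` shows consumer B quietly receiving consumer A's endpoint address, which is the cross-consumer traffic path to avoid.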


Accepted answer
  1. Ganesh Patapati 2,825 Reputation points Microsoft Vendor
    2024-12-19T22:48:40.5066667+00:00

    Hello Omer Cohen

    We appreciate your patience!

    It seems like you're dealing with a complex scenario involving multiple consumers using the same DNS name but needing different private endpoint IPs.

    For example, suppose you have already created an A record 'www' in the zone 'contoso.com', pointing to the IP address '10.10.1.5' (the first record shown previously). To create the second record, you would add that record to the existing record set, rather than create an additional record set.

    The DNS standards don't permit multiple records with the same name for these types; therefore, these record sets can only contain a single record.

    NOTE: The Private DNS Zone is intentionally designed to function this way.

    As this is something which is not supported, we encourage customers to create a feedback item for this request on the feedback forum.

    Link: https://feedback.azure.com/d365community

    So that the Product team can prioritize your request.


    Hope this clarifies!

    If you have any further questions or need additional assistance in refining this approach, please let me know!

    If above is unclear and/or you are unsure about something add a comment below.

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    Regards,

    Ganesh

    1 person found this answer helpful.

0 additional answers
