Initial commit.

Author: phealy

README.md

@@ -0,0 +1,66 @@
+# Azure Custom DNS with forwarders example
+
+This repository will help set up Azure DNS to function in a hub and spoke model with private DNS zones and use of on-premises DNS resolvers.
+
+- [DNS Forwarding Virtual Machine Scale Set](#dns-forwarding-vmss)
+- [Azure Policy for Custom DNS](#azure-policy-for-custom-dns)
+
+## DNS Forwarding VMSS
+This ARM template deploys a virtual machine scale set consisting of 3 Ubuntu 18.04 VMs with dnsmasq installed and configured. It is deployed in a stateless configuration, so the VMs can automatically patch and self-heal in the event of a failed instance.
+
+### Deployment instructions
+1. Modify parameters.json as appropriate for your environment
+    - `vmssName`: name of the scaleset
+    - <details>
+      <summary>
+      <code>vnetId</code>: the full resource ID of the virtual network to use
+      </summary>
+      <ul>
+      <li>via <a href="https://portal.azure.com/">Azure Portal</a>: found in the properties blade of the virtual network</li>
+      <li>via <a href="https://docs.microsoft.com/en-us/cli/azure/">Azure CLI</a>: <code>az network vnet show --resource-group rg-hub-network-centralus --name vnet-hub-centralus-001 --query id -o tsv</code></li>
+      <li>via <a href="https://docs.microsoft.com/en-us/powershell/azure/">Azure PowerShell</a>: <code>Get-AzVirtualNetwork -ResourceGroupName rg-hub-network-centralus -Name vnet-hub-centralus-001 | Select-Object -ExpandProperty Id</code></li>
+      </ul>
+      </details>
+    - `subnetName`: the name of the subnet
+    - `stgAcctName`: the name of the storage account to use for boot diagnostics
+    - `sshUser`: the username to use for admin access via SSH
+    - `sshKey`: the public key to assign to `sshUser`
+2. Modify customData.json to appropriately set up dnsmasq
+   - add `server=/domain/nameserverIP` lines for each domain you want to forward to on-premises (if you have multiple nameservers, use one line per nameserver)
+   - if you have multiple domains to forward to the same nameserver, you can use the format `server=/domain1/domain2/nameserverIP`
+   - leave the last server line intact to forward any non-matching queries to Azure DNS: `server=168.63.129.16`
+3. Deploy the template
+    - <details>
+      <summary>
+      Using Azure CLI
+      </summary>
+      <pre><code>az deployment group create \
+        --resource-group rg-hub-dnsfwd-centralus \
+        --template-file template-vmss.json \
+        --parameters @parameters.json \
+        --parameters customData=@customData.yaml</code></pre>
+      </details>
+    - <details>
+      <summary>
+      Using Azure PowerShell
+      </summary>
+      <pre><code>New-AzResourceGroupDeployment `
+        -ResourceGroupName rg-hub-dnsfwd-centralus `
+        -TemplateFile .\template-vmss.json `
+        -TemplateParameterFile .\parameters.json `
+        -customData $(Get-Content .\customData.yaml -Raw)</code></pre>
+      </details>
+
+## Azure Policy for Custom DNS
+
+The two policies contained in this repository are useful when setting up Custom DNS in a hub and spoke network.
+
+### [privateDNShubLinkPolicyDeployINE.json](azure-policy/privateDNShubLinkPolicyDeployINE.json)
+This policy will automatically deploy a link from any private DNS zones in scope to the hub vnet where your DNS forwarders are running if one does not already exist. This is critical for having your DNS servers able to resolve private DNS zones in a spoke virtual network.
+
+### [vnetDNSServersAppend.json](azure-policy/vnetDNSServersAppend.json)
+This policy will ensure that all virtual networks deployed have the DNS servers set to the values specified so that DNS lookups forward to on-premises and private DNS zones correctly.
+
+## On-premises DNS setup
+
+Also provided is [a script](ad-dns/Add-AzureDNSFowarderZones.ps1) that will forward all currently used Azure Private Link DNS domains from an on-premises Active Directory DNS server to the forwarders deployed above. If you create custom private DNS zones in Azure, you will need to set your forwarding up in the same way if you want them resolvable from on premises.

ad-dns-script/Add-AzureDNSFowarderZones.ps1

@@ -0,0 +1,19 @@
+[CmdletBinding()]
+param (
+    [Parameter()]
+    [String[]]
+    $DNSForwarderIPs
+)
+
+$AzureDomains = @('api.azureml.ms','azconfig.io','azmk8s.io','azure-automation.net','azurecr.io','azure-devices.net','azurewebsites.net','backup.windowsazure.com','blob.core.windows.net','cassandra.cosmos.azure.com','cognitiveservices.azure.com','database.windows.net','dfs.core.windows.net','documents.azure.com','eventgrid.azure.net','file.core.windows.net','gremlin.cosmos.azure.com','mariadb.database.azure.com','mongo.cosmos.azure.com','monitor.azure.com','mysql.database.azure.com','postgres.database.azure.com','queue.core.windows.net','search.windows.net','service.signalr.net','servicebus.windows.net','table.core.windows.net','table.cosmos.azure.com','vault.azure.net','vaultcore.azure.net','web.core.windows.net')
+$DNSForwarderZones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq "Forwarder" }
+
+$AzureDomains | ForEach-Object { 
+    if ($_ -in $DNSForwarderZones.ZoneName) {
+        Write-Host "Updating DNS forwarder zone ${_}..."
+        Set-DnsServerConditionalForwarderZone -Name $_ -MasterServers $DNSForwarderIPs
+    } else {
+        Write-Host "Adding DNS forwarder zone ${_}..."
+        Add-DnsServerConditionalForwarderZone -Name $_ -MasterServers $DNSForwarderIPs -ReplicationScope Forest
+    }
+}

azure-policy/privateDNShubLinkPolicyDeployINE.json

@@ -0,0 +1,90 @@
+{
+  "properties": {
+    "displayName": "Private DNS - deployINE virtual network link",
+    "policyType": "Custom",
+    "mode": "All",
+    "description": "Automatically create a link to a selected virtual network when a private DNS zone is created. This is useful when DNS zones need to be linked to a hub virtual network where DNS forwarders have been deployed.",
+    "parameters": {
+      "virtualNetworkLinkName": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Virtual Network Link Name",
+          "description": "The name of the virtual network link to create"
+        }
+      },
+      "targetVnet": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Target virtual network",
+          "description": "The target virtual network for Private DNS zone connections"
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "equals": "Microsoft.Network/privateDnsZones"
+      },
+      "then": {
+        "effect": "deployIfNotExists",
+        "details": {
+          "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
+          "name": "[parameters('virtualNetworkLinkName')]",
+          "roleDefinitionIds": [
+            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
+          ],
+          "existenceCondition": {
+            "field": "Microsoft.Network/privateDnsZones/virtualNetworkLinks/virtualNetwork.id",
+            "equals": "[parameters('targetVnet')]"
+          },
+          "deployment": {
+            "properties": {
+              "mode": "incremental",
+              "template": {
+                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+                "contentVersion": "1.0.0.0",
+                "parameters": {
+                  "privateDNSZoneName": {
+                    "type": "string"
+                  },
+                  "virtualNetworkLinkName": {
+                    "type": "string"
+                  },
+                  "targetVnetId": {
+                    "type": "string"
+                  }
+                },
+                "resources": [
+                  {
+                    "name": "[concat(parameters('privateDNSZoneName'), '/', parameters('virtualNetworkLinkName'))]",
+                    "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
+                    "apiVersion": "2018-09-01",
+                    "tags": {},
+                    "location": "global",
+                    "properties": {
+                      "virtualNetwork": {
+                        "id": "[parameters('targetVnetId')]"
+                      },
+                      "registrationEnabled": false
+                    }
+                  }
+                ]
+              },
+              "parameters": {
+                "privateDNSZoneName": {
+                  "value": "[field('name')]"
+                },
+                "virtualNetworkLinkName": {
+                  "value": "[parameters('virtualNetworkLinkName')]"
+                },
+                "targetVnetId": {
+                  "value": "[parameters('targetVnet')]"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}

azure-policy/vnetDNSServersAppend.json

@@ -0,0 +1,56 @@
+{
+  "properties": {
+    "displayName": "Custom DNS management - set Virtual Network DNS servers",
+    "policyType": "Custom",
+    "mode": "All",
+    "description": "Custom DNS servers must be set to the AD DC IPs.",
+    "parameters": {
+      "customDNSServers": {
+        "type": "Array",
+        "metadata": {
+          "displayName": "Custom DNS servers",
+          "description": "The list of required custom DNS servers."
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Network/virtualNetworks"
+          },
+          {
+            "anyOf": [
+              {
+                "count": {
+                  "field": "Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]"
+                },
+                "notEquals": "[length(parameters('customDNSServers'))]"
+              },
+              {
+                "count": {
+                  "field": "Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]",
+                  "where": {
+                    "field": "Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]",
+                    "in": "[parameters('customDNSServers')]"
+                  }
+                },
+                "notEquals": "[length(field('Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers[*]'))]"
+              }
+            ]
+          }
+        ]
+      },
+      "then": {
+        "effect": "append",
+        "details": [
+          {
+            "field": "Microsoft.Network/virtualNetworks/dhcpOptions.dnsServers",
+            "value": "[parameters('customDNSServers')]"
+          }
+        ]
+      }
+    }
+  }
+}

vmss-dnsfwd/customData.yaml

@@ -0,0 +1,15 @@
+#cloud-config
+package_update: true
+packages:
+- dnsmasq
+write_files:
+- path: /etc/dnsmasq.conf
+  content: |
+    no-resolv
+    server=/mydomain.com/1.2.3.4
+    server=/mydomain.com/1.2.3.5
+    server=168.63.129.16
+runcmd:
+- [ systemctl, daemon-reload ]
+- [ systemctl, enable, dnsmasq.service ]
+- [ systemctl, start, --no-block, dnsmasq.service ]

vmss-dnsfwd/deployCommand

@@ -0,0 +1,5 @@
+az deployment group create \
+  --resource-group rg-hub-dnsfwd-centralus \
+  --template-file template-vmss.json \
+  --parameters @parameters.json \
+  --parameters customData=@customData.yaml

vmss-dnsfwd/parameters.json

@@ -0,0 +1,24 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "vmssName": {
+      "value": "vmss-dnsfwd-centralus-001"
+    },
+    "vnetId": {
+      "value": "/subscriptions/69924db1-a0fe-43f6-b1ad-86bb3248f4a1/resourceGroups/rg-hub-network-centralus/providers/Microsoft.Network/virtualNetworks/vnet-hub-centralus-001"
+    },
+    "subnetName": {
+      "value": "snet-dnsfwd-centralus-001"
+    },
+    "stgAcctName": {
+      "value": "pahealyhublogs"
+    },
+    "sshUser": {
+      "value": "azureuser"
+    },
+    "sshKey": {
+      "value": ""
+    }
+  }
+}

vmss-dnsfwd/template-vmss.json

@@ -0,0 +1,171 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "vmssName": {
+      "metadata": { "description": "Name of the virtual machine scale set" },
+      "type": "String"
+    },
+    "vnetId": {
+      "metadata": { "description": "Resource ID of the virtual network to deploy into" },
+      "type": "String"
+    },
+    "subnetName": {
+      "metadata": { "description": "Name of the subnet to use" },
+      "type": "String"
+    },
+    "stgAcctName": {
+      "metadata": { "description": "Name of the storage account to use for boot diagnostics" },
+      "type": "String"
+    },
+    "sshUser": {
+      "defaultValue": "azureuser",
+      "metadata": { "description": "SSH admin username" },
+      "type": "string"
+    },
+    "sshKey": {
+      "metadata": { "description": "SSH public key for admin access" },
+      "type": "String"
+    },
+    "customData": {
+      "metadata": { "description": "The custom-data.yaml file to use at build time" },
+      "type": "String"
+    }
+  },
+  "variables": {},
+  "resources": [
+    {
+      "type": "Microsoft.Compute/virtualMachineScaleSets",
+      "apiVersion": "2019-07-01",
+      "name": "[parameters('vmssName')]",
+      "location": "[resourceGroup().location]",
+      "sku": {
+        "name": "Standard_B1s",
+        "tier": "Standard",
+        "capacity": 3
+      },
+      "zones": [
+        "1",
+        "2",
+        "3"
+      ],
+      "properties": {
+        "singlePlacementGroup": false,
+        "upgradePolicy": {
+          "mode": "Automatic",
+          "rollingUpgradePolicy": {
+            "maxBatchInstancePercent": 20,
+            "maxUnhealthyInstancePercent": 20,
+            "maxUnhealthyUpgradedInstancePercent": 20,
+            "pauseTimeBetweenBatches": "PT0S"
+          },
+          "automaticOSUpgradePolicy": {
+            "enableAutomaticOSUpgrade": true,
+            "disableAutomaticRollback": false
+          }
+        },
+        "scaleInPolicy": {
+          "rules": [
+            "Default"
+          ]
+        },
+        "virtualMachineProfile": {
+          "osProfile": {
+            "computerNamePrefix": "dnsfwd-",
+            "customdata": "[base64(parameters('customData'))]",
+            "adminUsername": "[parameters('sshUser')]",
+            "linuxConfiguration": {
+              "disablePasswordAuthentication": true,
+              "ssh": {
+                "publicKeys": [
+                  {
+                    "path": "[concat('/home/',parameters('sshUser'),'/.ssh/authorized_keys')]",
+                    "keyData": "[parameters('sshKey')]"
+                  }
+                ]
+              },
+              "provisionVMAgent": true
+            },
+            "secrets": []
+          },
+          "storageProfile": {
+            "osDisk": {
+              "createOption": "FromImage",
+              "caching": "ReadWrite",
+              "managedDisk": {
+                "storageAccountType": "Premium_LRS"
+              },
+              "diskSizeGB": 30
+            },
+            "imageReference": {
+              "publisher": "Canonical",
+              "offer": "UbuntuServer",
+              "sku": "18.04-LTS",
+              "version": "latest"
+            }
+          },
+          "networkProfile": {
+            "networkInterfaceConfigurations": [
+              {
+                "name": "[concat(parameters('vmssName'), '-nic')]",
+                "properties": {
+                  "primary": true,
+                  "enableAcceleratedNetworking": false,
+                  "dnsSettings": {
+                    "dnsServers": []
+                  },
+                  "enableIPForwarding": false,
+                  "ipConfigurations": [
+                    {
+                      "name": "[concat(parameters('vmssName'), '-nic-defaultIpConfiguration')]",
+                      "properties": {
+                        "primary": true,
+                        "subnet": {
+                          "id": "[concat(parameters('vnetId'), '/subnets/', parameters('subNetName'))]"
+                        },
+                        "privateIPAddressVersion": "IPv4",
+                        "loadBalancerBackendAddressPools": []
+                      }
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          "diagnosticsProfile": {
+            "bootDiagnostics": {
+              "enabled": true,
+              "storageUri": "[concat('https://', parameters('stgAcctName'), '.blob.core.windows.net/')]"
+            }
+          },
+          "extensionProfile": {
+            "extensions": [
+              {
+                "name": "HealthExtension",
+                "properties": {
+                  "autoUpgradeMinorVersion": false,
+                  "publisher": "Microsoft.ManagedServices",
+                  "type": "ApplicationHealthLinux",
+                  "typeHandlerVersion": "1.0",
+                  "settings": {
+                    "protocol": "tcp",
+                    "port": 53
+                  }
+                }
+              }
+            ]
+          },
+          "priority": "Regular"
+        },
+        "overprovision": true,
+        "doNotRunExtensionsOnOverprovisionedVMs": false,
+        "zoneBalance": false,
+        "platformFaultDomainCount": 1,
+        "automaticRepairsPolicy": {
+          "enabled": false,
+          "gracePeriod": "PT30M"
+        }
+      }
+    }
+  ]
+}