Importing Azure Private Zones as Read/Write Forward Zones
By importing Azure private zones as forward zones, you can bring existing DNS configurations into your own account in the Cloud Services Portal and control their routing and management, while ensuring that changes made on the imported zones are reflected back to their original source. Queries for domains added as forward zones are forwarded by the NIOS-X Servers to an Azure private resolver inbound endpoint for resolution, so the most up-to-date data in Azure is always referenced.
The following diagram explains this feature:
Prerequisites
The following prerequisites must be met before importing Azure private zones:
At least one Azure private resolver inbound endpoint is configured. See Azure documentation for details.
The NIOS-X Server has network connectivity to the Azure subnet that hosts the inbound endpoint, for example through virtual network peering or a VPN connection, so that it can reach the endpoint on DNS port 53 (UDP and TCP).
The DNS service is up and running on the NIOS-X Server.
The credentials used to synchronize zones and records in Universal DDI need to include the following read-only permission (in addition to the standard roles required for Universal DDI discovery):
Microsoft.Network/dnsResolvers/inboundEndpoints/read
Configure Universal DDI to import Azure private zones as forward zones
A zone is marked as private if the external_providers_metadata field, which contains information about the VPC/VNet associated with the zone, is present. If the field is absent, the zone is marked as public. In other words, a zone that has no VPC/VNet associated with it is displayed as public on the Infoblox Portal, even if Azure considers it a private zone.
Complete the following steps to import Azure private zones as forward zones:
Go to Configure > Networking > Discovery > Cloud.
Click Create and select Azure.
Configure the Azure cloud provider details as required. When creating the Azure provider in Universal DDI, make sure that the Forward Only Zone checkbox is selected. Note that this setting is mutable: you can enable or disable Forward Only Zone on an existing provider at any time. Wait for the zones and records to sync (the provider status shows green / Synced).
Go to the DNS view, edit the desired private zone, and add the NIOS-X Server as an Authoritative DNS server.
To verify that the forward zone works, run a dig query using the NIOS-X Server as the DNS server, where oph_ip is the IP address of the NIOS-X Server:
# dig @oph_ip private_zone.example.com
The query is forwarded to the Azure private resolver inbound endpoint, and the answer returned by Azure is relayed back to the client. A NOERROR status with the expected records confirms the forwarding path. A SERVFAIL typically means the NIOS-X Server cannot reach the inbound endpoint; in that case, check the peering or VPN connection and that port 53 is allowed through to the endpoint.
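The following script is an added example and not part of the Infoblox documentation. It turns the manual dig check above into a repeatable verification: it parses the status and A-record answers from dig output, confirms that the NIOS-X Server and the Azure inbound endpoint return the same result, and distinguishes a forwarding failure (SERVFAIL from the NIOS-X Server) from an upstream failure (SERVFAIL from the inbound endpoint). The addresses, the zone name and the embedded dig outputs are constructed for offline demonstration; the live_compare function runs real dig queries when given a server and a name.

```shell
#!/bin/sh
# Added example (not Infoblox code). Verifies that a forward zone on a
# NIOS-X Server resolves identically to the Azure private resolver
# inbound endpoint it forwards to.

# Extract the dig status (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig output.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Extract A-record rdata from the ANSWER section, one per line, sorted so
# that differently ordered answers still compare equal.
dig_answers() {
    printf '%s\n' "$1" | awk '$0 !~ /^;/ && $4 == "A" { print $5 }' | sort
}

# Compare dig output from the NIOS-X Server ($1) with dig output from the
# Azure inbound endpoint ($2).
# Returns 0 if both are NOERROR with identical A records,
#         1 if the NIOS-X answer is not NOERROR (forwarding path broken),
#         2 if the inbound endpoint answer is not NOERROR (upstream broken),
#         3 if both answered but the records differ (stale or wrong data).
compare_resolution() {
    nios_out=$1
    az_out=$2
    [ "$(dig_status "$nios_out")" = "NOERROR" ] || return 1
    [ "$(dig_status "$az_out")" = "NOERROR" ] || return 2
    [ "$(dig_answers "$nios_out")" = "$(dig_answers "$az_out")" ] || return 3
    return 0
}

# Live check: live_compare <name> <nios_x_ip> <azure_inbound_ip>
# Requires dig and network reachability; not exercised by the offline samples.
live_compare() {
    compare_resolution "$(dig @"$2" "$1" A)" "$(dig @"$3" "$1" A)"
}

# Constructed sample outputs (addresses and names are placeholders).
SAMPLE_NIOSX='; <<>> DiG 9.18.1 <<>> @10.1.0.5 app.private_zone.example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;app.private_zone.example.com. IN A

;; ANSWER SECTION:
app.private_zone.example.com. 300 IN A 10.2.0.10'

SAMPLE_AZURE='; <<>> DiG 9.18.1 <<>> @10.2.0.4 app.private_zone.example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;app.private_zone.example.com. IN A

;; ANSWER SECTION:
app.private_zone.example.com. 300 IN A 10.2.0.10'

SAMPLE_SERVFAIL='; <<>> DiG 9.18.1 <<>> @10.2.0.4 app.private_zone.example.com
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;app.private_zone.example.com. IN A'

# Report the comparison result for the constructed samples.
if compare_resolution "$SAMPLE_NIOSX" "$SAMPLE_AZURE"; then
    echo "forward zone OK: NIOS-X answer matches Azure inbound endpoint"
else
    echo "forward zone check failed with code $?"
fi
```

Only A records are compared; extend dig_answers if the zone relies on other record types. When run live, a return code of 1 points at the NIOS-X forwarding configuration or the peering/VPN path, a 2 at the inbound endpoint itself, and a 3 at a sync or configuration mismatch between the two sources.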