Score:0

Same DNS names, private ip-addresses used over multiple AZURE Corporate Accounts

cn flag

Looking at the below: enter image description here

Here we see a single AZURE Corporate Account X. See "azsql1.database.windows.net". You can access that from on-prem.

What if for arguments sake I had a second AZURE env. configured exactly the same - AZURE Corporate Account Y, with "azsql1.database.windows.net".

It's theoretical, but I would like to know how the on-prem reolves this if one tries to use "azsql1.database.windows.net" for a connection report in say, Tableau, Spotfire?

I presume that in some way you need to tell which DNS Forwarder to use in which AZURE Corporate Account.

So, forgive me, but I understand basic DNS resolution stuff with internet bla bla bla, but not a networking expert.

Score:2
in flag

For other readers with the same question: See also Address to be used to access private ipaddress for AZURE resource from on-premise for some background information.

Before I start to answer a small correction to your question, as you wrote "... same DNS name". I think this is a misunderstanding, as the Azure Cosmos DB is a fully managed service, means PaaS and as such has unique names. In other words, it is impossible that two Azure Cosmos DB services will have the same DNS name. Still, I don't want to correct that in the question, but prefer the reference as part of the answer, as this is indeed a common misunderstanding. It all boils down to the way the name resolution of a hybrid solution is architected.

Resolving such a scenario is easy, by using unique DNS names (which is not a problem as CosmosDB is SaaS and as such has unique names) and to make sure that all the resources can be resolved.

Brief Answer

For each of your subscriptions under corporate account connected to on-premise via ExpressRoute or VPN, configure a Azure private DNS and a DNS forwarder, which is deployed within the same subnet. A Hub connects everything, including on-premise.

Long Answer

Hypothetic example (mission definition)

How it works is better to explain using an example.

Given the hypothetic corporate "NKOTB INC" has 3 departments:

  • Finance
  • IT
  • Marketing

Each department operates 2 Azure subscriptions, one for development, the other for production workload. So we have to deal with at least six subscriptions in total, to meet the requirements.

The network-related requirements are the following:

  • Every subscription needs to have connectivity to on-premise.
  • Every subscription may or may not use resources which are deployed using private links.
  • Because of legal restrictions, all resources within all subscriptions are currently deployed within region "East US".
  • It is planned to extend the business, eventually using other regions. Hence, this should be considered in the planning.

Implementation approach

Using this scenario, you may end up with at least 7 subscriptions:

  • dev-finance
  • prd-finance
  • dev-it
  • prd-it
  • dev-marketing
  • prd-marketing
  • Hub which connects to on-premise via VPN or ExpressRoute.

All six subscriptions needs to deploy a Azure private DNS and a DNS forwarder. Furthermore, all of them using a VNET which is peered to the central Hub-subscription. So eventually you will end up with this seven internal DNS domains:

  • dev.finance.eastus.azure.nkotb
  • prd.finance.eastus.azure.nkotb
  • dev.it.eastus.azure.nkotb
  • prd.it.eastus.azure.nkotb
  • dev.marketing.eastus.azure.nkotb
  • prd.marketing.eastus.azure.nkotb
  • hub.eastus.azure.nkotb

NKOTB inc - high level network connectivity overview

The Hub-subscription has a second set of DNS servers and forwarders configured. Only this set of DNS servers is aware of the other seven DNS forwarders deployed in the other domains, and responsible for name resolution of the Domain "eastus.azure.nkotb". All on-premise DNS servers are configured to forward all DNS requests for *.eastus.azure.nkotb to this set of DNS servers.

Example 1: internal DNS between a subscription and on premise

Given the finance team decides to deploy a database named "Alzheimer" within the production subscription, using a private link. So the internal DNS name (FQDN) for this database would be alzheimer.prd.finance.eastus.azure.nkotb. Thanks to the internal name resolution which is aligned across all subscriptions and also on-prem, this name could be resolved everywhere within corporate network.

How Example 1 works

  • A random client located on-premise is asking the local DNS server there to resolve alzheimer.prd.finance.eastus.azure.nkotb.
  • The local DNS server does not know the answer, but is configured to forward all requests for *.eastus.azure.nkotb to the the DNS forwarder deployed within the Hub-subscription, so he does. This DNS server is reachable (network-wise), as on-premise is connected to this hub subscription via ExpressRoute/VPN.
  • The DNS forwarder deployed within the hub subscription does not know the answer, but is aware of the DNS forwarder which is deployed in the production finance subscription, so the request is forwarded in this direction. This DNS server is reachable (network-wise), as both subscriptions have peered VNET's.
  • The DNS server and forwarder deployed in prd.finance.eastus.azure.nkotb can resolve the IP address of the database, and sends the answer back in the chain.
  • The client located on-premise receives the answer.
  • Each follow-up DNS request (within the TTL of the record) will be answered immediately from the local DNS server, as the answer has been cached.

Example 2: internal DNS between 2 subscriptions

Given the marketing team decides to deploy a database named "Ballyhoo" within the dev subscription, so the internal DNS name would be ballyhoo.dev.marketing.eastus.azure.nkotb. As the other database deployed by finance, this database can be resolved as well from on-prem. But in this scenario, the IT team collects some data within the IT dev subscription, which should be stored using ballyhoo.dev.marketing.eastus.azure.nkotb database. So this scenario describes how a DNS record can be resolved within 2 subscriptions.

How Example 2 works

  • The data collection app deployed in dev-IT subscription asks the local DNS resolver deployed within the same VNET for IP address of ballyhoo.dev.marketing.eastus.azure.nkotb.
  • The local DNS server does not know the answer, but is configured to forward all requests to the the DNS forwarder deployed within the Hub-subscription, so he does. This DNS server is reachable (network-wise), as both subscriptions have peered VNET's.
  • The DNS forwarder deployed within the hub subscription does not know the answer, but is aware of the DNS forwarder which is deployed in the dev marketing subscription, so the request is forwarded in this direction. This DNS server is reachable (network-wise), as both subscriptions have peered VNET's.
  • The DNS server and forwarder deployed in dev.marketing.eastus.azure.nkotb can resolve the IP address of the database, and sends the answer back in the chain.
  • The data collection app receives the answer.
  • Each follow-up DNS request (within the TTL of the record) will be answered immediately from the local DNS server, as the answer has been cached.

Notes

Your business contact in Azure usually helps to plan such scenarios, so you don't have to work out everything yourself. There are other important aspects to consider during the planning process, but space does not allow them to be outlined here. Realization: It usually helps if the network team is included in the process from the very beginning.

In general, I highly recommend to use the free Microsoft Learn for Azure to build up the necessary knowledge and skills. For your questions, the following courses would be adequate:

thebluephantom avatar
cn flag
Why could there not be azsql1.database.windows.net under 2 different AZURE corporate accounts? @Lutz Willek
thebluephantom avatar
cn flag
I am not sure the question is then answered entirely, but good stuff.
in flag
@thebluephantom See the answer and also [Learn how to manage database accounts in Azure Cosmos DB](https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-manage-database-account#:~:text=The%20name%20can%20only%20contain,3%2D44%20characters%20in%20length.&text=Select%20Core%20(SQL)%20to%20create,type%20of%20account%20to%20create.). Using this example: Because `database.windows.net` is appended to the name that you provide to create your URI, it must be a unique name. The name can only contain lowercase letters, numbers, and the hyphen character. It must be between 3-44 characters in length.
thebluephantom avatar
cn flag
Somehow I think we are talking at cross purposes.
in flag
It may be that I failed to fully understand your question, or that my answer is incomprehensible to you. I am sorry for that. What particular aspect makes you think that we are talking about two different things? This insight could be helpful to refine the answer.
thebluephantom avatar
cn flag
Lutz: I have to say I have a few clues, but this cloud stuff is all networking in your face that others used to do. Fine, but the architect community I am in is finding it hard to follow. It probably is that it is just hard to explain. For example look at my other question https://serverfault.com/questions/1076703/azure-extend-an-on-premises-network-using-multiple-vpns-and-vpn-gateway I think I get it, but not from the docs. I am re-reading your answer this morning
thebluephantom avatar
cn flag
my question is really whta to indicate in the connection for a product like tableau or spotfire when running from on-premise and whereby you could have 2 AZURE Accounts (own AD). How to indicate in the connection of those products. Given that if there are 2 Corp Accounts, in the example, you could have same DB name. That's it.
br flag
No you can’t. If you create a cosmos db in subscription A called foodb, no one, in any other subscription, can create a cosmos db named foodb. The name must be unique globally. Same thing with storage accounts.
thebluephantom avatar
cn flag
I think I might have erred on thing: DNS name must be unique. Which makes sense.
thebluephantom avatar
cn flag
Good answer for sure, but I think CosmosDB is PaaS.
in flag
@thebluephantom right! has been corrected
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.