Last active
August 11, 2022 15:42
-
-
Save liamfoneill/f78698854d5dd23a9e6ab08ff044f38a to your computer and use it in GitHub Desktop.
Creates Azure Private DNS Zones for all of the Azure PaaS Services that (currently) support Private Endpoints. NOTE: For some services, like AKS the DNS Zones need to be regionalised so you will need 1 zone for each region. I have included North and West Europe as examples. If you are using DNS Servers to resolve these records you will also need…
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "azurerm_resource_group" "dnsprivatezones" { | |
| name = "connectivity-dnsprivatezones-001" | |
| location = "West Europe" | |
| tags = { | |
| "Usage" = "Azure Private DNS Zones for Private Endpoints" | |
| } | |
| } | |
| resource "azurerm_private_dns_zone" "azureautomation" { | |
| name = "privatelink.azure-automation.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "sqldatabase" { | |
| name = "privatelink.database.windows.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "blobstorage" { | |
| name = "privatelink.blob.core.windows.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "tablestorage" { | |
| name = "privatelink.table.core.windows.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "queuestorage" { | |
| name = "privatelink.queue.core.windows.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "filestorage" { | |
| name = "privatelink.file.core.windows.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "storageaccount" { | |
| name = "privatelink.web.core.windows.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "datalakegen2storage" { | |
| name = "privatelink.dfs.core.windows.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "cosmosdb_sql" { | |
| name = "privatelink.documents.azure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "cosmosdb_mongodb" { | |
| name = "privatelink.mongo.cosmos.azure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "cosmosdb_cassandradb" { | |
| name = "privatelink.cassandra.cosmos.azure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "cosmosdb_gremlindb" { | |
| name = "privatelink.gremlin.cosmos.azure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "cosmosdb_table" { | |
| name = "privatelink.table.cosmos.azure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "postgresql" { | |
| name = "privatelink.postgres.database.azure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "mysql" { | |
| name = "privatelink.mysql.database.azure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "mariadb" { | |
| name = "privatelink.mariadb.database.azure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "keyvault" { | |
| name = "privatelink.vaultcore.azure.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "search" { | |
| name = "privatelink.search.windows.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "container_registry" { | |
| name = "privatelink.azurecr.io" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "app_configuration" { | |
| name = "privatelink.azconfig.io" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "servicebus" { | |
| name = "privatelink.servicebus.windows.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "iothub" { | |
| name = "privatelink.azure-devices.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "eventgrid" { | |
| name = "privatelink.eventgrid.azure.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "appservices" { | |
| name = "privatelink.azurewebsites.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "azure_machine_learning" { | |
| name = "privatelink.api.azureml.ms" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "databricks" { | |
| name = "privatelink.notebooks.azure.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "signalR" { | |
| name = "privatelink.service.signalr.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "cognitiveservices" { | |
| name = "privatelink.cognitiveservices.azure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "azure_file_sync" { | |
| name = "privatelink.afs.azure.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "datafactory" { | |
| name = "privatelink.datafactory.azure.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "datafactory_portal" { | |
| name = "privatelink.azure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "redis" { | |
| name = "privatelink.redis.cache.windows.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "monitor_1" { | |
| name = "privatelink.monitor.azure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "monitor_2" { | |
| name = "privatelink.oms.opinsights.azure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "monitor_3" { | |
| name = "privatelink.ods.opinsights.azure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "monitor_4" { | |
| name = "privatelink.agentsvc.azure-automation.net" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "azurebackup_westeurope" { | |
| name = "privatelink.westeurope.backup.windowsazure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "azurebackup_northeurope" { | |
| name = "privatelink.northeurope.backup.windowsazure.com" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "aks_westeurope" { | |
| name = "privatelink.westeurope.azmk8s.io" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } | |
| resource "azurerm_private_dns_zone" "aks_northeurope" { | |
| name = "privatelink.northeurope.azmk8s.io" | |
| resource_group_name = azurerm_resource_group.dnsprivatezones.name | |
| } |
Nice!
We took a slightly different approach on the basis that new Private Endpoint DNS zones may be introduced later.
We wrote an ADO Pipeline that executes a PowerShell script to scrape the DNZ zones from https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns(!) into some JSON, and then pushes that into some Terraform that loops through to create any missing Private DNS zones (and assumes some specific regional zones where required). This runs on a schedule and has mostly worked so far.
It's a bit brittle as it depends on an expected structure of the page; it would be nicer if we could interrogate the Azure management API to discover the services that support Private Endpoints.
How do you get the aks resources, for example, to use the private DNS zone you created for AKS in this scenario vs the default of AKS creating a random private DNS zone per AKS instance?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Nice work!