Hi, I am currently trying to build https://learn.microsoft.com/en-us/azure/architecture/web-apps/app-service/architectures/baseline-zone-redundant in Terraform, but I keep running into this problem where the Application Gateway can't resolve the private DNS name of the private endpoint.
The NSGs are not the problem, since I opened all their ports for debugging purposes.
I tried creating a private DNS A record or adding a DNS resolver, but it didn't work.
#* Network
resource "azurerm_virtual_network" "the_network" {
  name                = module.naming.virtual_network.name
  location            = local.location
  resource_group_name = azurerm_resource_group.the_group.name
  address_space       = [local.vnet_prefixe]

  tags = {
    environment = terraform.workspace
  }
}

#* Subnets
resource "azurerm_subnet" "Application_Gateway_Subnet" {
  name                 = "Application_Gateway_Subnet"
  resource_group_name  = azurerm_resource_group.the_group.name
  virtual_network_name = azurerm_virtual_network.the_network.name
  address_prefixes     = [local.gateway_subnet_prefix]
}

resource "azurerm_subnet" "app_service_integration_subnet" {
  name                 = "app_service_integration_subnet"
  resource_group_name  = azurerm_resource_group.the_group.name
  virtual_network_name = azurerm_virtual_network.the_network.name
  address_prefixes     = [local.app_service_integration_subnet_prefix]

  # Regional VNet integration for App Service needs the subnet delegated to Microsoft.Web/serverFarms
  delegation {
    name = "webapp"

    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

resource "azurerm_subnet" "private_endpoints_subnet" {
  name                 = "private_endpoints_subnet"
  resource_group_name  = azurerm_resource_group.the_group.name
  virtual_network_name = azurerm_virtual_network.the_network.name
  address_prefixes     = [local.private_endpoints_subnet_prefix]
  # Not required for a private endpoint (private link does not use service endpoints); harmless but unnecessary
  service_endpoints    = ["Microsoft.Web"]
}

resource "azurerm_application_gateway" "network" {
  name                = module.naming.application_gateway.name
  resource_group_name = azurerm_resource_group.the_group.name
  location            = local.location

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = azurerm_subnet.Application_Gateway_Subnet.id
  }

  frontend_port {
    name = local.frontend_port_name
    port = 80
  }

  frontend_ip_configuration {
    name                 = local.frontend_ip_configuration_name
    public_ip_address_id = azurerm_public_ip.the_public_ip.id
  }

  # The backend is addressed by FQDN; the gateway resolves it with the DNS settings of the VNet it sits in
  backend_address_pool {
    name  = local.backend_address_pool_name
    fqdns = [module.the_web_app.endpoint_fqdn]
  }

  backend_http_settings {
    name                  = local.http_setting_name
    cookie_based_affinity = "Disabled"
    path                  = "/*"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 60
  }

  http_listener {
    name                           = local.listener_name
    frontend_ip_configuration_name = local.frontend_ip_configuration_name
    frontend_port_name             = local.frontend_port_name
    protocol                       = "Http"
  }

  request_routing_rule {
    name                       = local.request_routing_rule_name
    priority                   = 9
    rule_type                  = "Basic"
    http_listener_name         = local.listener_name
    backend_address_pool_name  = local.backend_address_pool_name
    backend_http_settings_name = local.http_setting_name
  }
}
# Web app module (presumably the one the root references as module.the_web_app; its endpoint_fqdn output is not shown)
resource "azurerm_service_plan" "the_plan" {
  name                = module.naming.app_service_plan.name
  resource_group_name = var.resource_group_name
  location            = var.location
  os_type             = "Linux"
  sku_name            = "P1v2"
}

resource "azurerm_linux_web_app" "the_app" {
  name                          = module.naming.app_service.name_unique
  resource_group_name           = var.resource_group_name
  location                      = var.location
  service_plan_id               = azurerm_service_plan.the_plan.id
  # Public access is off, so the only way in is the private endpoint below
  public_network_access_enabled = false

  site_config {
    application_stack {
      dotnet_version = "6.0"
    }
  }
}

# private endpoints
resource "azurerm_private_dns_zone" "dnsprivatezone" {
  name                = "privatelink.azurewebsites.net"
  resource_group_name = var.resource_group_name
}

# The zone only answers queries from VNets it is linked to; var.vnet_id must be the VNet hosting the gateway subnet
resource "azurerm_private_dns_zone_virtual_network_link" "dnszonelink" {
  name                  = "dnszonelink"
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.dnsprivatezone.name
  virtual_network_id    = var.vnet_id
}

resource "azurerm_private_endpoint" "privateendpoint" {
  name                = "${module.naming.private_endpoint.name}-webapp"
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.private_endpoints_subnet_id

  private_service_connection {
    name                           = "privateendpointconnection"
    private_connection_resource_id = azurerm_linux_web_app.the_app.id
    subresource_names              = ["sites"]
    is_manual_connection           = false
  }

  # Writes the <app>.privatelink.azurewebsites.net A record into the zone automatically
  private_dns_zone_group {
    name                 = "web-app-dns-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.dnsprivatezone.id]
  }
}
Update: using a VM in the VNet I can resolve the private endpoint DNS using the wireserver, but I can't do the same using the Application Gateway.
2 Answers
It appears you are facing challenges with Microsoft Azure Application Gateway not resolving the private DNS name of a private endpoint in your Terraform deployment. To address this:
DNS Configuration: Verify the private DNS zone settings and ensure correct registration of the private endpoint.
Network Security Groups (NSGs): Confirm that NSGs allow necessary traffic between the Application Gateway and private endpoint subnets.
Diagnostic Logs: Enable detailed diagnostic logs for the Application Gateway to identify potential issues.
Azure DNS: Ensure your virtual network is configured to use Azure DNS for name resolution.
For precise assistance, consult Azure documentation or consider seeking support from Azure experts.
To achieve DNS resolution for your Azure App Service with an Application Gateway in a Terraform-managed infrastructure, you need to focus on setting up the private endpoint of the App Service correctly through the Application Gateway. This example will show you how to create the required Azure resources such as the Application Gateway, Virtual Network, Private DNS Zone, and App Service, and how to link them properly for DNS resolution.
My configuration:
Deployment succeeded:
This setup allows the Application Gateway to securely send traffic to the Azure App Service over a private connection, solving the DNS resolution error for the private endpoint inside the Application Gateway. By linking the private DNS zone to the virtual network and creating a private endpoint for the App Service, DNS queries for the App Service are properly resolved, enabling the Application Gateway to reach the App Service without making it publicly available.
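The answer above describes the link between the private DNS zone and the VNet but its configuration screenshot did not survive, so here is an added example of the gateway-side Terraform that makes that link actually usable. It is not the poster's or the answerer's code. It assumes a single root module (the question splits the web app, zone and private endpoint into a child module) and reuses the question's resource names, locals and public IP; the probe name `webapp-probe` and link name `link-to-gateway-vnet` are illustrative. Three things matter: the `privatelink.azurewebsites.net` zone must be linked to the VNet that hosts the gateway subnet, because Application Gateway v2 resolves backend FQDNs with that VNet's DNS settings; the backend settings must send the App Service hostname as the `Host` header (App Service routes on it) and probe with the same host; and the gateway should depend on the zone link and the private endpoint so its first lookup of the FQDN already sees the private A record rather than the public one.

```hcl
# Added example, not code from the question or answers. Assumes the question's
# locals, azurerm_public_ip.the_public_ip, azurerm_linux_web_app.the_app,
# azurerm_private_dns_zone.dnsprivatezone and azurerm_private_endpoint.privateendpoint
# all live in this root module.

# Link the privatelink zone to the VNet that contains Application_Gateway_Subnet.
# Without this link the gateway's resolver never sees the private A record.
resource "azurerm_private_dns_zone_virtual_network_link" "gateway_vnet" {
  name                  = "link-to-gateway-vnet" # illustrative name
  resource_group_name   = azurerm_resource_group.the_group.name
  private_dns_zone_name = azurerm_private_dns_zone.dnsprivatezone.name
  virtual_network_id    = azurerm_virtual_network.the_network.id
  registration_enabled  = false
}

resource "azurerm_application_gateway" "network" {
  name                = module.naming.application_gateway.name
  resource_group_name = azurerm_resource_group.the_group.name
  location            = local.location

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = azurerm_subnet.Application_Gateway_Subnet.id
  }

  frontend_port {
    name = local.frontend_port_name
    port = 80
  }

  frontend_ip_configuration {
    name                 = local.frontend_ip_configuration_name
    public_ip_address_id = azurerm_public_ip.the_public_ip.id
  }

  # Use the app's public hostname: Azure DNS follows the CNAME to
  # <app>.privatelink.azurewebsites.net and answers from the linked private zone.
  backend_address_pool {
    name  = local.backend_address_pool_name
    fqdns = [azurerm_linux_web_app.the_app.default_hostname]
  }

  # Health probe that carries the backend hostname; otherwise App Service
  # answers 404 to the probe and the backend is reported unhealthy.
  probe {
    name                                      = "webapp-probe"
    protocol                                  = "Https"
    path                                      = "/"
    interval                                  = 30
    timeout                                   = 30
    unhealthy_threshold                       = 3
    pick_host_name_from_backend_http_settings = true
  }

  backend_http_settings {
    name                                = local.http_setting_name
    cookie_based_affinity               = "Disabled"
    port                                = 443
    protocol                            = "Https"
    request_timeout                     = 60
    pick_host_name_from_backend_address = true # Host header = app FQDN
    probe_name                          = "webapp-probe"
  }

  http_listener {
    name                           = local.listener_name
    frontend_ip_configuration_name = local.frontend_ip_configuration_name
    frontend_port_name             = local.frontend_port_name
    protocol                       = "Http"
  }

  request_routing_rule {
    name                       = local.request_routing_rule_name
    priority                   = 9
    rule_type                  = "Basic"
    http_listener_name         = local.listener_name
    backend_address_pool_name  = local.backend_address_pool_name
    backend_http_settings_name = local.http_setting_name
  }

  # Ensure the zone is linked and the A record exists before the gateway
  # performs its first resolution of the backend FQDN.
  depends_on = [
    azurerm_private_dns_zone_virtual_network_link.gateway_vnet,
    azurerm_private_endpoint.privateendpoint,
  ]
}
```

After `terraform apply`, `az network application-gateway show-backend-health --resource-group <rg> --name <gw>` shows the address the gateway resolved for the backend and whether the probe passes; it should be the private endpoint's address from the private endpoints subnet, not a public one. `az network private-dns record-set a list --resource-group <rg> --zone-name privatelink.azurewebsites.net` confirms the zone group wrote the record. If the gateway was deployed before the zone was linked, it may still hold the public answer; `az network application-gateway stop` followed by `start` forces a fresh lookup.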