Private DNS in Spoke vs Hub #187

Open
kunalbabre opened this issue Sep 27, 2023 · 1 comment

Comments

@kunalbabre (Contributor)

kunalbabre commented Sep 27, 2023

Review the Private DNS implementation: should it be in Hub vs Spoke as per LZ guidance?

@FunLow

FunLow commented Feb 12, 2024

As a suggestion, as this isn't getting clear to me through the documentation:

How should Application / Workload teams handle the creation of required DNS entries?

Assuming I have a hub-spoke network topology where the central hub is linked to all the Private DNS Zones and DNS is resolved using a central DNS server (e.g. Firewall, custom DNS server). In this scenario an application team / workload team wants to publish an application only internally for other application teams. The domain for the DNS entry looks like "myapp.stage.myorg.internal", part of the DNS zone "stage.myorg.internal".

Who is responsible for the creation of the DNS entry?
I would assume in general the platform team, but thinking about this, this means the application teams have to get in contact for almost each DNS entry (excluding the default Azure domains like azurewebsites.net and others). This also implies that the platform team has to manage a lot of DNS requests per day in larger organizations. Especially with resource types like Azure Kubernetes Service, where a deployment of a new endpoint is very easy, this sounds like a lot of effort. Also I wouldn't like to restrict the application team in something like their Dev environment, to allow them to create new applications published via DNS for testing purposes.

In case Workload Team is responsible:

Should each workload team manage its own DNS zone?
As in case the workload team is responsible, they might not be aware of other teams using the DNS zone, which could lead to a potential conflict between multiple teams trying to provision the same DNS entry in the same DNS zone. For that reason it sounds reasonable to create a DNS zone per spoke (application team) to prevent those conflicts. But how are they supposed to manage them if they should not be allowed to access the connectivity subscription by themselves?

In case Platform Team is responsible:
How is the workflow supposed to be between platform and workload team?
As all DNS entries have to be managed by the platform team, each workload team must send a request to the platform team for any DNS entry they require. This is time consuming and might result in failures due to communication in the organization.

Is there a way to automate provisioning of DNS entry requests?
I was thinking about something similar to the Firewall Manager, where an approval process can be used to create new firewall rules requested by certain workload teams.

In case I'm here at the wrong place, please guide me to the appropriate place. Thanks in advance.

Cheers
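One way to realise the "DNS zone per spoke" option raised above without giving the workload team access to the rest of the connectivity subscription: the platform team creates the zone in the connectivity subscription, links it to the hub VNet, and assigns the team the built-in Private DNS Zone Contributor role scoped to that single zone, so the team can manage its own records but nothing else. This Bicep is an added illustration, not code from the issue or from the project; the zone name is taken from the comment, while `hubVnetId`, `workloadTeamPrincipalId` and the record's IP address are assumed, constructed values.

```bicep
// Deployed by the platform team into a resource group of the connectivity subscription.
@description('Per-spoke zone, one per workload team to avoid record-name conflicts between teams.')
param zoneName string = 'stage.myorg.internal'

@description('Resource ID of the hub VNet (assumed parameter). Central resolvers in the hub query linked zones.')
param hubVnetId string

@description('Object ID of the workload team\'s Entra ID group (assumed parameter).')
param workloadTeamPrincipalId string

// Built-in role "Private DNS Zone Contributor": lets the assignee manage record sets,
// but not VNet links, other zones, or anything else in the subscription.
var privateDnsZoneContributor = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  'b12aa53e-6015-4669-85d0-8515ebb3ae7f'
)

resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: zoneName
  location: 'global'
}

// Link to the hub only; spokes resolve through the hub's central DNS server.
// registrationEnabled stays false so only deliberately created records appear.
resource hubLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'link-hub'
  location: 'global'
  properties: {
    virtualNetwork: {
      id: hubVnetId
    }
    registrationEnabled: false
  }
}

// Least-privilege delegation: the assignment's scope is the zone resource itself,
// not the resource group or subscription.
resource teamZoneRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(zone.id, workloadTeamPrincipalId, privateDnsZoneContributor)
  scope: zone
  properties: {
    roleDefinitionId: privateDnsZoneContributor
    principalId: workloadTeamPrincipalId
    principalType: 'Group'
  }
}
```

After this deployment the workload team can create records such as `myapp` in `stage.myorg.internal` from its own pipelines, while zone creation and VNet linking remain with the platform team.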
