Private DNS with Red Hat Ansible Automation Platform on Microsoft Azure


Red Hat Ansible Automation Platform on Microsoft Azure uses Azure's managed DNS services when deployed. To resolve private DNS records that are not publicly resolvable, you can either link Azure Private DNS Zones to the managed application's VNET, or submit a support request to Red Hat listing the DNS zones that should be forwarded to a customer-managed private DNS server.

When using private DNS servers, Red Hat only supports fully qualified domain names (FQDNs) for hosts served by the customer-managed private DNS server; short names that rely on search suffixes are not supported, for security reasons.

Azure Private DNS Zones

Azure Private DNS Zones are the preferred way to make custom DNS records resolvable from Red Hat Ansible Automation Platform on Microsoft Azure. For each private DNS zone linked to the Red Hat Ansible Automation Platform on Microsoft Azure VNET, lookups for names within that zone are answered from the private zone first. If the record is not found there, the query falls through to Azure DNS to find a matching record.

Azure Private DNS Zones are a native Azure service configured by the customer, so you can add, edit, and remove zones and records without contacting Red Hat.

A limitation of Private DNS Zones is that only one zone of a given name may be linked to a Virtual Network. Customers therefore run into a conflict when attempting to link a zone whose name matches a Private DNS Zone already present in the managed resource group. Microsoft recommends consolidating DNS records into a single zone to work around this limitation: replicate the records from the zone in the managed resource group into your own instance of the Private DNS Zone, unlink the managed resource group's zone from the Virtual Network, and link your instance in its place. Keep the replicated records current, because missing or stale records in the Private DNS Zone may prevent the managed application from operating.

The AKS private DNS zone cannot be customer managed without preventing Red Hat from updating or upgrading the managed AKS cluster that is part of this offering. Customers therefore must not unlink the <GUID>.privatelink.<region>.azmk8s.io private DNS zone, so that Red Hat can upgrade the managed AKS cluster to the latest version during maintenance windows. See the following link for more information on this limitation: https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/create-upgrade-delete/createorupdatevirtualnetworklinkfailed-error
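The consolidation procedure above, written out as an added example (this is not Red Hat's or Microsoft's code). It plans the Azure CLI calls that copy the A records of a managed-resource-group zone into a customer-owned zone of the same name, then removes the managed zone's VNET link and links the customer zone, and it refuses to touch the AKS privatelink zone. The resource group, zone and VNET names are assumptions; the record and link listings used in dry-run mode are constructed samples of the `az ... -o json` output, so the planning code runs offline. Only `--apply` executes the commands and needs a logged-in Azure CLI.

```python
"""Plan (and optionally run) the Private DNS Zone consolidation: copy A records
from the managed resource group's zone into a customer-owned zone of the same
name, then swap the VNET link. Added example; names below are assumptions."""
import fnmatch
import json
import subprocess
import sys

# Assumed names for the example; replace with your own.
MANAGED_RG = "mrg-aap-example"                        # managed resource group of the offering
CUSTOMER_RG = "rg-customer-dns"                       # resource group that will own the zone
ZONE = "privatelink.postgres.database.azure.com"      # assumed colliding zone name
VNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "mrg-aap-example/providers/Microsoft.Network/virtualNetworks/vnet-aap")
LINK_NAME = "aap-vnet-link"
AKS_ZONE_GLOB = "*.privatelink.*.azmk8s.io"           # must never be unlinked

# Constructed samples of `az network private-dns record-set a list` and
# `az network private-dns link vnet list` JSON, trimmed to the fields used here.
SAMPLE_A_RECORDS = [
    {"name": "aap-db", "ttl": 10, "aRecords": [{"ipv4Address": "10.0.2.4"}]},
    {"name": "aap-db-replica", "ttl": 10,
     "aRecords": [{"ipv4Address": "10.0.2.5"}, {"ipv4Address": "10.0.2.6"}]},
]
SAMPLE_LINKS = [
    {"name": "managed-link", "virtualNetwork": {"id": VNET_ID}},
    {"name": "other-link", "virtualNetwork": {"id": VNET_ID + "-other"}},
]


def is_aks_zone(zone):
    """The managed AKS zone must stay linked or Red Hat cannot upgrade AKS."""
    return fnmatch.fnmatch(zone.lower(), AKS_ZONE_GLOB)


def az_json(args):
    """Run an az command and return its parsed JSON output."""
    out = subprocess.run(["az", *args, "-o", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def plan_record_copy(zone, a_record_sets, customer_rg):
    """az commands that recreate every A record in the customer-owned zone."""
    cmds = []
    for rs in a_record_sets:
        for rec in rs.get("aRecords", []):
            cmds.append(["az", "network", "private-dns", "record-set", "a", "add-record",
                         "-g", customer_rg, "-z", zone, "-n", rs["name"],
                         "-a", rec["ipv4Address"], "--ttl", str(rs.get("ttl", 3600))])
    return cmds


def plan_link_swap(zone, links, managed_rg, customer_rg, vnet_id):
    """Unlink the managed zone from the VNET, then link the customer zone.
    Order matters: Azure refuses a second link for a zone of the same name."""
    managed_links = [l["name"] for l in links if l["virtualNetwork"]["id"] == vnet_id]
    cmds = [["az", "network", "private-dns", "link", "vnet", "delete",
             "-g", managed_rg, "-z", zone, "-n", name, "--yes"] for name in managed_links]
    cmds.append(["az", "network", "private-dns", "link", "vnet", "create",
                 "-g", customer_rg, "-z", zone, "-n", LINK_NAME,
                 "-v", vnet_id, "-e", "false"])
    return cmds


def build_plan(zone, a_record_sets, links, managed_rg, customer_rg, vnet_id):
    """Full ordered plan: create zone, copy records, then swap the link."""
    if is_aks_zone(zone):
        raise ValueError(f"refusing to touch AKS zone {zone}: it must stay linked")
    plan = [["az", "network", "private-dns", "zone", "create", "-g", customer_rg, "-n", zone]]
    plan += plan_record_copy(zone, a_record_sets, customer_rg)
    plan += plan_link_swap(zone, links, managed_rg, customer_rg, vnet_id)
    return plan


if __name__ == "__main__":
    apply = "--apply" in sys.argv[1:]
    if apply:
        record_sets = az_json(["network", "private-dns", "record-set", "a", "list",
                               "-g", MANAGED_RG, "-z", ZONE])
        links = az_json(["network", "private-dns", "link", "vnet", "list",
                         "-g", MANAGED_RG, "-z", ZONE])
    else:
        record_sets, links = SAMPLE_A_RECORDS, SAMPLE_LINKS
    for cmd in build_plan(ZONE, record_sets, links, MANAGED_RG, CUSTOMER_RG, VNET_ID):
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)
```

Only A records are copied; if the managed zone also carries CNAME or other record types, extend `plan_record_copy` before unlinking, and re-run the copy whenever Red Hat changes the managed records, since the managed application depends on them.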

Private DNS Servers

If your organization uses private DNS servers, you may send a list of DNS zones and your DNS server IP address(es) to Red Hat for configuration with your Red Hat Ansible Automation Platform on Microsoft Azure deployment. Red Hat SREs will configure your deployment so that lookups for the provided zones are forwarded to your DNS servers.

This option requires that your DNS server(s) be routable from the Ansible Automation Platform on Azure VNET. This may require Azure networking configuration, such as VNET peering or Virtual WAN connectivity, which is the customer's responsibility.

Only the DNS zones that you explicitly provide are forwarded to your private DNS servers. It is not possible to forward all DNS traffic to private DNS servers; lookups for other names continue to use Azure DNS.

To request private DNS server configuration, submit a support request to Red Hat using the following information:

  • Set the product to Ansible Automation Platform
  • Set the version to Azure Cloud
  • In the description, include:

    • The list of DNS search domains that require your private DNS servers
    • The IP address(es) of your private DNS servers
    • The fully qualified domain name of a host that should resolve with your custom DNS server so that Red Hat SREs can validate successful configuration
    • For example:

      Private DNS search domain: mycompany.com
      Private DNS IPs: 10.8.8.8 10.8.4.4
      Test host: app1.mycompany.com
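The validation step in the request above, and the FQDN requirement stated earlier, as an added example that is not part of Red Hat's documentation: a check you can run from a host inside the peered VNET before opening the request, and the same check an SRE performs once forwarding is in place. It sends an A query for the test host straight to each private DNS server over UDP port 53 using only the standard library, verifies the transaction id on the reply, and prints the response code and addresses. The server addresses and test host are the assumed values from the example request; the sample reply packet is constructed so the parser can be exercised offline.

```python
"""Query the test host against each private DNS server directly and report
the result. Added example; server IPs and test host are assumptions taken
from the example support request."""
import os
import socket
import struct
import sys

PRIVATE_DNS_IPS = ["10.8.8.8", "10.8.4.4"]   # assumed, from the example request
TEST_HOST = "app1.mycompany.com"             # must be an FQDN; short names are not supported
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, zero terminated."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"{name!r} is not fully qualified")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid):
    """Standard recursive A/IN query (RD=1) with the given transaction id."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(data, qid):
    """Return (rcode, [(name, ipv4, ttl), ...]) for the A records in the answer."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    off = 12
    for _ in range(qd):                               # skip the echoed question
        _, off = read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return flags & 0x0F, answers


def resolve_via(server, name, timeout=3.0):
    """Send one query to `server` over UDP; raises OSError on timeout."""
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, qid)


# Constructed sample reply: a server answering app1.mycompany.com -> 10.8.10.5, TTL 300.
SAMPLE_QID = 0x1234
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", SAMPLE_QID, 0x8180, 1, 1, 0, 0)
                   + encode_name(TEST_HOST) + struct.pack(">HH", 1, 1)
                   + b"\xC0\x0C"                      # pointer back to the question name
                   + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([10, 8, 10, 5]))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else TEST_HOST
    for server in PRIVATE_DNS_IPS:
        try:
            rcode, answers = resolve_via(server, host)
        except OSError as exc:
            print(f"{server}: no reply ({exc}); check routing/peering from the AAP VNET")
            continue
        ips = ", ".join(ip for _, ip, _ in answers) or "no A records"
        print(f"{server}: {RCODE_NAMES.get(rcode, str(rcode))} {host} -> {ips}")
```

A timeout points at routing or peering between the AAP VNET and your DNS servers, NXDOMAIN means the server is reachable but does not know the name, and a short name is rejected before a query is sent, matching the FQDN-only rule above.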
      
