In this post, I will show you how to create a private subnet in Azure using the public preview feature that was announced on November 16, 2023. You will also learn how to use the Azure DNS Private Resolver service to query Azure DNS private zones from your private subnet.
Prerequisites
To follow this tutorial, you will need:
- An Azure subscription. If you don’t have one, you can create one for free here.
- A virtual network in Azure. You can use an existing one or create a new one using this quickstart.
- A private DNS zone in Azure. You can use an existing one or create a new one using this quickstart.
Steps
- On the Azure portal, go to the Virtual networks page and select the virtual network you want to add a private subnet to.
- On the virtual network page, select Subnets from the left navigation.
- On the Subnets page, select + Subnet.
- On the Add subnet screen, enter or select values for the following settings:
  - Name: Enter a name for your private subnet, such as “private-subnet”.
  - Address range: Enter an address range for your private subnet that lies within the address space of your virtual network, such as “10.0.1.0/24”.
  - Default outbound access: Set this parameter to false to prevent the creation of default outbound public IP addresses for the virtual machines in this subnet.
  - Network security group: Optionally, assign a network security group to your private subnet to control its inbound and outbound traffic rules.
- Select Save to create your private subnet.
- On the Subnets page, select + DNS forwarding ruleset.
- On the Add DNS forwarding ruleset screen, enter or select values for the following settings:
  - Name: Enter a name for your DNS forwarding ruleset, such as “private-dns-ruleset”.
  - Virtual network links: Select Add link and choose your virtual network from the drop-down list. This links your DNS forwarding ruleset to your virtual network.
  - DNS forwarding rules: Select Add rule and enter or select values for the following settings:
    - Name: Enter a name for your DNS forwarding rule, such as “private-dns-rule”.
    - Suffix: Enter the suffix of the DNS queries that you want to forward, such as “.privatelink.azure.com”.
    - Destination: Enter the IP address of the DNS server that you want to forward the queries to, such as “168.63.129.16”. This is the IP address of the Azure-provided DNS server that can resolve Azure DNS private zones.
- Select Save to create your DNS forwarding ruleset and rule.
- On the Subnets page, select + Private endpoint.
- On the Create a private endpoint screen, enter or select values for the following settings:
  - Basics:
    - Subscription: Select your Azure subscription.
    - Resource group: Select an existing resource group or create a new one.
    - Name: Enter a name for your private endpoint, such as “private-endpoint”.
    - Region: Select the same region as your virtual network and private DNS zone.
  - Resource:
    - Connection method: Select Connect to an Azure resource in my directory.
    - Subscription: Select your Azure subscription again.
    - Resource type: Select Microsoft.Network/privateDnsZones.
    - Resource: Select your private DNS zone from the drop-down list.
    - Target sub-resource: Select PrivateDnsZoneGroup from the drop-down list.
  - Configuration:
    - Virtual network: Select your virtual network again.
    - Subnet: Select your private subnet from the drop-down list.
    - Private DNS integration: Check the box to enable private DNS integration and select your private DNS zone again from the drop-down list.
- Select Review + create and then Create to create your private endpoint.
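The same private subnet and DNS forwarding ruleset, written as Bicep so the settings from the steps above can be reviewed and deployed as code. This is an added example, not the post's own configuration; it assumes an existing virtual network named “my-vnet” in the target resource group and an existing DNS Private Resolver outbound endpoint whose resource id is supplied through the outboundEndpointId parameter (both are placeholders, not values from the post).

```bicep
// Added example, not the post's own code: the private subnet and the DNS
// forwarding ruleset from the portal steps, written as Bicep.
// Assumptions (placeholders not in the post): an existing VNet 'my-vnet' in this
// resource group, and an existing DNS Private Resolver outbound endpoint id.
param vnetName string = 'my-vnet'
param outboundEndpointId string
param location string = resourceGroup().location

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: vnetName
}

// Private subnet: defaultOutboundAccess=false removes the implicit public
// egress path, so VMs placed here get no default outbound public IP.
resource privateSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet
  name: 'private-subnet'
  properties: {
    addressPrefix: '10.0.1.0/24'
    defaultOutboundAccess: false
  }
}

// Ruleset; its rules apply to every VM in the linked virtual networks.
resource ruleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
  name: 'private-dns-ruleset'
  location: location
  properties: {
    dnsResolverOutboundEndpoints: [{ id: outboundEndpointId }]
  }
}

resource vnetLink 'Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks@2022-07-01' = {
  parent: ruleset
  name: '${vnetName}-link'
  properties: {
    virtualNetwork: { id: vnet.id }
  }
}

// Forward the suffix named in the post to the destination named in the post.
// The API takes the domain as an FQDN with a trailing dot.
resource rule 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = {
  parent: ruleset
  name: 'private-dns-rule'
  properties: {
    domainName: 'privatelink.azure.com.'
    forwardingRuleState: 'Enabled'
    targetDnsServers: [{ ipAddress: '168.63.129.16', port: 53 }]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters outboundEndpointId=<id>`; keeping the subnet definition in source control makes it easy to audit that defaultOutboundAccess stays false.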
You have successfully created a private subnet in Azure with a private endpoint and a DNS forwarding ruleset. You can now create virtual machines in your private subnet and use them to query your private DNS zone without exposing them to the internet.