Provision of Private Endpoint and Private DNS Zone
Private endpoints and Private DNS zones are networking components in Microsoft Azure. Let's first define the two services they protect in our organization, then explain how private endpoints and Private DNS are used.
- Azure Key Vault: Azure Key Vault is a cloud-based service that helps you securely manage keys, secrets, and certificates. It provides a central place to safeguard sensitive information, making it a critical component for data protection and security.
- Azure Storage: Azure Storage is a scalable cloud-based storage service that allows you to store and manage various types of data, including files, blobs, tables, and queues. It is widely used for data storage, backups, and application data.
Now, let's look at the private endpoint and Private DNS concepts we currently use:
Private Endpoint: A private endpoint is a network interface for a service in Azure, which is linked to our virtual network. It allows us to securely access the service over a private connection without the need for public internet access. Private endpoints are used to enhance the security of our resources by keeping traffic within Azure's network.
Private DNS: Private DNS in Azure is a service that allows us to create custom DNS configurations for our resources within an Azure virtual network. It enables name resolution for resources using custom domain names while keeping DNS traffic within the Azure network, enhancing security and privacy.
Private Endpoint for Key Vault and Storage: When we create a private endpoint for Azure Key Vault or Azure Storage, we establish a private connection between our virtual network and the respective service. Once public network access on the service is disabled, the service is reachable only from within our virtual network, which makes it highly secure. Requests to access keys, secrets, or data in Azure Key Vault or Storage are routed through this private connection, ensuring that sensitive information is not exposed to the public internet.
Private DNS for Key Vault and Storage: By configuring Private DNS zones for Key Vault and Storage, we can associate custom domain names with these services within our Azure virtual network. This simplifies the naming of resources and allows us to access them using user-friendly names while maintaining DNS traffic within our private network. It also helps in cases where we need to isolate our Azure Key Vault and Storage resources from public DNS resolution, further enhancing security and privacy.
In summary, private endpoints and private DNS in Azure Key Vault and Storage offer enhanced security and network isolation by allowing us to access these services over a private connection within our virtual network while customizing domain name resolution. This is particularly important for securing sensitive data and resources in a cloud environment.
This repo provisions the private endpoints and Private DNS zones for the Key Vault, the Customer KV and the Storage Account. Edit privatednszone.tf to create, update or delete a DNS zone; the Key Vault configuration, for example, looks like this:
```hcl
# Private DNS zone that holds the A record for the Key Vault's private endpoint
resource "azurerm_private_dns_zone" "key_vault" {
  name                = local.kv_private_dns_zone
  resource_group_name = azurerm_resource_group.main.name
}

# Link the zone to the VNet so resolvers inside it answer from this zone
resource "azurerm_private_dns_zone_virtual_network_link" "kv-dnszonelink" {
  name                  = "kv-${var.common_tags.project}-${var.tags.environment}-dnszonelink"
  resource_group_name   = azurerm_resource_group.main.name
  private_dns_zone_name = azurerm_private_dns_zone.key_vault.name
  virtual_network_id    = module.vnet.vnet_id
}

# Private endpoint: a NIC in the chosen subnet that fronts the Key Vault
resource "azurerm_private_endpoint" "key_vault" {
  name                = "kv-${var.common_tags.project}-${var.tags.environment}"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  subnet_id           = module.vnet.vnet_subnets[5]

  # Registers the endpoint's private IP in the zone automatically
  private_dns_zone_group {
    name                 = "kv-${var.common_tags.project}-${var.tags.environment}"
    private_dns_zone_ids = [azurerm_private_dns_zone.key_vault.id]
  }

  # Auto-approved connection to the "vault" sub-resource of the Key Vault
  private_service_connection {
    name                           = "vault-privatelink-${var.tags.environment}"
    private_connection_resource_id = azurerm_key_vault.vault.id
    is_manual_connection           = false
    subresource_names              = ["vault"]
  }
}
```
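Once the zone, the VNet link and the endpoint are applied, the check that matters is whether a host inside the VNet gets the private endpoint's IP back when it resolves the service's public hostname; a public answer means the zone is not linked, the zone group did not register the record, or the client is resolving from outside the VNet. The script below is an added example and is not part of this repo: it classifies a hostname's DNS answers against the VNet address space and derives the name the A record should carry in the Private DNS zone. The zone names are Azure's standard Private Link zones for the `vault` and `blob` sub-resources; the hostnames, the `10.20.0.0/16` VNet range, the answer addresses and the `sample_resolver` are constructed for the offline run, and the function names are the example's own.

```python
"""Verify that service hostnames resolve to private-endpoint IPs inside the VNet.

Added example, not part of this repo. Run it from a host inside the VNet with
the live resolver, or with the constructed sample_resolver below for a dry run.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Azure's Private Link zone names for the two sub-resources this repo fronts
# (the repo keeps the Key Vault one in local.kv_private_dns_zone).
PRIVATELINK_ZONES: Dict[str, str] = {
    "vault": "privatelink.vaultcore.azure.net",
    "blob": "privatelink.blob.core.windows.net",
}

Resolver = Callable[[str], List[str]]


def resolve_with_socket(hostname: str) -> List[str]:
    """Live resolver: IPv4 answers from the local stub resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def expected_privatelink_name(public_hostname: str, subresource: str) -> str:
    """Name under which the A record must exist in the Private DNS zone."""
    label = public_hostname.split(".")[0]
    return f"{label}.{PRIVATELINK_ZONES[subresource]}"


def check_private_resolution(hostname: str, vnet_cidrs: Iterable[str],
                             resolver: Resolver = resolve_with_socket) -> dict:
    """Classify answers as private (all inside the VNet), public, or unresolved."""
    networks = [ipaddress.ip_network(c) for c in vnet_cidrs]
    addresses = resolver(hostname)
    inside = [a for a in addresses if any(ipaddress.ip_address(a) in n for n in networks)]
    outside = [a for a in addresses if a not in inside]
    if not addresses:
        status = "unresolved"
    elif outside:
        status = "public"   # any answer outside the VNet lets traffic leave the private path
    else:
        status = "private"
    return {"hostname": hostname, "addresses": addresses,
            "inside_vnet": inside, "outside_vnet": outside, "status": status}


def audit(hosts: Dict[str, str], vnet_cidrs: Iterable[str],
          resolver: Resolver = resolve_with_socket) -> List[dict]:
    """Check every hostname -> sub-resource pair, e.g. {"x.vault.azure.net": "vault"}."""
    cidrs = list(vnet_cidrs)
    results = []
    for hostname, sub in hosts.items():
        r = check_private_resolution(hostname, cidrs, resolver)
        r["expected_record"] = expected_privatelink_name(hostname, sub)
        results.append(r)
    return results


# Constructed sample answers (not real resources): one vault behind a private
# endpoint in the 10.20.0.0/16 VNet, one storage account whose blob name still
# resolves to a public address because its zone is not linked to the VNet,
# and one vault name with no record at all.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "contoso-kv.vault.azure.net": ["10.20.5.4"],
    "contosostg.blob.core.windows.net": ["203.0.113.10"],
    "missing-kv.vault.azure.net": [],
}


def sample_resolver(hostname: str) -> List[str]:
    """Offline stand-in for resolve_with_socket."""
    return SAMPLE_ANSWERS.get(hostname, [])


if __name__ == "__main__":
    hosts = {"contoso-kv.vault.azure.net": "vault",
             "contosostg.blob.core.windows.net": "blob",
             "missing-kv.vault.azure.net": "vault"}
    for r in audit(hosts, ["10.20.0.0/16"], sample_resolver):
        print(f"{r['status']:<10} {r['hostname']:<36} answers={r['addresses']} "
              f"expect A record at {r['expected_record']}")
```

Swap `sample_resolver` for the default `resolve_with_socket` and pass the VNet's real address space to run it against the deployed environment; a `public` or `unresolved` result for a name that should be fronted by an endpoint is the signal to inspect the zone link and the `private_dns_zone_group` on that endpoint.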