Hi, I am currently trying to build https://learn.microsoft.com/en-us/azure/architecture/web-apps/app-service/architectures/baseline-zone-redundant in Terraform, but I keep running into this problem where the Application Gateway can't resolve the private DNS name of the private endpoint. The NSGs are not the problem, since I opened all their ports for debugging purposes.
I tried creating a private DNS A record and also adding a DNS resolver, but neither worked.
#* Network
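# Hub VNet that holds the gateway, integration and private-endpoint subnets below.
resource "azurerm_virtual_network" "the_network" {
  name                = module.naming.virtual_network.name
  location            = local.location
  resource_group_name = azurerm_resource_group.the_group.name
  address_space       = [local.vnet_prefixe]

  # dns_servers is not set, so the VNet uses Azure-provided name resolution
  # (which is what serves records from linked private DNS zones).
  tags = {
    # terraform.workspace is already an expression; the original "${...}" wrapper
    # is the legacy interpolation-only form that `terraform fmt`/tflint flag.
    environment = terraform.workspace
  }
}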
#* Subnets
# Subnet used by the gateway_ip_configuration of azurerm_application_gateway.network.
# NOTE(review): the label is PascalCase while the other subnets are snake_case; it is
# referenced by the gateway, so renaming it would force a replacement.
resource "azurerm_subnet" "Application_Gateway_Subnet" {
  virtual_network_name = azurerm_virtual_network.the_network.name
  resource_group_name  = azurerm_resource_group.the_group.name
  name                 = "Application_Gateway_Subnet"
  address_prefixes     = [local.gateway_subnet_prefix]
}
# Subnet delegated to App Service for regional VNet integration (outbound traffic
# from the web app). Nothing in this listing attaches the web app to it yet.
resource "azurerm_subnet" "app_service_integration_subnet" {
  virtual_network_name = azurerm_virtual_network.the_network.name
  resource_group_name  = azurerm_resource_group.the_group.name
  name                 = "app_service_integration_subnet"
  address_prefixes     = [local.app_service_integration_subnet_prefix]

  # Required delegation for App Service plans to join the subnet.
  delegation {
    name = "webapp"

    service_delegation {
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
      name    = "Microsoft.Web/serverFarms"
    }
  }
}
# Subnet that hosts the web app's private endpoint NIC.
resource "azurerm_subnet" "private_endpoints_subnet" {
  virtual_network_name = azurerm_virtual_network.the_network.name
  resource_group_name  = azurerm_resource_group.the_group.name
  name                 = "private_endpoints_subnet"
  address_prefixes     = [local.private_endpoints_subnet_prefix]

  # NOTE(review): a service endpoint is not needed for a private endpoint to work
  # and widens what this subnet can reach on the Microsoft.Web service tag; drop it
  # unless something else in the subnet relies on it.
  service_endpoints = ["Microsoft.Web"]
}
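# Public entry point that forwards to the private-endpoint FQDN of the web app.
resource "azurerm_application_gateway" "network" {
  name                = module.naming.application_gateway.name
  resource_group_name = azurerm_resource_group.the_group.name
  location            = local.location

  # NOTE(review): the baseline architecture fronts the app with WAF_v2 and an HTTPS
  # listener; Standard_v2 with plain HTTP on both sides is acceptable for debugging only.
  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = azurerm_subnet.Application_Gateway_Subnet.id
  }

  frontend_port {
    name = local.frontend_port_name
    port = 80
  }

  frontend_ip_configuration {
    name                 = local.frontend_ip_configuration_name
    public_ip_address_id = azurerm_public_ip.the_public_ip.id
  }

  # The gateway resolves this FQDN with the DNS settings of the VNet that holds
  # Application_Gateway_Subnet, so the privatelink zone must be linked to that VNet.
  # NOTE(review): the gateway reads the VNet DNS settings when it starts; after
  # changing dns_servers or the zone link, stop and start the gateway to pick them up.
  backend_address_pool {
    name  = local.backend_address_pool_name
    fqdns = [module.the_web_app.endpoint_fqdn]
  }

  backend_http_settings {
    name                  = local.http_setting_name
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 60
    probe_name            = "webapp-probe"

    # App Service routes requests on the Host header, so forward the backend FQDN
    # as the host name instead of the listener's public address.
    pick_host_name_from_backend_address = true

    # `path` is a backend path override prefix, not a match pattern; the original
    # `path = "/*"` would be forwarded literally, so it is omitted here.
  }

  # Explicit probe so health checks also carry the App Service host name.
  probe {
    name                                      = "webapp-probe" # constructed name
    protocol                                  = "Http"
    path                                      = "/"
    interval                                  = 30
    timeout                                   = 30
    unhealthy_threshold                       = 3
    pick_host_name_from_backend_http_settings = true
  }

  http_listener {
    name                           = local.listener_name
    frontend_ip_configuration_name = local.frontend_ip_configuration_name
    frontend_port_name             = local.frontend_port_name
    protocol                       = "Http"
  }

  request_routing_rule {
    name                       = local.request_routing_rule_name
    priority                   = 9
    rule_type                  = "Basic"
    http_listener_name         = local.listener_name
    backend_address_pool_name  = local.backend_address_pool_name
    backend_http_settings_name = local.http_setting_name
  }
}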
# Linux App Service plan that hosts azurerm_linux_web_app.the_app.
# NOTE(review): P1v2 is a single-zone SKU; the zone-redundant baseline this follows
# expects a Premium v3 plan with zone balancing enabled.
resource "azurerm_service_plan" "the_plan" {
  resource_group_name = var.resource_group_name
  location            = var.location
  name                = module.naming.app_service_plan.name
  sku_name            = "P1v2"
  os_type             = "Linux"
}
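# The web app itself. Public access is disabled; the only path in is the private
# endpoint below, which the Application Gateway reaches over the VNet.
resource "azurerm_linux_web_app" "the_app" {
  name                = module.naming.app_service.name_unique
  resource_group_name = var.resource_group_name
  location            = var.location
  service_plan_id     = azurerm_service_plan.the_plan.id

  public_network_access_enabled = false

  # NOTE(review): https_only is left off because the gateway's backend_http_settings
  # speak HTTP on port 80; enable it once the backend settings are switched to HTTPS.
  # NOTE(review): app_service_integration_subnet is delegated to Microsoft.Web/serverFarms
  # but nothing attaches the app to it (virtual_network_subnet_id); pass the subnet id
  # into this module if outbound VNet integration is wanted.

  site_config {
    # Pin the provider defaults explicitly so hardening does not depend on them.
    ftps_state          = "Disabled"
    minimum_tls_version = "1.2"

    application_stack {
      dotnet_version = "6.0"
    }
  }
}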
# private endpoints
# Private DNS zone for App Service private endpoints; the zone name is fixed by Azure.
resource "azurerm_private_dns_zone" "dnsprivatezone" {
  resource_group_name = var.resource_group_name
  name                = "privatelink.azurewebsites.net"
}
# Makes the privatelink zone answerable from the VNet's Azure-provided DNS.
# NOTE(review): var.vnet_id must be the VNet containing Application_Gateway_Subnet;
# the gateway cannot resolve the privatelink name if the zone is linked elsewhere.
resource "azurerm_private_dns_zone_virtual_network_link" "dnszonelink" {
  resource_group_name   = var.resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.dnsprivatezone.name
  virtual_network_id    = var.vnet_id
  name                  = "dnszonelink"
}
# Private endpoint for the web app's "sites" sub-resource, placed in the
# private-endpoints subnet passed into this module.
resource "azurerm_private_endpoint" "privateendpoint" {
  resource_group_name = var.resource_group_name
  location            = var.location
  name                = "${module.naming.private_endpoint.name}-webapp"
  subnet_id           = var.private_endpoints_subnet_id

  # Auto-approved connection to the web app.
  private_service_connection {
    is_manual_connection           = false
    name                           = "privateendpointconnection"
    private_connection_resource_id = azurerm_linux_web_app.the_app.id
    subresource_names              = ["sites"]
  }

  # Registers the endpoint's private IP in the privatelink zone, so a hand-made
  # A record is not needed on top of this.
  private_dns_zone_group {
    private_dns_zone_ids = [azurerm_private_dns_zone.dnsprivatezone.id]
    name                 = "web-app-dns-zone-group"
  }
}
Update: using a VM in the VNet I can resolve the private endpoint DNS name through the wireserver, but I can't do the same from the Application Gateway.
Apparently the wireserver is not the default DNS server for the virtual network unless you add it explicitly.
#* Network
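# Same VNet as above, with the DNS server pinned explicitly.
resource "azurerm_virtual_network" "the_network" {
  name                = module.naming.virtual_network.name
  location            = local.location
  resource_group_name = azurerm_resource_group.the_group.name
  address_space       = [local.vnet_prefixe]

  # 168.63.129.16 is Azure's platform DNS/wireserver address, i.e. the same resolver
  # used when dns_servers is empty. NOTE(review): an Application Gateway only reads
  # the VNet DNS settings when it starts, so stop and start it after changing this.
  dns_servers = ["168.63.129.16"]

  # Restored from the first version of this resource so both listings agree.
  tags = {
    environment = terraform.workspace
  }
}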