
Private DNS for Multi-Tier Apps

In this lab, you will configure Private DNS Zones, VNet Peering, and Network Security Groups (NSGs) to enable secure name resolution and connectivity between a front-end and back-end tier in Azure. You will validate that the front-end VM can resolve and connect to the back-end VM using a private DNS name.


Pre-Provisioned Resources

Pre-provisioned architecture

  • Virtual Networks:
    • AppVNet (10.0.0.0/16) with AppSubnet (10.0.1.0/24)
    • DBVNet (10.1.0.0/16) with DBSubnet (10.1.1.0/24)
  • Virtual Machines:
    • AppVM in AppSubnet (Ubuntu, includes dnsutils for DNS testing)
    • DBVM in DBSubnet (Ubuntu, running a mock SQL listener on TCP 1433)
  • NSGs: Attached to subnets with default rules and a deny rule on DBSubnet to block VNet traffic.
  • Public IP access: AppVM has a public IP for SSH access; Bastion is not used in this lab.

Your Tasks


Task 1: Create and Configure DNS

Part A: Create a Private DNS Zone

  1. In the Azure portal, go to Private DNS Zones → Create.
  2. Name the zone: corp.internal.
  3. Place it in the same resource group (LabRG).
Part B: Link Virtual Networks and Verify Records

  1. Open the DNS zone you created.
  2. Under Virtual network links, click Add:
    • Link AppVNet (disable auto-registration).
    • Link DBVNet (enable auto-registration).
  3. Verify that DBVM appears in the DNS zone after a few minutes (or add an A record manually if needed):
    • Name: dbvm
    • IP: DBVM’s private IP (shown in deployment outputs).

Lab with DNS


Task 2: Configure VNet Peering

  1. Go to AppVNet → Peerings → Add:
    • Peer to DBVNet.
    • Enable Allow virtual network access.
  2. Repeat for DBVNet → peer back to AppVNet.

Lab with Peering


Task 3: Update NSG Rules

  1. Go to nsg-db (attached to DBSubnet).
  2. Add an Allow inbound rule:
    • Priority: Lower than 3000 (e.g., 200), so it is evaluated before the deny rule. Azure processes NSG rules from the lowest priority number upward and stops at the first match, so an allow rule numbered above the deny rule never takes effect.
    • Source: 10.0.1.0/24 (AppSubnet)
    • Destination: *
    • Protocol: TCP
    • Port: 1433
  3. Save and confirm the rule is active.

Lab with NSG rule
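
The priority point in Task 3 is easy to get wrong, so here is an added example (not part of the lab or any Azure SDK) that simulates how Azure evaluates inbound NSG rules: from the lowest priority number upward, first match wins, with the built-in default rules at 65000 and above. The rule table is constructed to mirror nsg-db: the pre-provisioned deny rule for VNet traffic (its name, and its priority of 3000, are assumptions taken from the "lower than 3000" hint) plus the allow rule Task 3 adds (rule name assumed). It goes beyond the lab's single check by also showing that traffic from a subnet other than AppSubnet, or to a port other than 1433, stays blocked, and that the same allow rule placed at priority 3100 would be useless.

```python
"""Simulate Azure's inbound NSG rule evaluation for the lab's nsg-db.

Added example, not part of the lab or any Azure SDK. Rules are checked from the
lowest priority number upward and the first match decides; Azure's default rules
sit at 65000+. LAB_DENY's name and priority (3000) are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address spaces the VirtualNetwork service tag covers once the two VNets are peered
VNET_RANGES = [ip_network("10.0.0.0/16"), ip_network("10.1.0.0/16")]
AZURE_LB_PROBE = ip_address("168.63.129.16")  # source behind the AzureLoadBalancer tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number = evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR, the tags "VirtualNetwork" / "AzureLoadBalancer", or "*"
    dest_port: str  # single port number or "*"


def _source_matches(rule_source: str, src) -> bool:
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return any(src in net for net in VNET_RANGES)
    if rule_source == "AzureLoadBalancer":
        return src == AZURE_LB_PROBE
    return src in ip_network(rule_source)


def evaluate(rules, src_ip: str, protocol: str, port: int):
    """Return (access, rule_name) of the first matching rule in priority order."""
    src = ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if rule.dest_port not in ("*", str(port)):
            continue
        if _source_matches(rule.source, src):
            return rule.access, rule.name
    return "Deny", "<no match>"  # unreachable while the default rules are present


# Default inbound rules Azure attaches to every NSG
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Pre-provisioned deny rule on DBSubnet (name and priority are assumptions)
LAB_DENY = Rule("DenyVnetInBound", 3000, "Deny", "*", "VirtualNetwork", "*")

# The rule Task 3 adds (name assumed; source, protocol, port and priority from the lab)
TASK3_ALLOW = Rule("AllowAppSubnetSql", 200, "Allow", "Tcp", "10.0.1.0/24", "1433")


def nsg_db(after_task3: bool):
    """nsg-db's inbound rule set before or after Task 3."""
    rules = [LAB_DENY, *DEFAULT_RULES]
    return rules + [TASK3_ALLOW] if after_task3 else rules


if __name__ == "__main__":
    misplaced = Rule("AllowAppSubnetSql", 3100, "Allow", "Tcp", "10.0.1.0/24", "1433")
    cases = [
        ("before Task 3, AppVM -> 1433", nsg_db(False), "10.0.1.4", "Tcp", 1433),
        ("after Task 3, AppVM -> 1433", nsg_db(True), "10.0.1.4", "Tcp", 1433),
        ("after Task 3, AppVM -> 22", nsg_db(True), "10.0.1.4", "Tcp", 22),
        ("after Task 3, other subnet -> 1433", nsg_db(True), "10.0.2.4", "Tcp", 1433),
        ("allow misplaced at priority 3100", [*nsg_db(False), misplaced], "10.0.1.4", "Tcp", 1433),
    ]
    for label, rules, src, proto, port in cases:
        print(f"{label:36s} -> {evaluate(rules, src, proto, port)}")
```

The model deliberately scopes the allow rule to 10.0.1.0/24 rather than to the VirtualNetwork tag: after peering, that tag also covers DBVNet and any future peers, so a VirtualNetwork-sourced allow would reopen far more than the front-end tier.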


Task 4: Validate Connectivity

  1. Connect to AppVM over SSH from your local terminal using its Public IP:

    • Username: serveradmin
    • Password: GolderCorn@1234

    To find the Public IP: In the Azure portal, open AppVM → Overview → copy the Public IP address.

    Example (run locally):

    ssh serveradmin@<APPVM_PUBLIC_IP>
  2. Once connected to AppVM, run:

    nslookup dbvm.corp.internal
    nc -vz dbvm.corp.internal 1433
  3. Expected results:

    • nslookup returns DBVM’s private IP.
    • nc (or telnet) confirms port 1433 is open.
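
The two commands above answer "does it work"; the script below is an added example (not part of the lab) that also answers "which task to revisit when it does not". Run it on AppVM as `python3 validate.py dbvm.corp.internal 1433`. It resolves the name, checks that the answer is a private address inside DBSubnet (10.1.1.0/24, from the lab's architecture) rather than some other address, then attempts the TCP connect that `nc -vz` performs. The file name and the 5-second timeout are assumptions.

```python
"""Validate the Task 4 expectations from AppVM and point at the task to revisit.

Added example, not part of the lab. The DBSubnet range comes from the lab's
architecture; the timeout is an assumption.
"""
import socket
import sys
from ipaddress import ip_address, ip_network

DB_SUBNET = ip_network("10.1.1.0/24")


def classify_answer(ip_text: str, expected_subnet=DB_SUBNET) -> str:
    """Interpret a resolved address (pure function so it can be tested offline)."""
    ip = ip_address(ip_text)
    if ip in expected_subnet:
        return "ok"             # the private zone answered with DBVM's private IP
    if ip.is_private:
        return "wrong-subnet"   # resolves, but not into DBSubnet: stale or mistyped A record
    return "not-private"        # corp.internal should never resolve to a public address


def resolve(hostname: str):
    """Return the A record as text, or None when resolution fails."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def tcp_open(host: str, port: int, timeout: float = 5.0) -> bool:
    """True when a TCP handshake to host:port completes (what `nc -vz` checks)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def summarize(resolved_ip, port: int, port_open: bool):
    """Map the two observations to a verdict and the lab task to revisit."""
    if resolved_ip is None:
        return "FAIL", "name did not resolve: check the AppVNet zone link and the A record (Task 1)"
    verdict = classify_answer(resolved_ip)
    if verdict != "ok":
        return "FAIL", f"resolved to {resolved_ip} ({verdict}): check the dbvm A record (Task 1)"
    if not port_open:
        return "FAIL", f"{resolved_ip}:{port} unreachable: check peering (Task 2) and the nsg-db allow rule (Task 3)"
    return "PASS", f"{resolved_ip} resolves privately and TCP {port} is open"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "dbvm.corp.internal"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 1433
    ip = resolve(host)
    status, detail = summarize(ip, port, ip is not None and tcp_open(ip, port))
    print(f"{status}: {detail}")
    sys.exit(0 if status == "PASS" else 1)
```

Running it before Task 3 should report the nsg-db failure and after Task 3 should pass, which is the "blocked before rule, allowed after" success criterion in a form you can script.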

Success Criteria

  • DNS resolution works for dbvm.corp.internal.
  • AppVM can connect to DBVM on TCP 1433 using hostname.
  • NSG rules enforce security (traffic blocked before rule, allowed after).

Optional Challenge

  • Add a second A record for appvm.corp.internal and test reverse connectivity.
  • Create a custom DNS name for the database service (e.g., sql.corp.internal).