Quickstart: Create an Azure DNS Private Resolver using an ARM template

This quickstart describes how to use an Azure Resource Manager template (ARM template) to create Azure DNS Private Resolver.

An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.

The following figure summarizes the general setup used. Subnet address ranges used in templates are slightly different than those shown in the figure.

Conceptual figure displaying components of the private resolver.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.

Button to deploy the Resource Manager template to Azure.

Prerequisites

If you don't have an Azure subscription, create a trial account before you begin.

Review the template

The template used in this quickstart is from Azure Quickstart Templates.

This template is configured to create a:

  • Virtual network
  • DNS resolver
  • Inbound & outbound endpoints
  • Forwarding Rules & rulesets.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.17.1.54307",
      "templateHash": "4642931119059320905"
    }
  },
  "parameters": {
    "resolverVNETName": {
      "type": "string",
      "defaultValue": "dnsresolverVNET",
      "metadata": {
        "description": "name of the new virtual network where DNS resolver will be created"
      }
    },
    "resolverVNETAddressSpace": {
      "type": "string",
      "defaultValue": "10.7.0.0/24",
      "metadata": {
        "description": "the IP address space for the resolver virtual network"
      }
    },
    "dnsResolverName": {
      "type": "string",
      "defaultValue": "dnsResolver",
      "metadata": {
        "description": "name of the dns private resolver"
      }
    },
    "location": {
      "type": "string",
      "allowedValues": [
        "chinanorth3"
      ],
      "metadata": {
        "description": "the location for resolver VNET and dns private resolver - Azure DNS Private Resolver available in specific region, refer the documenation to select the supported region for this deployment. For more information https://docs.azure.cn/dns/dns-private-resolver-overview#regional-availability"
      }
    },
    "inboundSubnet": {
      "type": "string",
      "defaultValue": "snet-inbound",
      "metadata": {
        "description": "name of the subnet that will be used for private resolver inbound endpoint"
      }
    },
    "inboundAddressPrefix": {
      "type": "string",
      "defaultValue": "10.7.0.0/28",
      "metadata": {
        "description": "the inbound endpoint subnet address space"
      }
    },
    "outboundSubnet": {
      "type": "string",
      "defaultValue": "snet-outbound",
      "metadata": {
        "description": "name of the subnet that will be used for private resolver outbound endpoint"
      }
    },
    "outboundAddressPrefix": {
      "type": "string",
      "defaultValue": "10.7.0.16/28",
      "metadata": {
        "description": "the outbound endpoint subnet address space"
      }
    },
    "resolvervnetlink": {
      "type": "string",
      "defaultValue": "vnetlink",
      "metadata": {
        "description": "name of the vnet link that links outbound endpoint with forwarding rule set"
      }
    },
    "forwardingRulesetName": {
      "type": "string",
      "defaultValue": "forwardingRule",
      "metadata": {
        "description": "name of the forwarding ruleset"
      }
    },
    "forwardingRuleName": {
      "type": "string",
      "defaultValue": "contosocom",
      "metadata": {
        "description": "name of the forwarding rule name"
      }
    },
    "DomainName": {
      "type": "string",
      "defaultValue": "contoso.com.",
      "metadata": {
        "description": "the target domain name for the forwarding ruleset"
      }
    },
    "targetDNS": {
      "type": "array",
      "defaultValue": [
        {
          "ipaddress": "10.0.0.4",
          "port": 53
        },
        {
          "ipaddress": "10.0.0.5",
          "port": 53
        }
      ],
      "metadata": {
        "description": "the list of target DNS servers ip address and the port number for conditional forwarding"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/dnsResolvers",
      "apiVersion": "2022-07-01",
      "name": "[parameters('dnsResolverName')]",
      "location": "[parameters('location')]",
      "properties": {
        "virtualNetwork": {
          "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('resolverVNETName'))]"
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('resolverVNETName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/dnsResolvers/inboundEndpoints",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/{1}', parameters('dnsResolverName'), parameters('inboundSubnet'))]",
      "location": "[parameters('location')]",
      "properties": {
        "ipConfigurations": [
          {
            "privateIpAllocationMethod": "Dynamic",
            "subnet": {
              "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', parameters('resolverVNETName')), parameters('inboundSubnet'))]"
            }
          }
        ]
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/dnsResolvers', parameters('dnsResolverName'))]",
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('resolverVNETName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/dnsResolvers/outboundEndpoints",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/{1}', parameters('dnsResolverName'), parameters('outboundSubnet'))]",
      "location": "[parameters('location')]",
      "properties": {
        "subnet": {
          "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', parameters('resolverVNETName')), parameters('outboundSubnet'))]"
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/dnsResolvers', parameters('dnsResolverName'))]",
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('resolverVNETName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/dnsForwardingRulesets",
      "apiVersion": "2022-07-01",
      "name": "[parameters('forwardingRulesetName')]",
      "location": "[parameters('location')]",
      "properties": {
        "dnsResolverOutboundEndpoints": [
          {
            "id": "[resourceId('Microsoft.Network/dnsResolvers/outboundEndpoints', parameters('dnsResolverName'), parameters('outboundSubnet'))]"
          }
        ]
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/dnsResolvers/outboundEndpoints', parameters('dnsResolverName'), parameters('outboundSubnet'))]"
      ]
    },
    {
      "type": "Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/{1}', parameters('forwardingRulesetName'), parameters('resolvervnetlink'))]",
      "properties": {
        "virtualNetwork": {
          "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('resolverVNETName'))]"
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/dnsForwardingRulesets', parameters('forwardingRulesetName'))]",
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('resolverVNETName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/dnsForwardingRulesets/forwardingRules",
      "apiVersion": "2022-07-01",
      "name": "[format('{0}/{1}', parameters('forwardingRulesetName'), parameters('forwardingRuleName'))]",
      "properties": {
        "domainName": "[parameters('DomainName')]",
        "targetDnsServers": "[parameters('targetDNS')]"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/dnsForwardingRulesets', parameters('forwardingRulesetName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2022-01-01",
      "name": "[parameters('resolverVNETName')]",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[parameters('resolverVNETAddressSpace')]"
          ]
        },
        "enableDdosProtection": false,
        "enableVmProtection": false,
        "subnets": [
          {
            "name": "[parameters('inboundSubnet')]",
            "properties": {
              "addressPrefix": "[parameters('inboundAddressPrefix')]",
              "delegations": [
                {
                  "name": "Microsoft.Network.dnsResolvers",
                  "properties": {
                    "serviceName": "Microsoft.Network/dnsResolvers"
                  }
                }
              ]
            }
          },
          {
            "name": "[parameters('outboundSubnet')]",
            "properties": {
              "addressPrefix": "[parameters('outboundAddressPrefix')]",
              "delegations": [
                {
                  "name": "Microsoft.Network.dnsResolvers",
                  "properties": {
                    "serviceName": "Microsoft.Network/dnsResolvers"
                  }
                }
              ]
            }
          }
        ]
      }
    }
  ]
}

Seven resources are defined in this template:

Deploy the template

read -p "Enter the location: " location
resourceGroupName="exampleRG"
templateUri="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.network/azure-dns-private-resolver/azuredeploy.json"

az group create \
--name $resourceGroupName \
--locataion $location

az deployment group create \
--resource-group $resourceGroupName \
--template-uri $templateUri

Validate the deployment

  1. Sign in to the Azure portal.

  2. Select Resource groups from the left pane.

  3. Select the resource group that you created in the previous section.

  4. The resource group should contain the following resources:

    DNS resolver resource group

  5. Select the DNS private resolver service to verify the provisioning and current state.

    DNS resolver page

  6. Select the Inbound Endpoints and Outbound Endpoints to verify that the endpoints are created and the outbound endpoint is associated with the forwarding ruleset.

    DNS resolver inbound endpoint

    DNS resolver outbound endpoint

  7. Select the Associated ruleset from the outbound endpoint page to verify the forwarding ruleset and rules creation.

    DNS resolver forwarding rule

  8. Verify the resolver Virtual network is linked with forwarding ruleset.

    DNS resolver VNet link

Next steps

In this quickstart, you created a virtual network and DNS private resolver. Now configure name resolution for Azure and on-premises domains.