Unable to use Azure Private Endpoints with On-Prem DNS server!!

I have come across a use case where I want to connect to an Azure database service such as SQL using a Private Endpoint, and the connection is initiated from an on-prem VM that points to my on-prem local DNS server.

* You should already have connectivity between the Azure network and on-prem via ExpressRoute or VPN

Problem Statement

You have your local on-prem DNS server, and when you try to connect to Azure services through a private endpoint the connection fails. If your on-prem DNS forwards queries to public DNS servers, you get the public IP of your Azure resource and cannot reach the service on its private IP, because your on-prem DNS cannot resolve the endpoint DNS name to its associated private IP address. That defeats the whole purpose of using private endpoints.

Solution

You need to set up your infrastructure to make this happen. Below are the steps:

  1. Set up conditional forwarding on your on-prem DNS server to forward queries for the specific domain to the forwarder server created in Azure (step 2).
    • The conditional forwarder must be created for the public DNS zone name, e.g. database.windows.net, not for privatelink.database.windows.net
  2. Create a DNS forwarder VM in Azure and configure it to forward all queries to the Azure default DNS server
  3. Create a Private DNS Zone for the endpoint domain name, linked to the same VNet as your Azure DNS forwarder VM, and create an A record with the private endpoint information (FQDN record name and private IP address)
    • The Private DNS zone is the resource the Azure DNS server consults to resolve the DB FQDN to its private endpoint IP address.

** Important point to know: Azure doesn’t allow access to its default DNS server (169.63.129.16) from any server outside Azure. This is the only reason we need to create a forwarder VM in Azure.

Figure: Architecture for using on-prem DNS to resolve an Azure Private Endpoint (on-premises forwarding to Azure DNS)
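To confirm the set-up actually works from the on-prem side, here is an added check (not part of the original post) that queries a chosen resolver directly for the database FQDN and reports whether the answer lands inside the VNet range, i.e. whether that DNS server hands back the private endpoint address or the public one. It uses only the Python standard library, so it runs anywhere; the resolver address, FQDN and VNet CIDR are placeholder assumptions, and the sample answers it demonstrates on are constructed.

```python
"""Check that a resolver returns the private-endpoint address for an Azure PaaS FQDN.

Added example, not part of the original post. A minimal DNS A query is built,
sent to the chosen resolver over UDP and parsed, all with the standard library.
RESOLVER, FQDN and VNET_CIDR are assumed values for illustration.
"""
import ipaddress
import socket
import struct

RESOLVER = "10.10.0.10"                 # assumed on-prem DNS server
FQDN = "mydb.database.windows.net"      # assumed SQL server public FQDN
VNET_CIDR = "10.1.0.0/16"               # assumed VNet holding the private endpoint


def encode_name(fqdn):
    """Encode a dotted name as length-prefixed DNS labels (RFC 1035)."""
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in fqdn.rstrip(".").split(".")) + b"\x00"


def build_query(fqdn, txid=0x1234):
    """Standard recursive (RD=1) A/IN query."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack("!HH", 1, 1)


def build_response(fqdn, ipv4, txid=0x1234):
    """Constructed answer message, used only for the offline demo and tests."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(fqdn) + struct.pack("!HH", 1, 1)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ipv4)
    return header + question + answer


def _skip_name(msg, off):
    """Return the offset just past a possibly compressed domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # a pointer is two bytes and ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """IPv4 addresses in the answer section; empty list on NXDOMAIN/SERVFAIL."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                   # non-zero RCODE
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def classify(addrs, vnet_cidr):
    """'private-endpoint' if every address is inside the VNet, else 'public'; 'no-answer' if empty."""
    if not addrs:
        return "no-answer"
    net = ipaddress.ip_network(vnet_cidr)
    return "private-endpoint" if all(ipaddress.ip_address(a) in net for a in addrs) else "public"


def resolve_a(fqdn, resolver, timeout=3.0):
    """Ask the given resolver for A records and return them."""
    query = build_query(fqdn)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_a_records(data)


if __name__ == "__main__":
    # Offline demo on constructed answers: a VNet address and a public (TEST-NET) address.
    for ip in ("10.1.2.4", "203.0.113.10"):
        print(ip, "->", classify(parse_a_records(build_response(FQDN, ip)), VNET_CIDR))
    # Live check from an on-prem host (uncomment when the resolver is reachable):
    # print(classify(resolve_a(FQDN, RESOLVER), VNET_CIDR))
```

Run the live check on an on-prem host and expect `private-endpoint`. A `public` result means the conditional forwarder is missing or was created for the privatelink zone rather than the public zone name; pointing the script at the Azure forwarder VM's address instead narrows down which hop is misconfigured.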

SAM 101 – Build and Deploy your Lambda Function Using AWS SAM

Hello!

I came across a use case where I had to deploy a CloudFormation template that creates a Lambda resource under my AWS account.

To provide the Lambda function code to the CFN template I have two options:

  1. Use an inline Lambda function inside the CFN template.
  2. Use the Serverless Application Model (SAM): store the Lambda function artifacts in S3 and reference them through CodeUri in the CFN template.

An inline function is the straightforward approach, but the code is limited to 4 KB.

I will explain in this blog how to use SAM as an extension of AWS CloudFormation.

Note: A serverless application is more than just a Lambda function; it can include additional resources such as APIs, databases and event source mappings.

SAM Deployment

Note: Make sure you have the SAM CLI installed on your machine. I use Visual Studio Code with the AWS CLI.

  • Download a sample application

# sam init

You will see a sample app folder structure created with the name sam_app under your current folder.


  • Add your application code and update CloudFormation Template
    • Lambda Function – Added a folder under sam_app by the name myLambda containing my Lambda function (ssm_Lambda.py) and a requirements.txt file.
    • CloudFormation Template – Replaced the existing template.yaml with my CFN template, which creates a Lambda resource from the function defined under the myLambda folder (note CodeUri: myLambda/)


  • Build your application

# sam build

The ‘sam build’ command iterates through the functions in your application, looks for a manifest file (such as requirements.txt) that lists the dependencies, and automatically creates the deployment artifacts.


A new folder named build, containing all the artifacts, is created under .aws-sam


  • Package application

# sam package --s3-bucket abhishek-bucket-lambda --output-template-file template-with-artifacts.yaml --no-verify-ssl

This packages an AWS SAM application: it creates a ZIP file of your code and dependencies and uploads it to Amazon S3. It then returns a copy of your AWS SAM template in which references to local artifacts are replaced with the Amazon S3 location the command uploaded them to. (The screenshots show the ZIP file uploaded by the command above and the resulting SAM template template-with-artifacts.yaml.) Note that --no-verify-ssl turns off TLS certificate verification for these calls and should be omitted unless a corporate proxy makes it unavoidable.



  • Deploy Stack with SAM CLI

# sam deploy --stack-name "Sample-CFN-Stack" --s3-bucket abhishek-bucket-lambda --capabilities CAPABILITY_NAMED_IAM --template-file template-with-artifacts.yaml --region "eu-west-1" --no-verify-ssl

Alternatively, you can deploy the stack with the CloudFormation CLI:

# aws cloudformation deploy --template-file C:\Users\abhishek\sam-app\template-with-artifacts.yaml --stack-name "Sample-CFN-Stack"

The CloudFormation stack is now deployed, and it has created the Lambda resource as well.
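Between the package and deploy steps it pays to look at what template-with-artifacts.yaml actually contains before acknowledging CAPABILITY_NAMED_IAM. The following script is an added example, not part of the original post and not a feature of the SAM CLI: it scans the packaged template line by line and flags any CodeUri that still points at a local path (the upload did not happen) and any inline IAM statement whose Action or Resource is a wildcard. The two embedded sample templates are constructed for illustration; the bucket name is the one from the post and the parameter ARN and S3 key are placeholders.

```python
"""Pre-deploy checks on the template written by `sam package`.

Added example, not part of the original post or of the SAM CLI. It scans the
packaged template line by line (no YAML library needed) and reports any CodeUri
still pointing at a local path and any inline IAM statement with a wildcard
Action or Resource. Both sample templates below are constructed for illustration.
"""
import re
import sys

CODEURI_RE = re.compile(r"^\s*CodeUri:\s*(\S+)")
KEY_RE = re.compile(r"^(\s*)(?:-\s+)?(Action|Resource):\s*(.*?)\s*$")
ITEM_RE = re.compile(r"^(\s*)-\s+(.+?)\s*$")

SAMPLE_OK = """\
Transform: AWS::Serverless-2016-10-31
Resources:
  SsmFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: ssm_Lambda.lambda_handler
      Runtime: python3.9
      CodeUri: s3://abhishek-bucket-lambda/0123456789abcdef
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - ssm:GetParameter
              Resource: arn:aws:ssm:eu-west-1:123456789012:parameter/app/db-password
"""

# Same function before packaging, with the kind of policy that deserves a second look.
SAMPLE_BAD = """\
Transform: AWS::Serverless-2016-10-31
Resources:
  SsmFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: ssm_Lambda.lambda_handler
      Runtime: python3.9
      CodeUri: myLambda/
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: "*"
              Resource: "*"
"""


def is_wildcard(value):
    """True for '*' or a service-wide 'svc:*'."""
    return value == "*" or value.endswith(":*")


def check_template(text):
    """Return [(line_no, finding), ...]; an empty list means the template passes."""
    findings = []
    pending = None  # (key, indent) while reading the list items of an Action:/Resource: key
    for no, line in enumerate(text.splitlines(), start=1):
        m = CODEURI_RE.match(line)
        if m:
            if not m.group(1).startswith("s3://"):
                findings.append((no, "CodeUri not packaged to S3: " + m.group(1)))
            continue
        m = KEY_RE.match(line)
        if m:
            indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("'\"")
            pending = None
            if value:
                if is_wildcard(value):
                    findings.append((no, f"wildcard {key}: {value}"))
            else:
                pending = (key, indent)      # the values follow as list items
            continue
        m = ITEM_RE.match(line)
        if pending and m and len(m.group(1)) >= pending[1]:
            value = m.group(2).strip("'\"")
            if is_wildcard(value):
                findings.append((no, f"wildcard {pending[0]}: {value}"))
            continue
        if line.strip():
            pending = None                   # any other non-blank line ends the list
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: python check_sam_template.py template-with-artifacts.yaml
        with open(sys.argv[1], encoding="utf-8") as fh:
            problems = check_template(fh.read())
        for no, msg in problems:
            print(f"{sys.argv[1]}:{no}: {msg}")
        sys.exit(1 if problems else 0)
    print("packaged sample:", check_template(SAMPLE_OK) or "clean")
    for no, msg in check_template(SAMPLE_BAD):
        print(f"unpackaged sample line {no}: {msg}")
```

The script exits non-zero when it finds anything, so it can sit in a pipeline between `sam package` and `sam deploy`. It deliberately stays line-based: block-style lists and scalars are covered, flow-style lists such as `Action: ['ssm:GetParameter', '*']` are not, and for a full parse of intrinsic functions and policy documents cfn-lint is the right tool.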

Cheers !!