Mulai Cepat: Membuat Pemecah Masalah Privat Azure DNS menggunakan Bicep
Mulai cepat ini menjelaskan cara menggunakan Bicep untuk membuat Azure DNS Private Resolver.
Bicep adalah bahasa pemrogram khusus domain (DSL) yang menggunakan sintaks deklaratif untuk menyebarkan sumber daya Azure. Bicep menyediakan sintaks ringkas, keamanan jenis yang andal, dan dukungan untuk penggunaan kembali kode. Bicep menawarkan pengalaman penulisan terbaik untuk solusi infrastructure-as-code di Azure.
Gambar berikut ini meringkas penyiapan umum yang digunakan. Rentang alamat subnet yang digunakan dalam templat sedikit berbeda dari yang ditunjukkan pada gambar.
Prasyarat
Jika Anda tidak memiliki langganan Azure, buat akun gratis sebelum Anda memulai.
Tinjau file Bicep
File Bicep yang digunakan dalam mulai cepat berasal dari Templat Mulai Cepat Azure.
File Bicep ini dikonfigurasi untuk membuat:
- Jaringan virtual
- Penyelesai DNS
- Titik akhir masuk & keluar
- Aturan penerusan & aturan.
@description('name of the new virtual network where DNS resolver will be created')
param resolverVNETName string = 'dnsresolverVNET'
@description('the IP address space for the resolver virtual network')
param resolverVNETAddressSpace string = '10.7.0.0/24'
@description('name of the dns private resolver')
param dnsResolverName string = 'dnsResolver'
@description('the location for resolver VNET and dns private resolver - Azure DNS Private Resolver available in specific region, refer the documenation to select the supported region for this deployment. For more information https://docs.microsoft.com/azure/dns/dns-private-resolver-overview#regional-availability')
@allowed([
'australiaeast'
'uksouth'
'northeurope'
'southcentralus'
'westus3'
'eastus'
'northcentralus'
'westcentralus'
'eastus2'
'westeurope'
'centralus'
'canadacentral'
'brazilsouth'
'francecentral'
'swedencentral'
'switzerlandnorth'
'eastasia'
'southeastasia'
'japaneast'
'koreacentral'
'southafricanorth'
'centralindia'
'westus'
'canadaeast'
'qatarcentral'
'uaenorth'
'australiasoutheast'
'polandcentral'
])
param location string
@description('name of the subnet that will be used for private resolver inbound endpoint')
param inboundSubnet string = 'snet-inbound'
@description('the inbound endpoint subnet address space')
param inboundAddressPrefix string = '10.7.0.0/28'
@description('name of the subnet that will be used for private resolver outbound endpoint')
param outboundSubnet string = 'snet-outbound'
@description('the outbound endpoint subnet address space')
param outboundAddressPrefix string = '10.7.0.16/28'
@description('name of the vnet link that links outbound endpoint with forwarding rule set')
param resolvervnetlink string = 'vnetlink'
@description('name of the forwarding ruleset')
param forwardingRulesetName string = 'forwardingRule'
@description('name of the forwarding rule name')
param forwardingRuleName string = 'contosocom'
@description('the target domain name for the forwarding ruleset')
param DomainName string = 'contoso.com.'
@description('the list of target DNS servers ip address and the port number for conditional forwarding')
param targetDNS array = [
{
ipaddress: '10.0.0.4'
port: 53
}
{
ipaddress: '10.0.0.5'
port: 53
}
]
resource resolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
name: dnsResolverName
location: location
properties: {
virtualNetwork: {
id: resolverVnet.id
}
}
}
resource inEndpoint 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
parent: resolver
name: inboundSubnet
location: location
properties: {
ipConfigurations: [
{
privateIpAllocationMethod: 'Dynamic'
subnet: {
id: '${resolverVnet.id}/subnets/${inboundSubnet}'
}
}
]
}
}
resource outEndpoint 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
parent: resolver
name: outboundSubnet
location: location
properties: {
subnet: {
id: '${resolverVnet.id}/subnets/${outboundSubnet}'
}
}
}
resource fwruleSet 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
name: forwardingRulesetName
location: location
properties: {
dnsResolverOutboundEndpoints: [
{
id: outEndpoint.id
}
]
}
}
resource resolverLink 'Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks@2022-07-01' = {
parent: fwruleSet
name: resolvervnetlink
properties: {
virtualNetwork: {
id: resolverVnet.id
}
}
}
resource fwRules 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = {
parent: fwruleSet
name: forwardingRuleName
properties: {
domainName: DomainName
targetDnsServers: targetDNS
}
}
resource resolverVnet 'Microsoft.Network/virtualNetworks@2022-01-01' = {
name: resolverVNETName
location: location
properties: {
addressSpace: {
addressPrefixes: [
resolverVNETAddressSpace
]
}
enableDdosProtection: false
enableVmProtection: false
subnets: [
{
name: inboundSubnet
properties: {
addressPrefix: inboundAddressPrefix
delegations: [
{
name: 'Microsoft.Network.dnsResolvers'
properties: {
serviceName: 'Microsoft.Network/dnsResolvers'
}
}
]
}
}
{
name: outboundSubnet
properties: {
addressPrefix: outboundAddressPrefix
delegations: [
{
name: 'Microsoft.Network.dnsResolvers'
properties: {
serviceName: 'Microsoft.Network/dnsResolvers'
}
}
]
}
}
]
}
}
Tujuh sumber daya didefinisikan dalam templat ini:
- Microsoft.Network/virtualnetworks
- Microsoft.Network/dnsResolvers
- Microsoft.Network/dnsResolvers/inboundEndpoints
- Microsoft.Network/dnsResolvers/outboundEndpoints
- Microsoft.Network/dnsForwardingRulesets
- Microsoft.Network/dnsForwardingRulesets/forwardingRules
- Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks
Menerapkan file Bicep
- Simpan file Bicep sebagai main.bicep ke penyimpanan lokal komputer Anda.
- Menyebarkan file Bicep menggunakan Azure CLI atau Azure PowerShell
az group create --name exampleRG --location eastus
az deployment group create --resource-group exampleRG --template-file main.bicep
Setelah penyebaran selesai, Anda akan melihat pesan yang menunjukkan penyebaran berhasil.
Memvalidasi penyebaran
Gunakan portal Microsoft Azure, Azure CLI, atau Azure PowerShell untuk mencantumkan sumber daya yang disebarkan di grup sumber daya.
#Show the DNS resolver
az dns-resolver show --name "sampleDnsResolver" --resource-group "sampleResourceGroup"
#List the inbound endpoint
az dns-resolver inbound-endpoint list --dns-resolver-name "sampleDnsResolver" --resource-group "sampleResourceGroup"
#List the outbound endpoint
az dns-resolver outbound-endpoint list --dns-resolver-name "sampleDnsResolver" --resource-group "sampleResourceGroup"
Membersihkan sumber daya
Jika tidak lagi diperlukan, gunakan portal Azure, Azure CLI, atau Azure PowerShell untuk menghapus sumber daya dalam urutan berikut.
Hapus resolver DNS
#Delete the inbound endpoint
az dns-resolver inbound-endpoint delete --dns-resolver-name "sampleDnsResolver" --name "sampleInboundEndpoint" --resource-group "exampleRG"
#Delete the virtual network link
az dns-resolver vnet-link delete --ruleset-name "sampleDnsForwardingRuleset" --resource- group "exampleRG" --name "sampleVirtualNetworkLink"
#Delete DNS forwarding ruleset
az dns-resolver forwarding-ruleset delete --name "samplednsForwardingRulesetName" --resource-group "exampleRG"
#Delete the outbound endpoint
az dns-resolver outbound-endpoint delete --dns-resolver-name "sampleDnsResolver" --name "sampleOutboundEndpoint" --resource-group "exampleRG"
#Delete the DNS resolver
az dns-resolver delete --name "sampleDnsResolver" --resource-group "exampleRG"
Langkah berikutnya
Dalam mulai cepat ini, Anda membuat jaringan virtual dan pemecah masalah privat DNS. Sekarang konfigurasikan resolusi nama untuk domain Azure dan lokal.