# Governance Policies Azure Networking DNS Zones - Azure/az-prototype GitHub Wiki

## Governance policies for DNS Zones

Domain: azure-networking

### Pattern

| Name | Description |
|---|---|
| Private DNS Zone with VNet link and private endpoint | Private DNS zone for Azure service private endpoints with VNet resolution |

### Anti-patterns

| Description | Instead |
|---|---|
| Do not use public DNS for internal service communication | Use Azure Private DNS Zones linked to your VNet |
| Do not use custom DNS zone names for Azure private endpoints | Use the standard privatelink.* zone names documented by Microsoft |

### Checks

| Check | Severity | Description |
|---|---|---|
| AZ-DNS-001 | Required | Use Azure Private DNS Zones for internal name resolution within virtual networks |
| AZ-DNS-002 | Required | Link Private DNS Zones to all VNets that need resolution |
| AZ-DNS-003 | Required | Use standard private DNS zone names for Azure private endpoints |
| AZ-DNS-004 | Recommended | Configure public DNS zones with appropriate TTL values and DNSSEC when available |
| AZ-DNS-005 | Recommended | Enable diagnostic settings for DNS zone query logging |
### AZ-DNS-001: Use Azure Private DNS Zones for internal name resolution within virtual networks

- Severity: Required
- Rationale: Private DNS zones provide name resolution within VNets without exposing DNS records to the internet.
- Agents: terraform-agent, bicep-agent, cloud-architect
- Resource type: Microsoft.Network/dnsZones

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateDnsZones/virtualNetworkLinks | link-vnet | VNet link enabling DNS resolution from the virtual network |
| Microsoft.Network/privateEndpoints/privateDnsZoneGroups | default | DNS zone group auto-registering private endpoint A records |
### AZ-DNS-002: Link Private DNS Zones to all VNets that need resolution

- Severity: Required
- Rationale: Without VNet links, VMs and services in the VNet cannot resolve private DNS records.
- Agents: terraform-agent, bicep-agent, cloud-architect
- Resource type: Microsoft.Network/dnsZones

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateDnsZones | parent-zone | Parent private DNS zone that the VNet link attaches to |
| Microsoft.Network/virtualNetworks | vnet | Target virtual network to link to the private DNS zone |
### AZ-DNS-003: Use standard private DNS zone names for Azure private endpoints

- Severity: Required
- Rationale: Azure services expect specific zone names for private endpoint resolution (e.g., privatelink.blob.core.windows.net).
- Agents: terraform-agent, bicep-agent, cloud-architect
- Resource type: Microsoft.Network/dnsZones

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-service | Private endpoint for the Azure service requiring DNS resolution |
| Microsoft.Network/privateDnsZones/virtualNetworkLinks | link-vnet | VNet link enabling private DNS zone resolution from the virtual network |
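As an added example (not code from the az-prototype wiki or any of its agents), the following Python check evaluates a constructed resource inventory against AZ-DNS-001, AZ-DNS-002 and AZ-DNS-003: endpoints without a DNS zone group, zones without VNet links (or not linked to the endpoint's VNet), and zone names outside the `privatelink.*` convention. The simplified resource shapes, the `privatelink.` prefix test standing in for Microsoft's documented zone list, and all resource names are assumptions.

```python
"""Inventory check for AZ-DNS-001..003 (added example; resource shapes are a
simplified assumption, not the exact ARM schema)."""

PE_TYPE = "Microsoft.Network/privateEndpoints"
ZONE_TYPE = "Microsoft.Network/privateDnsZones"
VNET_TYPE = "Microsoft.Network/virtualNetworks"

# Constructed sample inventory: one compliant storage endpoint, one endpoint
# bound to a custom zone that has no VNet link, and one endpoint with no
# DNS zone group at all.
INVENTORY = [
    {"type": VNET_TYPE, "name": "vnet-hub"},
    {"type": ZONE_TYPE, "name": "privatelink.blob.core.windows.net",
     "vnetLinks": ["vnet-hub"]},
    {"type": ZONE_TYPE, "name": "blob.internal.contoso", "vnetLinks": []},
    {"type": PE_TYPE, "name": "pe-storage", "vnet": "vnet-hub",
     "dnsZoneGroup": ["privatelink.blob.core.windows.net"]},
    {"type": PE_TYPE, "name": "pe-sql", "vnet": "vnet-hub",
     "dnsZoneGroup": ["blob.internal.contoso"]},
    {"type": PE_TYPE, "name": "pe-kv", "vnet": "vnet-hub", "dnsZoneGroup": []},
]


def evaluate(inventory):
    """Return a list of (check_id, resource_name, message) findings."""
    zones = {r["name"]: r for r in inventory if r["type"] == ZONE_TYPE}
    findings = []
    # AZ-DNS-002: a private DNS zone nobody can resolve from is a dead zone.
    for zone in zones.values():
        if not zone["vnetLinks"]:
            findings.append(("AZ-DNS-002", zone["name"], "zone has no VNet link"))
    for pe in (r for r in inventory if r["type"] == PE_TYPE):
        # AZ-DNS-001: without a zone group no A record is auto-registered.
        if not pe["dnsZoneGroup"]:
            findings.append(("AZ-DNS-001", pe["name"], "no private DNS zone group"))
            continue
        for zone_name in pe["dnsZoneGroup"]:
            # AZ-DNS-003: assumption - the privatelink. prefix stands in for
            # the full list of Microsoft-documented zone names.
            if not zone_name.startswith("privatelink."):
                findings.append(("AZ-DNS-003", pe["name"], f"non-standard zone {zone_name}"))
            # AZ-DNS-002: the endpoint's own VNet must be linked to its zone.
            zone = zones.get(zone_name)
            if zone is not None and pe["vnet"] not in zone["vnetLinks"]:
                findings.append(("AZ-DNS-002", pe["name"], f"{pe['vnet']} not linked to {zone_name}"))
    return findings


if __name__ == "__main__":
    for check, name, msg in evaluate(INVENTORY):
        print(f"{check} {name}: {msg}")
```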
### AZ-DNS-004: Configure public DNS zones with appropriate TTL values and DNSSEC when available

- Severity: Recommended
- Rationale: Low TTL enables faster failover; DNSSEC prevents DNS spoofing for public zones.
- Agents: terraform-agent, bicep-agent, cloud-architect
- Resource type: Microsoft.Network/dnsZones

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/diagnosticSettings | diag-dns | Diagnostic settings routing DNS query logs to Log Analytics |
### AZ-DNS-005: Enable diagnostic settings for DNS zone query logging

- Severity: Recommended
- Rationale: Query logs help with troubleshooting resolution issues and detecting anomalous patterns.
- Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Resource type: Microsoft.Network/dnsZones

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace as destination for DNS zone query logs |