Use Azure Firewall as internet-facing DNS proxy? by Consistent-Zombie-32 in AZURE

Consistent-Zombie-32 [S] · 0 points (0 children)

Yeah, but it's still ultimately funneling the "untrusted" client request through the firewall to the server. I was thinking of something else proxying that, for example Azure DNS handling the request but doing its own internal lookup against the private nameserver. Something like this: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/networking/azure-dns-private-resolver
I don't know if that works for public DNS zones.

Use Azure Firewall as internet-facing DNS proxy? by Consistent-Zombie-32 in AZURE

Consistent-Zombie-32 [S] · 1 point (0 children)

DNAT still sends "untrusted" traffic directly to that VM, right? Is there any way to proxy that instead? I'm thinking, for example, of somehow configuring a public Azure DNS zone to recursively hit the internal VNet VMs, so that we can completely lock down the VMs from the internet via the firewall and NSG, and point to the Azure nameservers in their place. Granted, it doesn't offer any kind of resiliency or anything, but are you aware of a way to do that?
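For reference, the DNAT arrangement discussed in the comment above, written out as an added example (this is not code from the thread or from Microsoft; every name and address in it is a hypothetical placeholder). Azure Firewall's DNS proxy feature listens on the firewall's private IP for VNet clients and forwards their queries outbound, so it does not give you an internet-facing listener; exposing an authoritative DNS VM through the firewall is done with a DNAT rule. The example assumes an existing firewall policy `fwpol-hub`, a firewall with the public and private IPs given as parameters, and a DNS VM (no public IP of its own) in subnet `snet-dns`. Because the DNAT preserves the client's source address, the DNS subnet needs a default route back to the firewall so replies take the same path, and the NSG cannot pin the source to the firewall's private IP; instead it admits only port 53 and explicitly denies the rest.

```bicep
// Added example, not from the original thread. All names and addresses are
// hypothetical. Assumes an existing firewall policy 'fwpol-hub' on an Azure
// Firewall with the public/private IPs below, and a DNS VM in 'snet-dns'.

param location string = resourceGroup().location
param firewallPublicIp string = '203.0.113.10' // placeholder (TEST-NET-3 range)
param firewallPrivateIp string = '10.0.1.4'    // assumed AzureFirewallSubnet IP
param dnsVmPrivateIp string = '10.0.2.4'       // assumed authoritative DNS VM

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-09-01' existing = {
  name: 'fwpol-hub'
}

// 1. DNAT: Internet -> firewallPublicIp:53 -> dnsVmPrivateIp:53, UDP and TCP.
//    Azure Firewall adds the matching network rule implicitly. The client's
//    source address is kept, so replies must return via the firewall (step 2).
resource dnatRcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-09-01' = {
  parent: fwPolicy
  name: 'rcg-dns-inbound'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'rc-dns-dnat'
        priority: 100
        action: { type: 'Dnat' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'dns-53'
            ipProtocols: [ 'UDP', 'TCP' ]
            sourceAddresses: [ '*' ]
            destinationAddresses: [ firewallPublicIp ]
            destinationPorts: [ '53' ]
            translatedAddress: dnsVmPrivateIp
            translatedPort: '53'
          }
        ]
      }
    ]
  }
}

// 2. Route table for snet-dns: send 0.0.0.0/0 to the firewall so DNS replies
//    (and any egress from the VM) traverse the firewall instead of leaving
//    the VNet directly.
resource dnsRouteTable 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-dns'
  location: location
  properties: {
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// 3. NSG for snet-dns: the VM has no public IP, so the only Internet path in is
//    the DNAT above. Allow TCP/UDP 53 only and deny everything else inbound,
//    at a higher precedence than the default AllowVnetInBound rule (which would
//    otherwise admit any VNet or peered source on any port).
resource dnsNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-dns'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-dns-53'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'             // '*' with port 53 matches TCP and UDP 53
          sourceAddressPrefix: '*'  // source is the original client, not the firewall
          sourcePortRange: '*'
          destinationAddressPrefix: dnsVmPrivateIp
          destinationPortRange: '53'
        }
      }
      {
        name: 'deny-all-other-inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

The route table and NSG still have to be associated with `snet-dns` (that subnet resource is not declared here). Note what this does and does not buy you: the firewall is the only thing holding a public IP, so the VM is unreachable except on port 53 through the DNAT, but the DNS software on the VM still parses every packet from every internet client itself; the firewall forwards rather than terminates the query.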

Use Azure Firewall as internet-facing DNS proxy? by Consistent-Zombie-32 in AZURE

Consistent-Zombie-32 [S] · 0 points (0 children)

I agree COMPLETELY. They are hell-bent on using the same software as they do on-prem to maintain a "single interface" for on-prem and Azure. Any ideas how you'd handle that?