DDI in a Hybrid, Multi-Cloud World
Market research shows that organizations are increasingly adopting a multi-cloud strategy. A recent Forrester report [1] found 86% of respondents identified as “multi-cloud,” which Forrester described as, “Using multiple public and private clouds for different application workloads,” “leveraging multiple cloud technologies at once,” “using public cloud in parallel with traditional non-cloud systems,” and “using multiple public clouds simultaneously for different workloads.”
Why are organizations adopting multi-cloud strategies? According to a recent SANS 2022 Multicloud Survey [2], organizations value cloud agnosticism, running apps on multiple cloud providers to avoid vendor lock-in. They also want to leverage the best services at the best price to maximize time to value and cost savings. Another motivating factor is the ability to use innovative features and unique vendor service offerings. Finally, some organizations become multi-cloud through mergers and acquisitions (M&A).
Fortunately, Infoblox NIOS is designed to meet the challenges of hybrid and multi-cloud strategies, with options to deploy enterprise-grade DNS, DHCP, and IP address management (DDI) across your entire environment. NIOS stands on its own as a full solution for DDI services in hybrid/multi-cloud environments. However, it can become even more powerful when integrated with cloud provider services. For example, the SANS Survey [2] identified taking advantage of innovative features and unique vendor service offerings as a motivation. One of those unique features that integrates well with Infoblox NIOS is Azure Private Link and Private DNS.
Azure Private Link and Private DNS
Azure Private Link allows you to connect privately to many types of services within Azure without sending data through the public internet. Azure Private DNS works alongside Private Link, providing the DNS zones and records needed to resolve the addresses for these privately accessible services. These two services are designed to work together and should be used together whenever possible. But, by default, Azure Private DNS zones can only be resolved by clients running in Azure virtual networks (VNet). If you want to make these services available for clients on-prem or in another cloud, you will need to use a DNS platform such as NIOS to solve this hybrid/multi-cloud challenge.
So, how do we accomplish this with Infoblox NIOS?
As an example scenario, I have a single Azure Private DNS zone containing a record for the private endpoint of a storage account. I have some VMs running in another cloud or on-premises data center, which need to access this storage account via a private connection, a site-to-site VPN in this case. The other cloud or data center has a NIOS member serving DNS.
In the screenshot below, you can see my Private DNS zone, containing the A record for storaccountprivate.privatelink.blob.core.windows.net.
In Azure, I will need an Infoblox virtual appliance, in a VNet linked to the private DNS zone. This NIOS member can act as a DNS server for clients in Azure as well as a forwarder for Azure Private DNS zones. For guidance on deploying Infoblox vNIOS for Azure, refer to the documentation.
To set up the forwarding zone in NIOS, on the Data Management -> DNS tab, use the Add dropdown in the toolbar to select Zone -> Forward Zone.
On step 1 of the Add Forward Zone Wizard, select Add a forward-mapping zone.
In step 2, add the name of the forward zone. In this example, I use the name blob.core.windows.net, the public DNS zone whose names alias (via CNAME) into the private zone privatelink.blob.core.windows.net. For a full list of public-to-private zone name mappings for Azure Private Link, refer to the Azure documentation.
In step 3, add the Infoblox virtual appliance in Azure as the default zone forwarder for this zone.
In step 4, add name servers that will be used to forward this zone. Include the Infoblox virtual appliance in Azure as one of the name servers.
Select the Infoblox member running in Azure and select the Edit icon. In the Edit Per-Member Forwarders window, select the checkbox for Override Default Forwarders. Add the Azure DNS IP, 168.63.129.16, as a forwarder. Save and close this window.
With this configuration, all listed name servers other than the vNIOS running in Azure will forward queries for blob.core.windows.net to the vNIOS in Azure. The vNIOS in Azure will forward queries for blob.core.windows.net to the Azure DNS resolver, where a CNAME will point to a record in the private DNS zone, privatelink.blob.core.windows.net.
Save and close the wizard. Restart services as prompted. At this point, we are ready to test the configuration. I’ll use dig, pointing to the IP of my NIOS name server, on an Ubuntu client to resolve my storage account at storaccountprivate.blob.core.windows.net.
As seen in the screenshot, I can resolve the private address for the storage account.
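To turn the dig check above into a repeatable test, here is an added Python example; it is not Infoblox code and is not part of the original post. It parses the answer section of `dig +noall +answer`, follows the CNAME chain from the public name and confirms that the final A record is owned by the privatelink zone and falls inside the VNet range that hosts the private endpoint. The dig output, the backend host name, the VNet range and all addresses below are constructed. If the name instead resolves to a public address, queries are not reaching the Azure private zone through the forwarding chain, and the client would reach the storage account over the public path rather than Private Link.

```python
"""Check that a storage-account name resolves to its Private Link endpoint.

Added example (not Infoblox code). The parser works on the answer section
printed by `dig +noall +answer <name> @<nios-ip>`; samples are constructed.
"""
import ipaddress
import re
import subprocess

# Constructed sample: answer when the forward zone reaches the Azure private zone.
SAMPLE_PRIVATE = """\
storaccountprivate.blob.core.windows.net. 60 IN CNAME storaccountprivate.privatelink.blob.core.windows.net.
storaccountprivate.privatelink.blob.core.windows.net. 10 IN A 10.10.1.4
"""

# Constructed sample: the same query answered by public DNS (forwarding not in effect).
# The backend host name and 203.0.113.10 (TEST-NET-3) are placeholders.
SAMPLE_PUBLIC = """\
storaccountprivate.blob.core.windows.net. 60 IN CNAME storaccountprivate.privatelink.blob.core.windows.net.
storaccountprivate.privatelink.blob.core.windows.net. 60 IN CNAME blob.examplebackend.store.core.windows.net.
blob.examplebackend.store.core.windows.net. 60 IN A 203.0.113.10
"""

# One resource record per line: owner TTL IN TYPE RDATA (only A and CNAME are kept).
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME)\s+(\S+)\s*$")


def parse_answer(text):
    """Return [(owner, type, rdata)] with names lower-cased and trailing dots removed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and dig comments
        m = RR_RE.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records.append((owner.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()))
    return records


def follow_chain(records, name):
    """Follow CNAMEs starting at name; return (names visited, A addresses of the last name)."""
    name = name.rstrip(".").lower()
    chain, seen = [name], {name}
    while True:
        targets = [r for o, t, r in records if o == name and t == "CNAME"]
        if not targets:
            break
        name = targets[0]
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        chain.append(name)
    addrs = [r for o, t, r in records if o == name and t == "A"]
    return chain, addrs


def check_private_link(answer_text, name, private_zone, vnet_cidr):
    """Classify an answer as 'private', 'public' or 'none'.

    'private': the chain ends in private_zone and every A record is inside vnet_cidr.
    'public' : addresses were returned but not from the private endpoint.
    'none'   : no A record was found.
    """
    chain, addrs = follow_chain(parse_answer(answer_text), name)
    if not addrs:
        return "none"
    net = ipaddress.ip_network(vnet_cidr)
    ends_in_private_zone = chain[-1].endswith("." + private_zone.rstrip(".").lower())
    if ends_in_private_zone and all(ipaddress.ip_address(a) in net for a in addrs):
        return "private"
    return "public"


def resolve_with_dig(name, server):
    """Run dig against a NIOS member and return the raw answer section (needs dig installed)."""
    out = subprocess.run(["dig", "+noall", "+answer", name, "@" + server],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Run against the constructed samples; swap in resolve_with_dig(name, "<nios-ip>") for a live check.
    for label, sample in (("via NIOS -> Azure DNS", SAMPLE_PRIVATE), ("via public DNS", SAMPLE_PUBLIC)):
        verdict = check_private_link(sample, "storaccountprivate.blob.core.windows.net",
                                     "privatelink.blob.core.windows.net", "10.10.0.0/16")
        print("%-22s %s" % (label, verdict))
```

Run it as-is to see the two verdicts on the constructed samples; for a live check, replace the sample text with `resolve_with_dig(name, "<nios-ip>")` from a client on-prem or in the other cloud, and use the address space of the VNet that contains the private endpoint as `vnet_cidr`.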
Conclusion
Hybrid and multi-cloud strategies are here to stay. If you aren’t using one now, you probably will be in the near future. Infoblox NIOS is designed to operate and integrate into these environments. Using Infoblox NIOS alongside cloud offerings like Azure Private Link gives you the power of the cloud with the stability and ease of management from NIOS.
Endnotes
1. Forrester, 2018: “Multi-cloud: Everything You Need to Know About the Biggest Trend in Cloud Computing.”
2. SANS 2022 Multicloud Survey: “Exploring the World of Multicloud,” Dec. 2022.