This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 20%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECN%3C/text%3E%3C/svg%3E)
Hi MS support,
we need to check your recommendation on enabling Azure Firewall DNS proxy where custom DNS is used. We have HUB and Spoke model where APIM is used in spoke connecting to another public cloud provider via Azure Firewall(API calls). As per the documentation we have to enable and point AZ FW DNS IP as custom DNS forwarder. VNET DNS settings to AZ FW private IP. Is this the case or just default Azure DNS at DNS proxy is suffice given there is no VM involved. Reason for this configuration is to make use of FQDNs in network rules and what impact will it have in either cases ?
Hi,
You will need to perform 2 steps:
Reference: https://video2.skills-academy.com/en-us/azure/firewall/dns-settings
Regards,
Karthik Srinivas
Hi Karthink,
Thanks for the reply. But this is not what we are after and we have gone through that link multiple times. If we have VMs with our Spoke this would 101% work. But in our case we have API manger+ Event hub rely on VNET DNS settings. As per documentation we need to do those two things mentioned. what we want to know
1.) Does this set up is the recommend when it comes to APIM where it rely purely on VNET DNS settings ?
2.) what impact it will have if we just enable DNS proxy with default Azure DNS keeping spoke DNS as it is which is custom DNS
All the VNET resources will get to know the DNS server from the VNET DNS Settings. So, yes that is mandatory if you want to send the DNS query to Azure Firewall.
Once the DNS request reaches Azure firewall, it validates and then if you want the DNS query to be forwarded to a custom DNS server, you will need to specify that in the Azure Firewall custom DNS settings.
If you just enable Azure firewall DNS Proxy, then the DNS queries will be sent to Firewall first and then Azure DNS will resolve the DNS query.
just to confirm here "If you just enable Azure firewall DNS Proxy, then the DNS queries will be sent to Firewall first and then Azure DNS will resolve the DNS query."
you mean we just enable azure DNS proxy with default azure dns and not update VNETs or FW with Custom DNS ?
If you want to forward DNS queries to Azure Firewall, you will need to add firewall private ip in the DNS settings of the vnet. Only then the dns queries will reach the firewall. In the Firewall settings you can choose to use Azure DNS.