1. DNS for Azure Private Link Service and AI Workloads


    To configure DNS for Azure Private Link Service and integrate it with AI Workloads in Azure, you'll need to define a Private DNS zone that corresponds to the namespace of the Azure service you want to access via Private Link. Then, you'll set up a DNS configuration to resolve the private endpoint connections within your virtual network. The AI Workloads can communicate over this private endpoint, which is not exposed to the public internet.

    Below is a Pulumi program written in Python that demonstrates setting up DNS for Azure Private Link Service and configuring it for AI Workloads. This program does the following:

    1. Creates a private DNS zone in Azure.
    2. Links the private DNS zone to the virtual network.
    3. Creates a Private Link Service (PLS) that is associated with a given Azure resource to enable access to Azure services via Private Link.
    4. Configures the DNS settings within the Azure Virtual Network to use the private DNS zone for name resolution.

    Let's take a look at the program:

    import pulumi
    import pulumi_azure_native as azure_native

    # Create the resource group that will hold the private DNS zone and the Private Link Service.
    resource_group = azure_native.resources.ResourceGroup("my-resource-group")

    # Create an Azure Private DNS Zone for a specific Azure service namespace.
    # Replace 'privatelink.blob.core.windows.net' with the namespace of the Azure service you are using.
    private_dns_zone = azure_native.network.PrivateZone(
        "my-private-dns-zone",
        resource_group_name=resource_group.name,
        private_zone_name="privatelink.blob.core.windows.net",  # The namespace for the Azure Blob storage service.
        location="global",
    )

    # Link the DNS zone to a virtual network.
    # Assumes an existing virtual network to associate with the DNS zone for name resolution.
    # You should replace 'my-vnet' and 'my-vnet-rg' with your own virtual network and its resource group name.
    vnet_link = azure_native.network.VirtualNetworkLink(
        "my-vnet-link",
        resource_group_name=resource_group.name,
        private_zone_name=private_dns_zone.name,
        virtual_network_link_name="link1",
        location="global",  # Private DNS zones and their links are global resources.
        virtual_network=azure_native.network.SubResourceArgs(
            id="/subscriptions/<subscription-id>/resourceGroups/my-vnet-rg/providers/Microsoft.Network/virtualNetworks/my-vnet"
        ),
        registration_enabled=False,  # Set to True if the zone should automatically register DNS records for VMs in the linked vnet.
    )

    # Create a Private Link Service so that the resource behind it can be accessed over Private Link.
    # Which resource sits behind it depends on your AI workload.

    # Subscription ID, taken from the resource group ID (/subscriptions/<id>/resourceGroups/<name>).
    subscription_id = resource_group.id.apply(lambda rg_id: rg_id.split("/")[2])

    # First, define the IP configuration for the Private Link Service. Replace with actual subnet ID.
    # This is an inline argument of the service, not a standalone resource.
    ip_configuration = azure_native.network.PrivateLinkServiceIpConfigurationArgs(
        name="testIpConfiguration",
        subnet=azure_native.network.SubnetArgs(
            id="<subnet-id>"  # The ID of the subnet for the IP configuration.
        ),
        private_ip_allocation_method="Dynamic",  # or 'Static' if you are assigning a specific IP address.
    )

    # Then, create the Private Link Service.
    private_link_service = azure_native.network.PrivateLinkService(
        "my-private-link-service",
        location=resource_group.location,
        resource_group_name=resource_group.name,
        # Only this subscription is auto-approved and can see the service.
        auto_approval=azure_native.network.PrivateLinkServicePropertiesAutoApprovalArgs(
            subscriptions=[subscription_id]
        ),
        visibility=azure_native.network.PrivateLinkServicePropertiesVisibilityArgs(
            subscriptions=[subscription_id]
        ),
        ip_configurations=[ip_configuration],
        # A Private Link Service is attached to a Standard Load Balancer frontend. Replace with the actual ID.
        load_balancer_frontend_ip_configurations=[
            azure_native.network.FrontendIPConfigurationArgs(
                id="<load-balancer-frontend-ip-configuration-id>"
            )
        ],
    )

    pulumi.export("private_dns_zone_id", private_dns_zone.id)
    pulumi.export("vnet_link_id", vnet_link.id)
    pulumi.export("private_link_service_id", private_link_service.id)

    Explaining the Program

    • First, we create a resource group in Azure to organize all of the resources we create. In the example, it is labeled as "my-resource-group".
    • We then create a Private DNS Zone for a specific Azure service namespace which Private Link will use. In this program, we've assumed you're setting up DNS for Azure Blob Storage and thus used privatelink.blob.core.windows.net.
    • Next, we link the newly created DNS zone to an existing virtual network (VNet) in your Azure environment (labeled here as "my-vnet").
    • We create an IP configuration for the Private Link Service which will be associated with the Azure resource you wish to expose through Private Link.
    • We then create the Private Link Service resource which uses the IP configuration we previously created. This service essentially creates a private endpoint for your Azure resource.
    • Finally, we export some resource identifiers for further use or reference.

    Before you run this program with Pulumi, replace the placeholder values (like <subscription-id> and <subnet-id>) with the actual values from your Azure environment. Also, depending on your AI workload, if you are not using Azure Blob Storage, you should replace the service namespace in private_dns_zone with the appropriate namespace for the Azure service you are using.
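
    Once the zone is linked, it is worth confirming from a host inside the virtual network that the service names really resolve to addresses in the VNet and not to the public endpoint. The check below is an added example, not part of the original program; the account names, addresses and the 10.20.0.0/16 range are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
import socket

# Constructed sample answers (hypothetical account names and addresses).
SAMPLE_ANSWERS = {
    "aimodels.blob.core.windows.net": ["10.20.1.5"],
    "trainingdata.blob.core.windows.net": ["203.0.113.10"],
    "features.blob.core.windows.net": [],
}


def sample_resolver(fqdn):
    """Offline stand-in for resolve(), backed by the constructed answers."""
    return SAMPLE_ANSWERS.get(fqdn, [])


def resolve(fqdn):
    """Ask the local resolver; an empty list means the name did not resolve."""
    try:
        infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_private_resolution(fqdn, vnet_cidrs, resolver=resolve):
    """Return (status, addresses outside the VNet) for one FQDN."""
    networks = [ipaddress.ip_network(cidr) for cidr in vnet_cidrs]
    addresses = [ipaddress.ip_address(a) for a in resolver(fqdn)]
    if not addresses:
        return "unresolved", []
    # Compare against the VNet ranges; is_private also matches ranges outside this VNet.
    outside = [str(a) for a in addresses if not any(a in n for n in networks)]
    if not outside:
        return "private", []
    return ("public" if len(outside) == len(addresses) else "mixed"), outside


def audit(fqdns, vnet_cidrs, resolver=resolve):
    """Return only the names that would not stay on the private endpoint."""
    findings = {}
    for fqdn in fqdns:
        status, outside = check_private_resolution(fqdn, vnet_cidrs, resolver)
        if status != "private":
            findings[fqdn] = (status, outside)
    return findings


if __name__ == "__main__":
    for name, result in audit(SAMPLE_ANSWERS, ["10.20.0.0/16"], sample_resolver).items():
        print(name, *result)
```

    Run it on a machine in the linked virtual network with the default resolver (omit the resolver argument) and your own names and address ranges; any name it reports is not being served from the private DNS zone.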