feat: add fallbacktointernet for dns zone (#962)

* add fallbacktointernet for dns zone * Update infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep I would suggest have the NxDomainRedirect as default in the code. As most does not know about this setting. And based on my experience it's been a big problem where you use private and public Azure services. Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com> * Added parResolutionPolicy to markdown file * Include new param * Update parameter name * Generate Parameter Markdowns [oZakari/ccd3a8f1] --------- Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com> Co-authored-by: Zach Trocinski <ztrocinski@outlook.com> Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Azure · Mar 6, 2025 · 0719ef6 · 0719ef6
1 parent 6147762
commit 0719ef6
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 0 deletions.
diff --git a/...de/bicep/modules/privateDnsZoneLinks/generateddocs/privateDnsZoneLinks.bicep.md b/...de/bicep/modules/privateDnsZoneLinks/generateddocs/privateDnsZoneLinks.bicep.md
@@ -5,6 +5,7 @@
 Parameter name | Required | Description
 -------------- | -------- | -----------
 parSpokeVirtualNetworkResourceId | No       | The Spoke Virtual Network Resource ID.
+parPrivateDnsZoneLinkResolutionPolicy | No       | Fallback to internet for Azure Private DNS zones.
 parPrivateDnsZoneResourceId | No       | The Private DNS Zone Resource IDs to associate with the spoke Virtual Network.
 parResourceLockConfig | No       | Resource Lock Configuration for Private DNS Zone Links.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
 
@@ -14,6 +15,16 @@ parResourceLockConfig | No       | Resource Lock Configuration for Private DNS Z
 
 The Spoke Virtual Network Resource ID.
 
+### parPrivateDnsZoneLinkResolutionPolicy
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Fallback to internet for Azure Private DNS zones.
+
+- Default value: `Default`
+
+- Allowed values: `Default`, `NxDomainRedirect`
+
 ### parPrivateDnsZoneResourceId
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -48,6 +59,9 @@ Resource Lock Configuration for Private DNS Zone Links.
         "parSpokeVirtualNetworkResourceId": {
             "value": ""
         },
+        "parPrivateDnsZoneLinkResolutionPolicy": {
+            "value": "Default"
+        },
         "parPrivateDnsZoneResourceId": {
             "value": ""
         },

diff --git a/...code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json b/...code/bicep/modules/privateDnsZoneLinks/parameters/privateDnsZoneLinks.parameters.all.json
@@ -7,6 +7,9 @@
     },
     "parPrivateDnsZoneResourceIds":{
       "value": []
+    },
+    "parPrivateDnsZoneLinkResolutionPolicy": {
+      "value": "Default"
     }
   }
 }
diff --git a/infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep b/infra-as-code/bicep/modules/privateDnsZoneLinks/privateDnsZoneLinks.bicep
@@ -14,6 +14,13 @@ type lockType = {
 @sys.description('The Spoke Virtual Network Resource ID.')
 param parSpokeVirtualNetworkResourceId string = ''
 
+@sys.description('Fallback to internet for Azure Private DNS zones.')
+@allowed([
+  'Default'
+  'NxDomainRedirect'
+])
+param parPrivateDnsZoneLinkResolutionPolicy string = 'Default'
+
 @sys.description('The Private DNS Zone Resource IDs to associate with the spoke Virtual Network.')
 param parPrivateDnsZoneResourceId string = ''
 
@@ -35,6 +42,7 @@ resource resPrivateDnsZoneLinkToSpoke 'Microsoft.Network/privateDnsZones/virtual
   name: '${split(parPrivateDnsZoneResourceId, '/')[8]}/dnslink-to-${varSpokeVirtualNetworkName}'
   properties: {
     registrationEnabled: false
+    resolutionPolicy: parPrivateDnsZoneLinkResolutionPolicy
     virtualNetwork: {
       id: parSpokeVirtualNetworkResourceId
     }