Creating VPC DNS Link in Microsoft Azure

WARNING

This is a beta feature available only per request for SAP-internal teams.

This tutorial explains how to link the SAP, BTP Kuma runtime network to a remote private DNS zone in Microsoft Azure. Learn how to create a new resource group, private DNS zone, and record-set, and assign required roles to the provided Kyma service principal in your Microsoft Azure subscription.

Prerequisites

• You have the Cloud Manager module added. See Add and Delete a Kyma Module.
• Azure CLI

Steps

Authorize Cloud Manager in the Remote Subscription

1. Log in to your Microsoft Azure account and set the active subscription:

   export SUBSCRIPTION={SUBSCRIPTION}
   az login
   az account set --subscription $SUBSCRIPTION

2. Verify if the Cloud Manager service principal exists in your tenant.

   export APPLICATION_ID={APPLICATION_ID}
   az ad sp show --id $APPLICATION_ID

3. Optional: If the service principal doesn't exist, create one for the Cloud Manager application in your tenant.

   az ad sp create --id $APPLICATION_ID

4. Assign the required Classic Network Contributor and Network Contributor Identity and Access Management (IAM) roles to the Cloud Manager service principal. See Authorizing Cloud Manager in the Remote Cloud Provider to identify the Cloud Manager principal.

   export SUBSCRIPTION_ID=$(az account show --query id -o tsv)
   export OBJECT_ID=$(az ad sp show --id $APPLICATION_ID --query "id" -o tsv)
   
   az role assignment create --assignee $OBJECT_ID \
   --role "Network Contributor" \
   --scope "/subscriptions/$SUBSCRIPTION_ID"
   
   az role assignment create --assignee $OBJECT_ID \
   --role "Classic Network Contributor" \
   --scope "/subscriptions/$SUBSCRIPTION_ID"

Set Up a Test Environment in the Remote Subscription

1. Set the region that is closest to your Kyma cluster. Use az account list-locations to list available locations.

   export REGION={REGION}

2. Create a resource group as a container for related resources:

   export RESOURCE_GROUP_NAME="MyResourceGroup"
   az group create --name $RESOURCE_GROUP_NAME --location $REGION

3. Create a private DNS zone:

   export ZONE_NAME="example.com"
   az network private-dns zone create --resource-group $RESOURCE_GROUP_NAME --name $ZONE_NAME

4. Create a private DNS A record:

   export RECORD_SET_NAME=test
   export IP_ADDRESS=10.0.0.1
   az network private-dns record-set a add-record --resource-group $RESOURCE_GROUP_NAME --zone-name $ZONE_NAME --record-set-name $RECORD_SET_NAME --ipv4-address $IP_ADDRESS

Allow SAP BTP, Kyma Runtime to link with your Private DNS zone

Tag the private DNS zone with the Kyma shoot name:

export SHOOT_NAME=$(kubectl get cm -n kube-system shoot-info -o jsonpath='{.data.shootName}') 
export ZONE_ID=$(az network private-dns show --name $ZONE_NAME --resource-group $RESOURCE_GROUP_NAME --query id --output tsv)
az tag update --resource-id $ZONE_ID --operation Merge --tags $SHOOT_NAME

Create VPC DNS Link

1. Create an AzureVpcDnsLink resource:

   kubectl apply -f - <<EOF
   apiVersion: cloud-resources.kyma-project.io/v1beta1
   kind: AzureVpcDnsLink
   metadata:
     name: kyma-vpc-dns-link
   spec:
     remoteLinkName: kyma-vpc-dns-link
     remotePrivateDnsZone: $ZONE_ID
   EOF

2. Wait for the AzureVpcDnsLink to be in the Ready state.

   kubectl wait --for=condition=Ready azurevpcdnslink/kyma-vpc-dns-link --timeout=300s

   Once the newly created AzureVpcDnsLink is provisioned, you should see the following message:

   azurevpcdnslink.cloud-resources.kyma-project.io/kyma-vpc-dns-link condition met

3. Create a namespace and export its value as an environment variable:

   export NAMESPACE={NAMESPACE_NAME}
   kubectl create ns $NAMESPACE

4. Create a workload that queries previously created private DNS A record:

   kubectl apply -n $NAMESPACE -f - <<EOF
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: azurevpcdnslink-demo
   spec:
     selector:
       matchLabels:
         app: azurevpcdnslink-demo
     template:
       metadata:
         labels:
           app: azurevpcdnslink-demo
       spec:
         containers:
         - name: my-container
           resources:
             limits:
               memory: 512Mi
               cpu: "1"
             requests:
               memory: 256Mi
               cpu: "0.2"
           image: ubuntu
           command:
             - "/bin/bash"
             - "-c"
             - "--"
           args:
             - "apt update; apt install dnsutils -y; dig $RECORD_SET_NAME.$ZONE_NAME +noall +answer"
   EOF

   This workload should print the resolved IP address of the private DNS A record to stdout.

5. To print the logs of one of the workloads, run:

   kubectl logs -n $NAMESPACE `kubectl get pod -n $NAMESPACE -l app=azurevpcdnslink-demo -o=jsonpath='{.items[0].metadata.name}'`

   The command prints an output similar to the following:

   ...
   test.example.com. 30  IN      A       10.0.0.1

Next Steps

To clean up Kubernetes resources and your subscription resources, follow these steps:

1. Remove the created workloads:

   kubectl delete -n $NAMESPACE deployment azurevpcdnslink-demo

2. Remove the created AzureVpcDnsLink resource:

   kubectl delete -n $NAMESPACE azurevpcdnslink kyma-vpc-dns-link

3. Remove the created namespace:

   kubectl delete namespace $NAMESPACE

4. In your Microsoft Azure account, remove the created Azure resource group:

   az group delete --name $RESOURCE_GROUP_NAME --yes