Adding a Private DNS A Record to an existing zone in another subscription #12586
I would avoid trying to update the zone manually and use private endpoint DNS zone groups to update the DNS zone instead. This would also solve your problem of "How do I get the PE IP?". From where you are, after creating the private endpoint, retrieve the private DNS zone resource:

```bicep
// Reference the existing zone in the other subscription / resource group
resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
  name: 'privatelink.redisenterprise.cache.azure.net'
  scope: resourceGroup('sub_id', 'rg-name')
}
```

After that, you can create a private DNS zone group with something similar to this:

```bicep
// The zone group is a child of the private endpoint (parent below),
// so its type is privateEndpoints/privateDnsZoneGroups
resource pe_dns_zone_group 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-06-01' = {
  name: privateEndpointPrivateGroupName
  parent: redisEnterprisePrivateEndpoint
  properties: {
    privateDnsZoneConfigs: [
      {
        name: privateEndpointPrivateGroupName
        properties: {
          privateDnsZoneId: privateDNSZone.id
        }
      }
    ]
  }
}
```

The main advantage of using the zone group is that the scope of the deployment is still the same as the one used by your private endpoint and DNS records are managed automatically. This means that on creation, the record will be created automatically in the PDNSZ and on deletion of your private endpoint, your zone will be cleaned up automatically as well.
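The approach in the answer above, assembled into a single deployable file as an added example that is not part of the original thread. The parameter names, the `pe-` naming pattern, the zone group and config names, and the `2022-01-01` API version for the cache are assumptions; `redisEnterprise` is the private link group ID for Redis Enterprise.

```bicep
// Added example; parameter names are assumptions, not taken from the thread.
param dnsZoneSubscriptionId string     // subscription holding the existing zone
param dnsZoneResourceGroupName string  // resource group holding the existing zone
param redisEnterpriseName string       // existing cache in this resource group
param subnetId string                  // subnet that receives the private endpoint
resource redisEnterprise 'Microsoft.Cache/redisEnterprise@2022-01-01' existing = {
  name: redisEnterpriseName
}

// Cross-subscription reference: read-only handle, nothing is deployed there.
resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
  name: 'privatelink.redisenterprise.cache.azure.net'
  scope: resourceGroup(dnsZoneSubscriptionId, dnsZoneResourceGroupName)
}

resource redisEnterprisePrivateEndpoint 'Microsoft.Network/privateEndpoints@2020-06-01' = {
  name: 'pe-${redisEnterpriseName}'
  location: resourceGroup().location
  properties: {
    subnet: {
      id: subnetId
    }
    privateLinkServiceConnections: [
      {
        name: 'pe-${redisEnterpriseName}'
        properties: {
          privateLinkServiceId: redisEnterprise.id
          groupIds: [
            'redisEnterprise'
          ]
        }
      }
    ]
  }
}

// Deployed in the endpoint's own scope; the A record in the remote zone
// is created and removed together with the endpoint.
resource pe_dns_zone_group 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-06-01' = {
  parent: redisEnterprisePrivateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'redisenterprise'
        properties: {
          privateDnsZoneId: privateDNSZone.id
        }
      }
    ]
  }
}
```

The identity running the deployment still needs access to the zone in the other subscription, so scope that role assignment to the single zone rather than to the whole subscription.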
Hello,
I am using Bicep to create Enterprise Redis Caches (Microsoft.Cache/redisEnterprise) and then attaching a private endpoint to that Redis Cache. Works great.
But - I want to then add an A record to our privatelink DNS Zone that is already existing, and, unfortunately, in another scope (another subscription inside my tenant).
I'm having a heck of a time figuring out how to do this -- I see some references to writing a module, and putting it in another file, but I'm missing something on how to tie that all together.
Here is our working pseudo-code:
And here is the bit that doesn't work, trying to add an A Record in another scope that I'm stuck on:
It doesn't like this, and throws this error:
Likely because I'm trying to get bicep to use an existing zone in a different scope... any clues on how to fix this? I saw this link but I didn't quite grasp it...
P.S. extra credit to show me how to get the ipv4Address out of the redisEnterprisePrivateEndpoint, but I think I can figure that out on my own once this existing zone thing gets sorted... Thanks in advance for any pointers!!