Bug Report: Accessing *.PowerBI.com From A Landing Zone #1212

Open
AErmie opened this issue Dec 6, 2024 · 1 comment

AErmie commented Dec 6, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

  • terraform: 1.9.7
  • azure provider: 3.116.0
  • module: 6.1.0

Description

Describe the bug

As part of the CAF deployment, a Private DNS Zone is created for privatelink.analysis.windows.net. Custom CNAME records need to be added to this Private DNS Zone in order to resolve any PowerBI.com site. There is no "*.powerbi.com" CNAME for the Canada endpoint of PowerBI.com.

Steps to Reproduce

  1. Deploy the CAF
  2. Deploy Private DNS Resolver in a spoke connected to the vWAN Hub
  3. Update the CAF deployment to link the Private DNS Zones to the Private DNS Resolver VNet
  4. Configure Azure Firewall as a DNS Proxy, directing traffic to the Private DNS Resolver
  5. Deploy an Azure Landing Zone spoke, connected to the vWAN Hub (ensure that custom DNS is configured to route DNS requests to the Azure Firewall)
  6. Deploy a VM inside the spoke VNet
  7. Attempt to access PowerBI.com, and/or deploy the PowerBI Data Gateway
  8. Unable to reach PowerBI.com

Screenshots

Additional context

Similar to the following reported GitHub Issue (Bug Report app.powerbi.com), to resolve this issue we had to create 2 custom DNS CNAME records in the privatelink.analysis.windows.net Private DNS Zone.

However, when using https://www.digwebinterface.com/ to resolve the public DNS records for app.powerbi.com (specifically from Canada), we get the following output:

app.powerbi.com.	1898	IN	CNAME	app.privatelink.analysis.windows.net.
app.privatelink.analysis.windows.net. 272 IN CNAME 997de1ee-c405-4364-8b90-eb6f601a6af2.trafficmanager.net.
997de1ee-c405-4364-8b90-eb6f601a6af2.trafficmanager.net. 300 IN	CNAME app-pbi-wfe-canada-central-v3.pbi-wfe-canada-central-v3-ase.p.azurewebsites.net.
app-pbi-wfe-canada-central-v3.pbi-wfe-canada-central-v3-ase.p.azurewebsites.net. 30 IN CNAME waws-prod-yt1-0eca9383.sip.p.azurewebsites.windows.net.
waws-prod-yt1-0eca9383.sip.p.azurewebsites.windows.net.	1898 IN	A 52.228.81.160

The same thing applies to the api.powerbi.com endpoint, which has the following output (again, specifically from Canada):

api.powerbi.com.	3600	IN	CNAME	api.privatelink.analysis.windows.net.
api.privatelink.analysis.windows.net. 120 IN CNAME 03be66dd-3487-4b89-a8d9-89ade6381a91.trafficmanager.net.
03be66dd-3487-4b89-a8d9-89ade6381a91.trafficmanager.net. 300 IN	CNAME wabi-canada-central-redirect.analysis.windows.net.
wabi-canada-central-redirect.analysis.windows.net. 120 IN CNAME	wabi-canada-central-comp-ev2.canadacentral.cloudapp.azure.com.
wabi-canada-central-comp-ev2.canadacentral.cloudapp.azure.com. 10 IN A 52.228.81.168

So unlike the referenced GitHub Issue, which shows a CNAME of pbi-wfe-us-north-central.powerbi.com after the Traffic Manager CNAME, there is no *.powerbi.com CNAME record in the daisy-chain/path when resolving PowerBI.com from Canada.

Per the referenced GitHub Issue, the daisy-chain should be...

  1. app.powerbi.com > app.privatelink.analysis.windows.net
  2. app.privatelink.analysis.windows.net > *.trafficmanager.net
  3. *.trafficmanager.net > pbi-wfe-{REGION-BASED}.powerbi.com
  4. pbi-wfe-{REGION-BASED}.powerbi.com > pbi-wfe-{REGION-BASED}-ase.powerbi.com
  5. pbi-wfe-{REGION-BASED}-ase.powerbi.com > app-pbi-wfe-{REGION-BASED}.pbi-wfe-{REGION-BASED}-ase.p.azurewebsites.net
  6. app-pbi-wfe-{REGION-BASED}.pbi-wfe-{REGION-BASED}-ase.p.azurewebsites.net > *.sip.p.azurewebsites.windows.net
  7. *.sip.p.azurewebsites.windows.net > *.cloudapp.net
  8. *.cloudapp.net > IP Address

When we check the path/chain for Canada, there is no {REGION-BASED}.powerbi.com CNAME between Traffic Manager and the ASE.

DNS CNAME Records

We had to create the following CNAME records in the privatelink.analysis.windows.net Private DNS Zone:

NAME: app.privatelink.analysis.windows.net
TYPE: CNAME
ALIAS: app-pbi-wfe-canada-central-v3.pbi-wfe-canada-central-v3-ase.p.azurewebsites.net
---
NAME: api.privatelink.analysis.windows.net
TYPE: CNAME
ALIAS: wabi-canada-central-redirect.analysis.windows.net

In our opinion, this is something that the PowerBI Product Group should be consulted on, since this is directly related to how PowerBI is hosted and accessible from Canada.
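
Added example (not part of the original issue or of the module's code): a Python sketch that parses the two dig answers quoted above, follows each CNAME chain, and returns the name that follows the Traffic Manager hop, which is the alias used for the custom records, along with whether any *.powerbi.com hop is present. The function names are hypothetical; the sample text is copied from the issue's output.

```python
# Sample input: the two dig answers quoted in the issue (resolved from Canada).
APP_ANSWER = """\
app.powerbi.com. 1898 IN CNAME app.privatelink.analysis.windows.net.
app.privatelink.analysis.windows.net. 272 IN CNAME 997de1ee-c405-4364-8b90-eb6f601a6af2.trafficmanager.net.
997de1ee-c405-4364-8b90-eb6f601a6af2.trafficmanager.net. 300 IN CNAME app-pbi-wfe-canada-central-v3.pbi-wfe-canada-central-v3-ase.p.azurewebsites.net.
app-pbi-wfe-canada-central-v3.pbi-wfe-canada-central-v3-ase.p.azurewebsites.net. 30 IN CNAME waws-prod-yt1-0eca9383.sip.p.azurewebsites.windows.net.
waws-prod-yt1-0eca9383.sip.p.azurewebsites.windows.net. 1898 IN A 52.228.81.160
"""
API_ANSWER = """\
api.powerbi.com. 3600 IN CNAME api.privatelink.analysis.windows.net.
api.privatelink.analysis.windows.net. 120 IN CNAME 03be66dd-3487-4b89-a8d9-89ade6381a91.trafficmanager.net.
03be66dd-3487-4b89-a8d9-89ade6381a91.trafficmanager.net. 300 IN CNAME wabi-canada-central-redirect.analysis.windows.net.
wabi-canada-central-redirect.analysis.windows.net. 120 IN CNAME wabi-canada-central-comp-ev2.canadacentral.cloudapp.azure.com.
wabi-canada-central-comp-ev2.canadacentral.cloudapp.azure.com. 10 IN A 52.228.81.168
"""

def parse_answer(text):
    """Return {owner: (rtype, rdata)} from dig-style 'name ttl IN type data' lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2] == "IN":
            owner, _ttl, _cls, rtype, rdata = fields
            records[owner.rstrip(".").lower()] = (rtype, rdata.rstrip(".").lower())
    return records

def walk_chain(records, start):
    """Follow CNAMEs from start; stop at an address record, a gap, or a loop."""
    chain, name = [start], start
    while name in records:
        rtype, rdata = records[name]
        if rdata in chain:          # CNAME loop: stop instead of spinning
            break
        chain.append(rdata)
        if rtype != "CNAME":        # reached the A record
            break
        name = rdata
    return chain

def override_target(chain):
    """Name that follows the *.trafficmanager.net hop, or None if there is none."""
    for i, name in enumerate(chain[:-1]):
        if name.endswith(".trafficmanager.net"):
            return chain[i + 1]
    return None

def has_powerbi_hop(chain):
    """True if any hop after the queried name is itself under powerbi.com."""
    return any(name.endswith(".powerbi.com") for name in chain[1:])

if __name__ == "__main__":
    for start, answer in (("app.powerbi.com", APP_ANSWER), ("api.powerbi.com", API_ANSWER)):
        chain = walk_chain(parse_answer(answer), start)
        print(start, "->", override_target(chain), "| powerbi.com hop:", has_powerbi_hop(chain))
```

Run against a fresh answer, the same check shows when the hop after Traffic Manager no longer matches the alias stored in the Private DNS Zone.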


anwarnk commented Dec 20, 2024

This will resolve your problem - https://learn.microsoft.com/en-us/azure/dns/private-dns-fallback. We have tested it and are waiting for it to go into GA.
