Configure a private DNS zone

At this point, you have redeployed your Azure Spring Apps service in a virtual network, along with all of its apps. As the next step, to implement its connectivity without relying on a public endpoint, you need to set up a private DNS service for your apps so they are discoverable within the virtual network. You can use the following guidance to perform this task:

Access your application in a private network.

Step by step guidance

Start by identifying the IP address used by your Spring Apps service. You can accomplish this by querying for the internal load balancer IP address of the service runtime subnet.

SERVICE_RUNTIME_RG=$(az spring show \
    --resource-group $RESOURCE_GROUP \
    --name $SPRING_APPS_SERVICE_VNET \
    --query "properties.networkProfile.serviceRuntimeNetworkResourceGroup" \
    --output tsv)
   
IP_ADDRESS=$(az network lb frontend-ip list \
    --lb-name kubernetes-internal \
    --resource-group $SERVICE_RUNTIME_RG \
    --query "[0].privateIPAddress" \
    --output tsv)

Notice that Azure Spring Apps uses a separate resource group for resources. You can view each resource as they are created.

Next, create a private DNS zone to resolve name resolution requests targeting the private.azuremicroservices.io namespace to this internal IP address.
```
az network private-dns zone create \
    --resource-group $RESOURCE_GROUP \
    --name private.azuremicroservices.io
```

Link this private DNS zone to your virtual network.

az network private-dns link vnet create \
    --resource-group $RESOURCE_GROUP \
    --name azure-spring-apps-dns-link \
    --zone-name private.azuremicroservices.io \
    --virtual-network $VIRTUAL_NETWORK_NAME \
    --registration-enabled false

Now you need to create an A DNS record that will resolve the name associated with your Azure Spring Apps service to the private IP address you identified earlier in this task.
```
az network private-dns record-set a add-record \
    --resource-group $RESOURCE_GROUP \
    --zone-name private.azuremicroservices.io \
    --record-set-name '*' \
    --ipv4-address $IP_ADDRESS
```
In case you don’t want to use a wildcard * record for the A DNS record, you will need to create 3 A DNS records. The 3 records need to be created for asaInstanceName.private.azuremicroservices.io, asaInstanceName-yourAppName.private.azuremicroservices.io and asaInstanceName.svc.private.azuremicroservices.io with the load balancer IP address for each as the IP.
Lastly you need to update your api-gateway and admin-service apps to retrieve the fully qualified domain name (FQDN) on your private DNS zone.
```
az spring app update \
    --resource-group $RESOURCE_GROUP \
    --name $API_GATEWAY \
    --service $SPRING_APPS_SERVICE_VNET \
    --assign-endpoint true

az spring app update \
    --resource-group $RESOURCE_GROUP \
    --name $ADMIN_SERVER \
    --service $SPRING_APPS_SERVICE_VNET \
    --assign-endpoint true
```
If you try connecting at this point to the spring petclinic application via the api-gateway and admin-service endpoints, you will not be able to do so, since these endpoints are currently only available within the virtual network. You could test such connectivity if you had an Azure VM connected to that virtual network. Later in this exercise, you will expose these two endpoints by using an Azure Application Gateway, which will allow you to test connectivity from the internet. In the next lab a jump box in the network will be created as well for executing some specific steps. In case you see errors in your apps you can already execute the steps for provisioning this jump box to test connectivity within the VNet to your apps.

Notice that you will be unable to use log streaming at this time. You will need a VM in the same virtual network to be able to do so.