feat: adding switch for internet fallback on Private DNS zones

[picccard]

Overview/Summary

At the start of 2025 there was added the option to enable "Fallback to internet" for private DNS zones for Private Link resources.
This PR allows this option to be set for all private DNS zones.

Related Issues/Work Items

• https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies-FAQ#private-dns-zone-issues
• might resolve Implement AMPLS into Landing Zone #720

This PR fixes/adds/changes/removes

1. Allows consumers to enable "Fallback to internet" on privatelink-dns-zones.

Breaking Changes

Default will not change.

⚠️ However if consumers use the parameter parPrivateDnsZones to deploy any any non-privatelink-zone (e.g. contoso.internal), vnet links for these zones will fail, because resolutionPolicy is only allowed on privatelink-zones.

Here is an example:

parPrivateDnsZones: [
  'privatelink.postgres.database.azure.com'
  'privatelink.mysql.database.azure.com'
  'contoso.internal'
]

Testing Evidence

As part of this Pull Request I have

• Read the Contribution Guide and ensured this PR is compliant with the guide
• Ensured the resource API versions in .bicep file/s I am adding/editing are using the latest API version possible
• Checked for duplicate Pull Requests
• Associated it with relevant GitHub Issues
• (ALZ Bicep Core Team Only) Associated it with relevant ADO Items
• Ensured my code/branch is up-to-date with the latest changes in the main branch
• Performed testing and provided evidence.
• Updated one or more of the following tests (if required)
  • Unit
  • Linting
  • E2E (End-To-End)
  • ValidateAzCloud (Base validation in Azure Cloud)
  • ValidateMcCloud (Base validation in Azure China Cloud)
• Updated relevant and associated documentation (e.g. Contribution Guide, Module READMEs, Wiki Docs etc.)
• If relevant, created or updated Code Tours here

[oZakari]

Thanks @picccard! Let me know when you're ready for review and can get this merged in.

[picccard]

@oZakari this is ready for review now. Test complete and screenshot added.

⚠️ See breaking changes, the default ALZ implementation is fine, but there could be edge cases where consumers use their own private-dns-zones → leading to deployment failure

This could be fixed by splitting the bicep module modPrivateDnsZonesAVM into two modules, one module for parPrivateDnsZones filter zone-name contains 'privatelink', and one for zone-name not-contains 'privatelink'.

OR the AVD module should ignore the resolutionPolicy property for non-privatelink-zones, as its known that will throw errors during deployment...

[oZakari]

Thanks for letting me know @picccard. Will leave a notice in the release notes for this and we can make changes on the AVM side if we get enough customers running into issues.

[oZakari]

/azp run validateazcloud

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[oZakari]

/azp run validateazcloud

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[oZakari]

Code looks good for this one from first glance, just need to sort out why the tests are failing in the backend. I think it's related to a security update with checking out forks, but should be able to merge this in shortly.

[KiZach]

Will this also be enabled for Azure VWAN network deployment, if the option 'parVirtualNetworkResourceIdsToLinkTo' is specified in the 'vwanConnectivity.parameters.all.json' parameter file?