Azure Documentation

Integrating Azure Private Link with Azure Private DNS Zones

This document provides a comprehensive guide on how to integrate Azure Private Link with Azure Private DNS Zones. This integration is crucial for securely and reliably connecting your virtual networks to Azure PaaS services using private endpoints.

Introduction to Private Link and Private DNS

Azure Private Link enables you to access Azure PaaS services (like Azure Storage, Azure SQL Database) and customer-owned Azure resources over a private endpoint in your virtual network. A private endpoint uses a private IP address from your virtual network, effectively bringing the service into your private network.

Azure Private DNS Zones provide a reliable and secure DNS service to manage and resolve domain names in a virtual network without needing to deploy a custom DNS solution. When you create a private endpoint, Azure automatically associates it with a Private DNS Zone for the specific service, allowing for seamless resolution.

Key Benefits of Integration

  • Secure Access: Traffic stays within the Azure backbone network.
  • Simplified DNS Management: Automatic DNS record creation and management for private endpoints.
  • Consistent Naming: Resolve service endpoints using their standard FQDNs.
  • Enhanced Security Posture: Reduces exposure of services to the public internet.

Steps for Integration

The integration typically involves the following steps:

  1. Create a Private Endpoint:

    When you provision a private endpoint for a supported Azure service, you will have the option to configure DNS settings.

    During the creation of a private endpoint, you can choose to:

    • Integrate with Private DNS zone: This is the recommended and most common option. Azure will automatically create or use an existing Private DNS Zone.
    • Do not integrate with Private DNS zone: This option requires you to manually manage DNS records.

    For automatic integration, Azure uses a service-specific naming convention for the Private DNS Zone. For example, for Azure Blob Storage the zone is privatelink.blob.core.windows.net.

  2. Configure Private DNS Zone:

    If you choose automatic integration, Azure handles this. If you choose manual management or need to customize the DNS zone, you can create and configure a Private DNS Zone resource in your Azure subscription.

    Within the Private DNS Zone, a record set (usually an A record) will be created for your private endpoint, mapping the service's FQDN to the private IP address of the endpoint.

    ; Zone file for privatelink.blob.core.windows.net
    ; SOA fields after the primary name server (responsible mailbox, serial,
    ; refresh, retry, expire, minimum TTL) are illustrative placeholders.
    @       3600    IN      SOA     azure-dns-int. hostmaster.example. 1 3600 300 2419200 300
    @       3600    IN      NS      ns1-01.azure-dns.com.

    ; A record mapping the storage account's name in this zone to the
    ; private endpoint's private IP address from the VNet address space
    yourstorageaccount.privatelink.blob.core.windows.net. 3600 IN A 10.0.0.4

  3. Link Virtual Network to Private DNS Zone:

    To ensure that resources within your virtual network can resolve the private endpoint's DNS name, you must link your virtual network to the Private DNS Zone. This is done within the Azure portal or via Azure CLI/PowerShell.

    Note: If you chose automatic integration during private endpoint creation, this VNet linking step is often performed automatically by Azure. However, it's good practice to verify it.

  4. Test DNS Resolution:

    After the configurations are in place, you can test DNS resolution from a virtual machine within your linked virtual network. Use tools like nslookup or dig to verify that the service's FQDN resolves to the private IP address of the private endpoint.

    PS C:\> nslookup yourstorageaccount.privatelink.blob.core.windows.net
    Server:         168.63.129.16
    Address:        168.63.129.16#53
    
    Name:   yourstorageaccount.privatelink.blob.core.windows.net
    Address: 10.0.0.4

Considerations for Different Services

While the core principles remain the same, the specific Private DNS Zone names and FQDNs vary by service:

  • Azure Storage: privatelink.blob.core.windows.net, privatelink.file.core.windows.net, etc.
  • Azure SQL Database: privatelink.database.windows.net
  • Azure Key Vault: privatelink.vaultcore.azure.net
  • Azure Cosmos DB: privatelink.cosmos.azure.com

Important: Always refer to the specific documentation for the Azure service you are using for the exact FQDN and expected Private DNS Zone name.

Troubleshooting Common Issues

  • Incorrect DNS Resolution: Ensure the virtual network is correctly linked to the Private DNS Zone. Verify that the A record exists and points to the correct private IP.
  • Firewall or NSG Blocking: Although traffic stays on the Azure backbone, Network Security Groups (NSGs) applied to the subnet hosting the private endpoint can block traffic. Ensure necessary ports are open.
  • Service Endpoint Configuration: Double-check that the private endpoint is configured for the correct resource and type.

Tip: Use Azure Network Watcher's IP Flow Verify and Connection Troubleshoot tools to diagnose connectivity issues between your VM and the private endpoint.
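The checks from steps 2 to 4 above and from the troubleshooting list (zone exists, VNet is linked, the A record exists and points to a private IP inside the VNet) can be scripted against a snapshot of your zone configuration. The following is an added example, not Azure tooling or code from this page; the zone data, VNet names and address space are constructed, and the service-suffix-to-zone table is assumed from the zone names listed on this page.

```python
import ipaddress

# Private DNS zone per public service suffix, using the zone names this page lists
# (Key Vault's public suffix vault.azure.net maps to the vaultcore private zone).
PRIVATELINK_ZONES = {
    "blob.core.windows.net": "privatelink.blob.core.windows.net",
    "file.core.windows.net": "privatelink.file.core.windows.net",
    "database.windows.net": "privatelink.database.windows.net",
    "vault.azure.net": "privatelink.vaultcore.azure.net",
}

def expected_record(fqdn):
    """Split a service FQDN into the (record name, Private DNS zone) it should resolve through."""
    host, _, suffix = fqdn.lower().rstrip(".").partition(".")
    zone = PRIVATELINK_ZONES.get(suffix)
    if zone is None:
        raise ValueError(f"no Private Link zone known for {fqdn}")
    return host, zone

def check_private_dns(fqdn, zones, vnet, address_space):
    """Return findings (empty list = healthy) for one VNet resolving one service FQDN.
    zones: {zone_name: {"records": {record_name: ip}, "links": {vnet_name, ...}}}
    address_space: the VNet CIDR; a private endpoint IP must fall inside it."""
    findings = []
    host, zone_name = expected_record(fqdn)
    zone = zones.get(zone_name)
    if zone is None:
        return [f"Private DNS zone {zone_name} does not exist"]
    if vnet not in zone["links"]:
        findings.append(f"VNet {vnet} is not linked to {zone_name}; queries fall back to public DNS")
    ip = zone["records"].get(host)
    if ip is None:
        findings.append(f"no A record {host}.{zone_name}")
        return findings
    addr = ipaddress.ip_address(ip)
    if not addr.is_private:
        findings.append(f"{host}.{zone_name} points at public address {ip}, not a private endpoint")
    elif addr not in ipaddress.ip_network(address_space):
        findings.append(f"{host}.{zone_name} -> {ip} lies outside the VNet address space {address_space}")
    return findings

# Constructed sample mirroring the page's zone file: one storage account behind an endpoint at 10.0.0.4.
SAMPLE_ZONES = {
    "privatelink.blob.core.windows.net": {"records": {"yourstorageaccount": "10.0.0.4"}, "links": {"vnet-prod"}},
}

if __name__ == "__main__":
    for vnet in ("vnet-prod", "vnet-dev"):  # vnet-dev is deliberately not linked
        print(vnet, check_private_dns("yourstorageaccount.blob.core.windows.net", SAMPLE_ZONES, vnet, "10.0.0.0/16") or "OK")
```

Feed it the records and links exported from your real zones (for example from the Azure CLI) to turn the manual checklist into a repeatable audit.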

Conclusion

Integrating Azure Private Link with Azure Private DNS Zones is a fundamental step towards securing your cloud infrastructure. By leveraging this native integration, you can simplify DNS management, enhance security, and ensure reliable connectivity to Azure services.