Configure DNS for Azure Private Endpoint

This article explains how to configure Domain Name System (DNS) resolution for Azure Private Endpoints. Private Endpoints provide a secure and private way to access Azure PaaS services and your own services hosted in Azure. Proper DNS configuration is crucial for seamless connectivity to these services via their private IP addresses.

Private Endpoint DNS Concepts

When you create a private endpoint for a service, a new network interface (NIC) is created in your virtual network. This NIC is assigned a private IP address from your subnet. For clients to connect to the service using its standard FQDN (e.g., storageaccount.blob.core.windows.net), DNS resolution needs to map this FQDN to the private IP address of the private endpoint.

Without proper DNS configuration, clients resolve the FQDN to the service's public IP address instead. The connection then either fails, if network security groups, firewalls or the service's own network rules block public access, or it succeeds over the public endpoint and silently bypasses the private endpoint.

DNS Resolution Methods

There are several common methods to configure DNS for private endpoints:

1. Azure Private DNS Zone

This is the recommended and most integrated method. Azure Private DNS zones allow you to host your DNS domains in Azure without having to implement a custom DNS solution. For private endpoints, you create a Private DNS Zone that matches the internal DNS suffix of the Azure service (e.g., privatelink.blob.core.windows.net). Then, you link this zone to your virtual network where the private endpoint resides. Azure automatically creates an A record in the Private DNS Zone that maps the service's FQDN to the private IP address of the private endpoint.

Benefits: Simplified management, automatic record creation, highly available.

2. On-premises DNS Server

If you have an existing on-premises DNS infrastructure, you can configure conditional forwarders on your on-premises DNS servers. These forwarders send queries for the internal DNS suffix (e.g., *.privatelink.core.windows.net) towards Azure DNS. Because the Azure-provided resolver is reachable only from inside a virtual network, you need to deploy an Azure DNS Private Resolver (inbound endpoint) or DNS server VMs in Azure that accept these queries from your on-premises DNS servers and resolve them against Azure DNS.

Considerations: Requires hybrid connectivity (VPN or ExpressRoute).

3. Azure DNS Forwarder

You can deploy DNS forwarder virtual machines within your Azure virtual network. These VMs forward queries to the Azure-provided DNS (168.63.129.16), which resolves both public names and any Private DNS Zone linked to the virtual network, and can send queries for other domains to designated DNS servers. This approach provides more control but adds management overhead.

Azure DNS Private Resolver

For a more robust and managed solution for hybrid DNS resolution, consider using Azure DNS Private Resolver. It enables DNS resolution between your virtual networks and on-premises networks without the need to deploy and manage DNS forwarder VMs.

Example Scenario

Let's say you have a Storage Account named mystorageaccount in Azure. You've created a private endpoint for this storage account in your virtual network VNet1. The private endpoint is assigned the IP address 10.0.0.5.

  • Service FQDN: mystorageaccount.blob.core.windows.net
  • Private Endpoint IP: 10.0.0.5
  • Desired Resolution: When a VM in VNet1 queries mystorageaccount.blob.core.windows.net, it should resolve to 10.0.0.5.

Using Azure Private DNS Zone:

  1. Create a Private DNS Zone named privatelink.blob.core.windows.net.
  2. Link this zone to VNet1.
  3. Azure automatically creates an A record: mystorageaccount pointing to 10.0.0.5.
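The scenario above as an Azure CLI script (an added example, not part of the original article). The resource group, subnet and private endpoint names are assumptions; the zone-name helper is specific to Azure Storage, whose privatelink zone is the service FQDN with "privatelink." inserted after the account name.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): the scenario above as an
# Azure CLI script. Resource group and subnet names are assumptions.
set -eu

RG="rg-privatelink-demo"           # assumed resource group
VNET="VNet1"                       # from the scenario
SUBNET="default"                   # assumed subnet name
STORAGE="mystorageaccount"         # from the scenario
SERVICE_FQDN="${STORAGE}.blob.core.windows.net"

# For Azure Storage the private zone is the service FQDN with "privatelink."
# inserted after the account name, and the A record is the account name.
# Other services publish their own zone names, so do not reuse this helper
# for them without checking the documented zone.
privatelink_zone_for() {
  printf 'privatelink.%s\n' "${1#*.}"
}
record_name_for() {
  printf '%s\n' "${1%%.*}"
}

deploy() {
  zone="$(privatelink_zone_for "$SERVICE_FQDN")"
  sa_id="$(az storage account show -g "$RG" -n "$STORAGE" --query id -o tsv)"

  # Step 1: create the private zone.
  az network private-dns zone create -g "$RG" -n "$zone"
  # Step 2: link the zone to VNet1. Auto-registration is for VM hostnames;
  # the endpoint's A record comes from the DNS zone group created below.
  az network private-dns link vnet create -g "$RG" -z "$zone" -n VNet1Link \
    --virtual-network "$VNET" --registration-enabled false
  # Create the private endpoint for the blob sub-resource.
  az network private-endpoint create -g "$RG" -n "pe-${STORAGE}-blob" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$sa_id" --group-id blob \
    --connection-name "${STORAGE}-blob-conn"
  # Step 3: the zone group makes Azure write "mystorageaccount" -> the
  # endpoint's private IP (10.0.0.5 in the scenario) into the zone and
  # keep it in sync with the endpoint.
  az network private-endpoint dns-zone-group create -g "$RG" \
    --endpoint-name "pe-${STORAGE}-blob" -n default \
    --private-dns-zone "$zone" --zone-name blob
}

# Only talks to Azure when invoked as: ./pe-dns.sh apply
if [ "${1:-}" = "apply" ]; then
  deploy
fi
```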

Steps to Configure (Azure Private DNS Zone Method)

  1. Identify the Service's Internal DNS Suffix: This is typically found in the private endpoint's network configuration details. For Azure Storage, it often looks like privatelink.blob.core.windows.net.
  2. Create an Azure Private DNS Zone:
    • Navigate to the Azure portal.
    • Search for "Private DNS zones" and select it.
    • Click "Create".
    • Enter the Name of the zone (e.g., privatelink.blob.core.windows.net).
    • Select your Subscription and Resource group.
    • Click "Review + create" then "Create".
  3. Link the Private DNS Zone to Your Virtual Network:
    • Open your newly created Private DNS Zone.
    • Under "Settings", click "Virtual network links".
    • Click "Add".
    • Provide a Link name (e.g., VNet1Link).
    • Select your Subscription and the Virtual network (e.g., VNet1).
    • Ensure "Enable registration" is checked (this allows auto-registration of records when using private endpoints).
    • Click "OK".
  4. Verify Private Endpoint Creation: Ensure your private endpoint is successfully created and has a private IP assigned.
  5. Test DNS Resolution: From a VM within the linked virtual network, use nslookup or dig to query the service's FQDN. It should resolve to the private IP address of the private endpoint.
    nslookup mystorageaccount.blob.core.windows.net
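A scripted version of the check in step 5 (an added example, not from the original article): it classifies the answer chain that `dig +short` returns for the service FQDN, so a misconfigured or unlinked zone is reported rather than spotted by eye. The sample answer chains are constructed, and the public address is a TEST-NET placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): classify the answer chain
# from "dig +short" for step 5 instead of reading it by eye. Samples below
# are constructed; the TEST-NET address stands in for a real public IP.
set -eu

# classify_chain CHAIN [EXPECTED_IP]
# Prints private | public | wrong-address | no-privatelink | no-answer
# and returns 0 only for "private".
classify_chain() {
  chain="$1"
  [ -n "$chain" ] || { echo no-answer; return 1; }
  last="$(printf '%s\n' "$chain" | tail -n 1)"
  # The public FQDN must CNAME through the privatelink name; if it does not,
  # the query never consulted the privatelink zone (wrong FQDN or DNS path).
  case "$chain" in
    *.privatelink.*) ;;
    *) echo no-privatelink; return 1 ;;
  esac
  case "$last" in
    *[!0-9.]*) echo no-answer; return 1 ;;   # chain ends in a name, no A record
  esac
  if [ -n "${2:-}" ] && [ "$last" != "$2" ]; then
    echo wrong-address; return 1             # resolved, but not to this endpoint
  fi
  case "$last" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private; return 0 ;;
    *) echo public; return 1 ;;              # fell through to the public endpoint
  esac
}

# Live use from a VM in the linked VNet:
#   classify_chain "$(dig +short mystorageaccount.blob.core.windows.net)" 10.0.0.5

# Constructed: zone linked, answer ends at the private endpoint.
LINKED="mystorageaccount.privatelink.blob.core.windows.net.
10.0.0.5"
# Constructed: zone missing or unlinked; the privatelink name falls through
# to the public CNAME chain and a public address (NSG/firewall may then block).
UNLINKED="mystorageaccount.privatelink.blob.core.windows.net.
blob.example-cluster.store.core.windows.net.
203.0.113.10"
```

The RFC 1918 test is only a heuristic; pass the endpoint's private IP from the portal as the second argument to check for the exact address.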

Troubleshooting

  • Incorrect FQDN: Double-check the exact FQDN of the service you are trying to access.
  • Missing Private DNS Zone Link: Ensure the Private DNS Zone is correctly linked to the virtual network where your client resides.
  • "Enable registration" Not Checked: For automatic record creation with private endpoints, this must be enabled on the virtual network link.
  • Conflicting DNS Records: If you have other DNS configurations (e.g., custom DNS servers, other forwarders), ensure they are not interfering.
  • Network Security Groups (NSGs): DNS resolution happens before the connection to the service itself, so if you are using custom DNS servers, ensure your NSGs allow DNS traffic (UDP/TCP port 53) between your clients and those servers.

By following these steps, you can ensure reliable and secure access to your Azure services through Private Endpoints.