Overview
Private DNS zones enable you to host DNS records that are only resolvable within your virtual networks. When integrated with Azure Virtual WAN, these zones become centrally accessible across all hub‑and‑spoke topologies, simplifying name resolution for resources connected via the WAN.
Prerequisites
- Azure subscription with Owner or Network Contributor role.
- Existing Virtual WAN and one or more hubs.
- Permissions to create Private DNS zones and virtual network links.
Create a Private DNS Zone
Use the Azure portal, CLI, or PowerShell. Example using Azure CLI:
```bash
az network private-dns zone create \
  --resource-group MyResourceGroup \
  --name contoso.internal
```
Link the Zone to Virtual WAN
Link the private DNS zone to each hub VNet that requires resolution.
```bash
az network private-dns link vnet create \
  --resource-group MyResourceGroup \
  --zone-name contoso.internal \
  --name HubVNetLink \
  --virtual-network /subscriptions/{subId}/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/HubVNet \
  --registration-enabled true
```
Configure DNS Records
Add A, CNAME, or other record types to the zone:
```bash
az network private-dns record-set a add-record \
  --resource-group MyResourceGroup \
  --zone-name contoso.internal \
  --record-set-name web01 \
  --ipv4-address 10.1.0.4
```
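The three steps above (create the zone, link the hub VNet with auto-registration, add an A record) as one script. This is an added example, not code from the original page: it validates the record name and IPv4 address before anything reaches the API, guards the link creation so the script can be rerun, and by default only prints the az commands it would run (set DRY_RUN=0 to execute them). RESOURCE_GROUP, ZONE_NAME, HUB_VNET and the zeroed SUBSCRIPTION_ID are constructed placeholders.

```shell
# Added example (not from the original page): idempotent wrapper around the
# zone / link / record steps. All values are constructed placeholders.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-MyResourceGroup}"
ZONE_NAME="${ZONE_NAME:-contoso.internal}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder, not a real subscription
HUB_VNET="${HUB_VNET:-HubVNet}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands, 0 = execute them

# Print or execute an az invocation depending on DRY_RUN.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "az $*"
  else
    az "$@"
  fi
}

# Dotted-quad check with a per-octet range check (a pattern match alone accepts 999.1.1.1).
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# RFC 1123 host label: 1-63 chars, letters, digits and hyphens, no leading or trailing hyphen.
valid_label() {
  label="$1"
  [ "${#label}" -ge 1 ] && [ "${#label}" -le 63 ] || return 1
  case "$label" in
    *[!A-Za-z0-9-]*|-*|*-) return 1 ;;
  esac
  return 0
}

# Full ARM resource ID of a VNet in the working resource group.
vnet_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s' \
    "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$1"
}

# Step 1: the zone. Creating an existing zone with the same settings is harmless.
ensure_zone() {
  run_az network private-dns zone create \
    --resource-group "$RESOURCE_GROUP" --name "$ZONE_NAME" --output none
}

# Step 2: the link. `link vnet create` is not idempotent, so check for it first.
# A VNet may carry a registration-enabled link to only one private zone, so a
# second zone trying to auto-register the same VNet fails here rather than silently.
ensure_link() {
  vnet="$1"; link_name="${1}Link"
  if [ "$DRY_RUN" != "1" ] && az network private-dns link vnet show \
       --resource-group "$RESOURCE_GROUP" --zone-name "$ZONE_NAME" \
       --name "$link_name" --output none 2>/dev/null; then
    return 0
  fi
  run_az network private-dns link vnet create \
    --resource-group "$RESOURCE_GROUP" --zone-name "$ZONE_NAME" \
    --name "$link_name" --virtual-network "$(vnet_id "$vnet")" \
    --registration-enabled true --output none
}

# Step 3: the A record, validated before it is sent.
add_a_record() {
  name="$1"; ip="$2"
  valid_label "$name" || { echo "invalid record name: $name" >&2; return 2; }
  valid_ipv4 "$ip"    || { echo "invalid IPv4 address: $ip" >&2; return 2; }
  run_az network private-dns record-set a add-record \
    --resource-group "$RESOURCE_GROUP" --zone-name "$ZONE_NAME" \
    --record-set-name "$name" --ipv4-address "$ip" --output none
}

deploy() {
  ensure_zone
  ensure_link "$HUB_VNET"
  add_a_record "web01" "10.1.0.4"
}

deploy
```

Run it once as-is to review the commands, then again with DRY_RUN=0 from a session that is already logged in with `az login`; rerunning with DRY_RUN=0 is safe because the zone create is tolerant of an existing zone and the link is checked before it is created.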
Validation & Monitoring
Verify DNS resolution from a VM within a hub network:
```bash
nslookup web01.contoso.internal 168.63.129.16
```
Use Azure Monitor to track DNS query metrics:
```bash
# The query metric exposed for Microsoft.Network/privateDnsZones is named QueryVolume
az monitor metrics list \
  --resource /subscriptions/{subId}/resourceGroups/MyResourceGroup/providers/Microsoft.Network/privateDnsZones/contoso.internal \
  --metric "QueryVolume"
```
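The nslookup check above is easy to script so it can run from every hub VM and feed an alert. The following is an added example, not part of the original page: a POSIX shell function that classifies nslookup output, passing only when the answer came from the resolver that was asked (168.63.129.16), the name exists, and the address falls inside the private prefix expected for the hub. A name from the private zone that resolves elsewhere, or through another resolver, means the VM is not actually using the zone. The three transcripts are constructed samples of what nslookup prints on a Linux VM; `verify_live` runs the real command.

```shell
# Added example, not from the original page: classify nslookup output so the
# validation step can be scripted and alerted on.
set -eu

# Constructed samples of what nslookup prints on a Linux VM (not captured output).
SAMPLE_OK='Server:   168.63.129.16
Address:  168.63.129.16#53

Non-authoritative answer:
Name:     web01.contoso.internal
Address:  10.1.0.4'

SAMPLE_NXDOMAIN='Server:   168.63.129.16
Address:  168.63.129.16#53

** server can'\''t find web01.contoso.internal: NXDOMAIN'

SAMPLE_PUBLIC='Server:   203.0.113.53
Address:  203.0.113.53#53

Non-authoritative answer:
Name:     web01.contoso.internal
Address:  203.0.113.10'

# check_resolution OUTPUT EXPECTED_SERVER EXPECTED_PREFIX
# EXPECTED_PREFIX is a plain string prefix, so give it a trailing dot ("10.1." not
# "10.1") or 10.10.x.x would also match. Prints one line and returns 0 only for OK:
#   OK <addr>                  answered by the expected resolver, inside the prefix
#   WRONG_RESOLVER <server>    the VM is not sending queries to the expected resolver
#   NXDOMAIN                   the zone is not visible from this VM (link or DNS settings)
#   NO_ANSWER                  no address in the reply (timeout, SERVFAIL, CNAME only)
#   UNEXPECTED_ADDRESS <addr>  the name resolves, but outside the private prefix
check_resolution() {
  output="$1"; expected_server="$2"; expected_prefix="$3"
  server=$(printf '%s\n' "$output" | awk '/^Server:/ { print $2; exit }')
  if [ "$server" != "$expected_server" ]; then
    echo "WRONG_RESOLVER ${server:-none}"; return 1
  fi
  if printf '%s\n' "$output" | grep -q 'NXDOMAIN'; then
    echo "NXDOMAIN"; return 1
  fi
  # The answer's Address: line follows Name:; the first Address: line is the resolver itself.
  answer=$(printf '%s\n' "$output" | awk '/^Name:/ { seen = 1; next } seen && /^Address:/ { print $2; exit }')
  case "$answer" in
    '')                  echo "NO_ANSWER"; return 1 ;;
    "$expected_prefix"*) echo "OK $answer"; return 0 ;;
    *)                   echo "UNEXPECTED_ADDRESS $answer"; return 1 ;;
  esac
}

# Run the real lookup from a hub VM, e.g.: verify_live web01.contoso.internal 168.63.129.16 10.1.
verify_live() {
  check_resolution "$(nslookup "$1" "$2" 2>&1 || true)" "$2" "$3"
}
```

Feed the classification line into whatever the hub VMs already report to (a custom log in Azure Monitor, for instance); anything other than OK is worth an alert, since it means either the link is missing or the VM's DNS settings bypass the private zone.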
Best Practices
| Recommendation | Reason |
|---|---|
| Enable auto‑registration for hub VNets | Ensures new VMs automatically populate DNS records. |
| Use a dedicated resource group for DNS zones | Simplifies RBAC management. |
| Implement split‑horizon DNS only when required | Avoids unnecessary complexity. |
API Reference
REST endpoint to manage private DNS zones:
```http
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/privateDnsZones?api-version=2023-09-01
```
For full schema see the Azure Private DNS REST API.