
DNS Resolution with Azure Private Endpoints - The Complete Guide

Tags: Azure, Private Endpoints, DNS, Networking, Hybrid

Private endpoints give your workloads a private IP inside your VNET for a PaaS service. But the endpoint is only used if the service's FQDN resolves to that private IP: without the matching DNS configuration, applications keep resolving the public address and connect over the public path as if the private endpoint did not exist.

The Problem

When you create a private endpoint for a storage account, Azure creates:

  • A NIC in your VNET with a private IP
  • An A record for the account in the privatelink private DNS zone, but only if you attach a private DNS zone group to the endpoint (the private_dns_zone_group block in Terraform); without it, no record is written anywhere

Azure also changes the public record: mystorageaccount.blob.core.windows.net becomes a CNAME to mystorageaccount.privatelink.blob.core.windows.net, and it is that privatelink name the private zone answers for. Your on-premises servers know nothing about Azure Private DNS zones. They query your AD DNS servers, which follow the CNAME chain on the internet and resolve to the public IP.

The DNS Resolution Path

Understanding the resolution path is key:

  1. Client asks its AD DNS server for mystorageaccount.blob.core.windows.net
  2. AD DNS has no matching zone and forwards upstream: to the internet by default, or, via a conditional forwarder, to something inside Azure that can reach Azure DNS (168.63.129.16)
  3. Public DNS answers the chain mystorageaccount.blob.core.windows.net → mystorageaccount.privatelink.blob.core.windows.net → public IP
  4. Azure DNS, queried from a VNET linked to the privatelink.blob.core.windows.net zone, answers the privatelink name from the private zone instead and returns the private IP

Setting Up Private DNS Zones

Create one zone per service type, using the exact privatelink zone name Azure publishes for that service; the name is what makes the zone override the CNAME target:

# Zone names are fixed by Azure and must match exactly; one zone per sub-resource
# (blob, file, queue and table on a storage account each have their own)
resource "azurerm_private_dns_zone" "blob" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = azurerm_resource_group.dns.name
}

resource "azurerm_private_dns_zone" "keyvault" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = azurerm_resource_group.dns.name
}

resource "azurerm_private_dns_zone" "sql" {
  name                = "privatelink.database.windows.net"
  resource_group_name = azurerm_resource_group.dns.name
}

Linking Zones to VNETs

Each zone must be linked to every VNET whose Azure-provided DNS should answer from it. That includes the VNET hosting your DNS forwarder VM or Private Resolver, not only the VNETs where workloads run:

resource "azurerm_private_dns_zone_virtual_network_link" "blob" {
  name                  = "blob-to-hub"
  resource_group_name   = azurerm_resource_group.dns.name
  private_dns_zone_name = azurerm_private_dns_zone.blob.name
  virtual_network_id    = azurerm_virtual_network.hub.id
  # Auto-registration is for VM hostnames; privatelink zones are populated by
  # the private endpoint's DNS zone group, so leave it off
  registration_enabled  = false
}
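The piece that actually writes the A record is the private endpoint's DNS zone group. The following is an added example (not code from the original post) that creates a blob private endpoint with Az PowerShell, attaches a zone group for the privatelink.blob.core.windows.net zone the Terraform above creates, and then reads the record back. Resource group, VNET, subnet and account names are assumptions; it needs the Az.Network, Az.PrivateDns and Az.Storage modules and an authenticated session.

```powershell
# Added example, not from the original post. Names below are assumptions.
$dnsRg      = 'rg-dns'                  # assumed: holds the privatelink zones
$workloadRg = 'rg-app'                  # assumed: holds the VNET and storage account
$location   = 'uksouth'
$zoneName   = 'privatelink.blob.core.windows.net'

$storage = Get-AzStorageAccount -ResourceGroupName $workloadRg -Name 'mystorageaccount'
$vnet    = Get-AzVirtualNetwork -ResourceGroupName $workloadRg -Name 'vnet-hub'
$subnet  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-privateendpoints'
$zone    = Get-AzPrivateDnsZone -ResourceGroupName $dnsRg -Name $zoneName

# Ask for a private link to the Blob sub-resource only. file/queue/table need
# their own endpoint and their own privatelink zone.
$connection = New-AzPrivateLinkServiceConnection -Name 'pls-blob' `
    -PrivateLinkServiceId $storage.Id -GroupId 'blob'

$pe = New-AzPrivateEndpoint -ResourceGroupName $workloadRg -Name 'pe-mystorageaccount-blob' `
    -Location $location -Subnet $subnet -PrivateLinkServiceConnection $connection

# Without this zone group the endpoint exists and has a NIC, but nothing writes
# the A record: clients keep resolving the public IP and never use it.
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'blob' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $workloadRg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# Verify: the zone now holds an A record named after the account, pointing at
# the endpoint NIC's private IP.
$record = Get-AzPrivateDnsRecordSet -ResourceGroupName $dnsRg -ZoneName $zoneName `
    -Name $storage.StorageAccountName -RecordType A
$record.Records | ForEach-Object {
    "$($storage.StorageAccountName).$zoneName -> $($_.Ipv4Address)"
}
```

The zone group is the part people forget when they create endpoints by hand in the portal with "Integrate with private DNS zone" switched off; the endpoint shows as Approved, but the last line above returns nothing and every client still goes to the public IP.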

On-Premises Resolution

For hybrid environments, configure conditional forwarders on AD DNS:

# Add conditional forwarders for the privatelink zones, pointing straight at
# Azure DNS. This is the naive version; read on before using it.
$zones = @(
  "privatelink.blob.core.windows.net",
  "privatelink.vaultcore.azure.net",
  "privatelink.database.windows.net",
  "privatelink.file.core.windows.net"
)

foreach ($zone in $zones) {
  Add-DnsServerConditionalForwarderZone `
    -Name $zone `
    -MasterServers 168.63.129.16
}

But wait: 168.63.129.16 is a virtual IP that only answers queries originating inside an Azure VNET, so from on-premises these forwarders simply time out. You need something in Azure that forwards on your behalf: a DNS forwarder VM, or Azure DNS Private Resolver (covered below).

DNS Forwarder Architecture

Deploy a VM (or two for HA) in Azure, in a VNET that is linked to the private DNS zones, to forward queries:

On-Prem Client
    ↓
AD DNS Server (conditional forwarder)
    ↓
Azure DNS Forwarder VM (10.0.1.4)
    ↓
Azure DNS (168.63.129.16)
    ↓
Private DNS Zone → Private IP

Simple DNS Forwarder Setup

On a Windows VM in Azure:

# Install DNS Server role
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Forward to Azure DNS. The VM's VNET must be linked to the private zones,
# otherwise Azure DNS answers with the public IP just like any resolver would.
Add-DnsServerForwarder -IPAddress 168.63.129.16

Then update your on-premises conditional forwarders to point at this VM's private IP (reachable over your VPN or ExpressRoute) instead of 168.63.129.16, and restrict the VM with an NSG so that only your on-premises DNS servers can send it queries on port 53.
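The two halves of the procedure above, as an added example (not the original post's code): part 1 runs on each forwarder VM, part 2 on the on-premises AD DNS servers. The forwarder IPs 10.0.1.4 and 10.0.1.5 are assumptions. The one setting the page does not mention is root hints: a Windows DNS server whose forwarder is unreachable falls back to root hints by default, walks the public CNAME chain itself and hands clients the public IP, so the forwarder VM is made to fail closed instead.

```powershell
# Added example, not from the original post. Forwarder VM IPs are assumptions.

# ---- Part 1: on each DNS forwarder VM in Azure (VNET linked to the private zones) ----
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Forward everything to Azure DNS, which is only reachable from inside the VNET
Add-DnsServerForwarder -IPAddress 168.63.129.16 -PassThru

# Fail closed: if Azure DNS cannot be reached, do not fall back to root hints.
# With root hints on, the VM would resolve the public CNAME chain itself and
# return the public IP, silently bypassing the private endpoint.
Set-DnsServerForwarder -UseRootHint $false -Timeout 3

# ---- Part 2: on the on-premises AD DNS servers ----
$forwarders = @('10.0.1.4', '10.0.1.5')   # assumed forwarder VM IPs, reached over VPN/ExpressRoute
$zones = @(
    'privatelink.blob.core.windows.net',
    'privatelink.vaultcore.azure.net',
    'privatelink.database.windows.net',
    'privatelink.file.core.windows.net'
)

foreach ($zone in $zones) {
    $existing = Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # AD-integrated with Forest scope so every DC running DNS gets the same forwarder
        Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $forwarders `
            -ReplicationScope 'Forest'
        "created conditional forwarder $zone -> $($forwarders -join ', ')"
    }
    else {
        # Re-point an existing forwarder, e.g. one that still targets 168.63.129.16
        Set-DnsServerConditionalForwarderZone -Name $zone -MasterServers $forwarders
        "updated conditional forwarder $zone -> $($forwarders -join ', ')"
    }
}
```

Recursion stays enabled on the forwarder VM because Windows DNS only consults forwarders as part of recursion; limit who can use it with the NSG on its subnet rather than by turning recursion off.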

Testing Resolution

# From on-premises, using the client's normal resolvers
nslookup mystorageaccount.blob.core.windows.net
# Should return a private IP from your private endpoint subnet, like 10.0.2.5

# Compare with a public resolver
nslookup mystorageaccount.blob.core.windows.net 8.8.8.8
# Shows the CNAME to mystorageaccount.privatelink.blob.core.windows.net and the
# public IP: this is what any client not using your DNS gets

A private answer only tells you where DNS points. A laptop on 8.8.8.8 or a container with its own resolver still reaches the public endpoint, so treat DNS as routing, not as the control: disable public network access (or restrict the firewall) on the storage account as well.
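A reusable check for the resolution path described earlier and the nslookup tests above, as an added example that is not part of the original post: it uses Resolve-DnsName to capture the CNAME chain, classifies the final A answers as RFC 1918 or public, compares the default resolvers with a public one, and then confirms where a real TCP connection lands. The FQDN is an assumption.

```powershell
# Added example, not from the original post. The FQDN is an assumption.

function Test-PrivateIp {
    param([string]$Ip)
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    if ($b.Length -ne 4) { return $false }            # only IPv4 ranges are checked here
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-PrivateEndpointResolution {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Server        # omit to use the client's normal resolvers
    )
    $params = @{ Name = $Name; Type = 'A'; DnsOnly = $true; NoHostsFile = $true; ErrorAction = 'Stop' }
    if ($Server) { $params.Server = $Server }
    $answers = Resolve-DnsName @params

    # CNAME records carry the chain (public name -> privatelink name); A records carry the IPs
    $chain = @($answers | Where-Object Type -eq 'CNAME' | ForEach-Object { "$($_.Name) -> $($_.NameHost)" })
    $ips   = @($answers | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
    $label = if ($Server) { $Server } else { '(default resolvers)' }

    [pscustomobject]@{
        Name      = $Name
        Server    = $label
        Chain     = $chain -join '; '
        Addresses = $ips -join ', '
        # Private only if every A answer is RFC 1918; a single public address is a leak
        Private   = ($ips.Count -gt 0) -and (-not ($ips | Where-Object { -not (Test-PrivateIp $_) }))
    }
}

$fqdn = 'mystorageaccount.blob.core.windows.net'    # assumed

# 1. The path clients actually use: must end at the private endpoint IP
$viaDefault = Test-PrivateEndpointResolution -Name $fqdn
# 2. What a public resolver says: the privatelink CNAME and the public IP
$viaPublic  = Test-PrivateEndpointResolution -Name $fqdn -Server '8.8.8.8'

$viaDefault, $viaPublic | Format-List
if (-not $viaDefault.Private) {
    Write-Warning "$fqdn resolves to a public address via the default resolvers; traffic will bypass the private endpoint"
}

# 3. DNS says where you would go; confirm where a TCP connection really lands
(Test-NetConnection -ComputerName $fqdn -Port 443).RemoteAddress
```

Run it with -Server set to a forwarder VM or the Private Resolver inbound IP to test each hop in the chain individually; the hop whose answer flips from private to public is where the configuration is missing.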

Azure DNS Private Resolver

For a managed alternative to forwarder VMs, use Azure DNS Private Resolver. It was in preview when this was written and is now generally available. The inbound endpoint's subnet must be delegated to Microsoft.Network/dnsResolvers, the resolver's VNET must be linked to the private zones exactly like the forwarder VM's, and your on-premises conditional forwarders then point at the inbound endpoint's private IP:

resource "azurerm_private_dns_resolver" "this" {
  name                = "dns-resolver"
  resource_group_name = azurerm_resource_group.dns.name
  location            = azurerm_resource_group.dns.location
  virtual_network_id  = azurerm_virtual_network.hub.id
}

resource "azurerm_private_dns_resolver_inbound_endpoint" "this" {
  name                    = "inbound"
  private_dns_resolver_id = azurerm_private_dns_resolver.this.id
  location                = azurerm_resource_group.dns.location

  ip_configurations {
    private_ip_allocation_method = "Dynamic"
    subnet_id                    = azurerm_subnet.dns_inbound.id
  }
}

Common Issues

Resolution works in Azure but not on-premises:

  • Check the conditional forwarder configuration on every DC running DNS (a forwarder created with the wrong replication scope exists on only one of them)
  • Verify the on-prem DNS servers can reach the forwarder VM or inbound endpoint on port 53 over the VPN or ExpressRoute (route plus NSG)
  • Verify the forwarder VM can reach 168.63.129.16
  • Ensure the private DNS zone is linked to the forwarder's VNET, not just the workload VNETs

Intermittent failures:

  • DNS caching - flush cache after changes (clients, AD DNS and the forwarder all cache)
  • TTL issues - wait for old records to expire
  • A forwarder that falls back to root hints when Azure DNS is slow will return the public IP for that query; disable root hints on the forwarder

Wrong IP returned:

  • Check the private endpoint is in the Approved state
  • Verify the A record exists in the private DNS zone (it is only created if a DNS zone group is attached to the endpoint)
  • If the VNET uses custom DNS servers, those servers must themselves forward to 168.63.129.16, otherwise the private zones are never consulted

Need help with Azure networking? Get in touch - we help organisations design secure hybrid connectivity.
