The concept of privatelink.database.windows.net

De Greyt Jurgen 146 Reputation points
2021-05-27T12:08:42.187+00:00

Please help me in my quest for knowledge...
I am trying to achieve DNS resolution for services in Azure from OnPrem. We have a hub and spoke architecture within Azure. We have a central hub, which has a DNS forwarder installed. This DNS forwarder forwards all DNS queries to 168.63.129.16. We created a conditional forwarder on our OnPrem DNS servers to forward all requests for database.windows.net to the DNS forwarder in Azure.
All as explained in following article: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns
We have created private links for our SaaS deployments within the spokes. As we have a multitude of SaaS deployments, we have many different privatelink.database.windows.net DNS zones, while we can only link one privatelink.database.windows.net zone to our hub vNet where the forwarder lives. So using this procedure we can only resolve records from a single default private DNS zone, while we should be able to resolve all the required ones.

From there the idea came to create a custom private DNS zone for each project. The private DNS name would then be project.company.xyz. On the OnPrem DNS we would create a single conditional forwarder which forwards all queries for company.xyz to the DNS forwarder in Azure. All would be resolved as expected; however, this does not work because the custom domain is not represented in the TLS certificate, hence failing to connect to the private IP: https://journeyofthegeek.com/2020/03/06/azure-private-link-and-dns-part-2/ see scenario 6.

I have read many articles the last couple of days around the concepts of private DNS zones, private links and private endpoints, however I am failing to fully understand the complete picture. It seems to me that it would be logical that privatelink.database.windows.net can only be linked once, because the zone has to be unique, which it isn't. I would also presume that the zone privatelink.database.windows.net can only be resolved from within the vNet to which it belongs, hence why a unique custom private DNS zone needs to be created.

Tags: Azure DNS (an Azure service that enables hosting Domain Name System (DNS) domains in Azure); Azure Private Link (an Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services)

Accepted answer
  1. msrini-MSFT 9,256 Reputation points Microsoft Employee
    2021-06-01T12:43:50.943+00:00

    @De Greyt Jurgen ,

    The recommendation is to deploy one Private DNS Zone for "database.windows.net" and link all the VNETs to the zone created. By doing that you will maintain all the records in a centralized manner and it will help you to resolve IPs across all the VNETs.

    Also you cannot use custom domain name with PE as of today. You need to use the Azure provided custom FQDN so that you can resolve the FQDN to the PE IP.

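As an added illustration of the question's setup and the accepted answer's fix (this is example code written for this page, not code from the question, the answer or Microsoft), the following toy resolver models the path on-prem queries take: conditional forwarder for database.windows.net, forwarder in the hub VNet, 168.63.129.16, and whatever private zones are linked to the hub. It assumes the documented public DNS behaviour for Azure SQL (the public FQDN is a CNAME to the privatelink name) and that a linked private zone answers for its whole namespace, so a name missing from it is NXDOMAIN rather than a fall-through to public DNS. Server names, IPs, the SAN list and the CNAME chain are all constructed.

```python
# Added example, not code from the question or the answer: a toy model of the
# resolution path the thread describes. It shows why one
# privatelink.database.windows.net zone holding every project's record, linked
# to the hub VNet, resolves all servers from on-prem, and why a custom zone name
# such as project.company.xyz fails the TLS hostname check. Every name, IP and
# record below is constructed for illustration.

PRIVATELINK_ZONE = "privatelink.database.windows.net"

# Constructed stand-in for public DNS. Azure SQL publishes the public FQDN as a
# CNAME to the privatelink name; with no private zone in the path, that name
# resolves onward to a public front end.
PUBLIC_DNS = {
    "sqlsrv-a.database.windows.net": ("CNAME", "sqlsrv-a.privatelink.database.windows.net"),
    "sqlsrv-b.database.windows.net": ("CNAME", "sqlsrv-b.privatelink.database.windows.net"),
    "sqlsrv-a.privatelink.database.windows.net": ("CNAME", "gw.region.control.database.windows.net"),
    "sqlsrv-b.privatelink.database.windows.net": ("CNAME", "gw.region.control.database.windows.net"),
    "gw.region.control.database.windows.net": ("A", "40.0.0.10"),  # constructed public IP
}

# Constructed private-endpoint records, one per project spoke.
PROJECT_A_RECORDS = {"sqlsrv-a": "10.1.0.4"}
PROJECT_B_RECORDS = {"sqlsrv-b": "10.2.0.4"}

# Constructed SAN list: the service certificate covers the public name only.
CERT_SANS = ["*.database.windows.net"]


class ZoneLinkError(Exception):
    """Raised when a second zone with the same name is linked to one VNet."""


def link_zone(vnet_links, zone_name, records):
    """Link a private zone to a VNet. A VNet can be linked to only one zone of a
    given name, which is the limit the question runs into."""
    if zone_name in vnet_links:
        raise ZoneLinkError(f"{zone_name} is already linked to this VNet")
    vnet_links[zone_name] = dict(records)


def resolve_in_azure(name, vnet_links, depth=0):
    """Resolution as seen through 168.63.129.16 from a VNet with vnet_links.
    A linked private zone answers for its whole namespace: a name missing from
    it is not looked up in the public zone of the same name (None here means
    NXDOMAIN). Everything else goes to public DNS, following CNAMEs."""
    if depth > 8:
        raise RuntimeError(f"CNAME chain too long resolving {name}")
    for zone_name, records in vnet_links.items():
        suffix = "." + zone_name
        if name.endswith(suffix):
            return records.get(name[: -len(suffix)])
    rr = PUBLIC_DNS.get(name)
    if rr is None:
        return None
    rtype, target = rr
    return target if rtype == "A" else resolve_in_azure(target, vnet_links, depth + 1)


def resolve_from_onprem(name, hub_links):
    """On-prem resolver with the conditional forwarder from the question:
    database.windows.net queries go to the forwarder in the hub VNet, which
    asks 168.63.129.16 and therefore sees the hub's linked zones."""
    if name == "database.windows.net" or name.endswith(".database.windows.net"):
        return resolve_in_azure(name, hub_links)
    return resolve_in_azure(name, {})  # anything else: plain public resolution


def tls_name_matches(connect_name, cert_sans):
    """Hostname check a SQL client performs against the server certificate.
    A wildcard SAN matches exactly one label, so *.database.windows.net covers
    sqlsrv-a.database.windows.net but never project.company.xyz."""
    for san in cert_sans:
        if san.startswith("*."):
            if connect_name.endswith(san[1:]) and connect_name.count(".") == san.count("."):
                return True
        elif san == connect_name:
            return True
    return False


def demo():
    """Per-project zones versus one shared zone, resolved from on-prem."""
    per_project = {}
    link_zone(per_project, PRIVATELINK_ZONE, PROJECT_A_RECORDS)
    try:  # project B's own copy of the zone cannot be linked to the same hub VNet
        link_zone(per_project, PRIVATELINK_ZONE, PROJECT_B_RECORDS)
    except ZoneLinkError:
        pass
    shared = {}
    link_zone(shared, PRIVATELINK_ZONE, {**PROJECT_A_RECORDS, **PROJECT_B_RECORDS})
    return {
        "a_per_project": resolve_from_onprem("sqlsrv-a.database.windows.net", per_project),
        "b_per_project": resolve_from_onprem("sqlsrv-b.database.windows.net", per_project),
        "a_shared": resolve_from_onprem("sqlsrv-a.database.windows.net", shared),
        "b_shared": resolve_from_onprem("sqlsrv-b.database.windows.net", shared),
        "tls_public_name": tls_name_matches("sqlsrv-a.database.windows.net", CERT_SANS),
        "tls_custom_name": tls_name_matches("projecta.company.xyz", CERT_SANS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With only project A's zone linked, sqlsrv-b still CNAMEs into privatelink.database.windows.net and dies there, which is the single-zone symptom from the question; with one shared zone carrying both records, both servers resolve to their private endpoint IPs while the client keeps connecting to the public FQDN, so the certificate's *.database.windows.net SAN still matches. In real Azure the shared zone is filled by pointing each private endpoint's DNS zone group at that one zone, and the on-prem conditional forwarder stays on database.windows.net, not on a custom domain.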

1 additional answer

  1. Anonymous
    2022-09-15T06:53:30.527+00:00

    If we cannot use a custom domain name, and it always defaults to privatelink.database.windows.net, how can we follow the recommendation to use database.windows.net?
