Quickstart: Create an Azure private DNS zone using the Azure portal

This quickstart walks you through the steps to create your first private DNS zone and record using the Azure portal.

A DNS zone is used to host the DNS records for a particular domain. To start hosting your domain in Azure DNS, you need to create a DNS zone for that domain name. Each DNS record for your domain is then created inside this DNS zone. To publish a private DNS zone to your virtual network, you specify the list of virtual networks that are allowed to resolve records within the zone. These are called linked virtual networks. When autoregistration is enabled, Azure DNS also updates the zone records whenever a virtual machine is created, changes its' IP address, or is deleted.

In this quickstart, you learn how to:

  • Create a private DNS zone
  • Create a virtual network
  • Link the virtual network
  • Create test virtual machines
  • Create an additional DNS record
  • Test the private zone

If you don’t have an Azure subscription, create a free account before you begin.

If you prefer, you can complete this quickstart using Azure PowerShell or Azure CLI.

Create a private DNS zone

The following example creates a DNS zone called private.contoso.com in a resource group called MyAzureResourceGroup.

A DNS zone contains the DNS entries for a domain. To start hosting your domain in Azure DNS, you create a DNS zone for that domain name.

Private DNS zones search

  1. On the portal search bar, type private dns zones in the search text box and press Enter.

  2. Select Private DNS zone.

  3. Select Create private dns zone.

  4. On the Create Private DNS zone page, type or select the following values:

    • Resource group: Select Create new, enter MyAzureResourceGroup, and select OK. The resource group name must be unique within the Azure subscription.
    • Name: Type private.contoso.com for this example.
  5. For Resource group location, select West Central US.

  6. Select Review + Create.

  7. Select Create.

It may take a few minutes to create the zone.

Create a virtual network

  1. On the portal page upper left, select Create a resource, then Networking, then select Virtual network.
  2. For Name, type myAzureVNet.
  3. For Resource group, select MyAzureResourceGroup.
  4. For Location, select West Central US.
  5. Accept the other default values and select Create.

To link the private DNS zone to a virtual network, you create a virtual network link.

Add virtual network link

  1. Open the MyAzureResourceGroup resource group and select the private.contoso.com private zone.
  2. On the left pane, select Virtual network links.
  3. Select Add.
  4. Type myLink for the Link name.
  5. For Virtual network, select myAzureVNet.
  6. Select the Enable auto registration check box.
  7. Select OK.

Create the test virtual machines

Now, create two virtual machines so you can test your private DNS zone:

  1. On the portal page upper left, select Create a resource, and then select Windows Server 2016 Datacenter.

  2. Select MyAzureResourceGroup for the resource group.

  3. Type myVM01 - for the name of the virtual machine.

  4. Select West Central US for the Region.

  5. Type azureadmin for the administrator user name.

  6. Type Azure12345678 for the password and confirm the password.

  7. For Public inbound ports, select Allow selected ports, and then select RDP (3389) for Select inbound ports.

  8. Accept the other defaults for the page and then click Next: Disks >.

  9. Accept the defaults on the Disks page, then click Next: Networking >.

  10. Make sure that myAzureVNet is selected for the virtual network.

  11. Accept the other defaults for the page, and then click Next: Management >.

  12. For Boot diagnostics, select Off, accept the other defaults, and then select Review + create.

  13. Review the settings and then click Create.

Repeat these steps and create another virtual machine named myVM02.

It will take a few minutes for both virtual machines to complete.

Create an additional DNS record

The following example creates a record with the relative name db in the DNS Zone private.contoso.com, in resource group MyAzureResourceGroup. The fully qualified name of the record set is db.private.contoso.com. The record type is "A", with the IP address of myVM01.

  1. Open the MyAzureResourceGroup resource group and select the private.contoso.com private zone.
  2. Select + Record set.
  3. For Name, type db.
  4. For IP Address, type the IP address you see for myVM01. This should be auto registered when the virtual machine started.
  5. Select OK.

Test the private zone

Now you can test the name resolution for your private.contoso.com private zone.

Configure VMs to allow inbound ICMP

You can use the ping command to test name resolution. So, configure the firewall on both virtual machines to allow inbound ICMP packets.

  1. Connect to myVM01, and open a Windows PowerShell window with administrator privileges.

  2. Run the following command:

    New-NetFirewallRule –DisplayName “Allow ICMPv4-In” –Protocol ICMPv4
    

Repeat for myVM02.

Ping the VMs by name

  1. From the myVM02 Windows PowerShell command prompt, ping myVM01 using the automatically registered host name:
    ping myVM01.private.contoso.com
    
    You should see output that looks similar to this:
    PS C:\> ping myvm01.private.contoso.com
    
    Pinging myvm01.private.contoso.com [10.2.0.4] with 32 bytes of data:
    Reply from 10.2.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.2.0.4: bytes=32 time=1ms TTL=128
    Reply from 10.2.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.2.0.4: bytes=32 time<1ms TTL=128
    
    Ping statistics for 10.2.0.4:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 1ms, Average = 0ms
    PS C:\>
    
  2. Now ping the db name you created previously:
    ping db.private.contoso.com
    
    You should see output that looks similar to this:
    PS C:\> ping db.private.contoso.com
    
    Pinging db.private.contoso.com [10.2.0.4] with 32 bytes of data:
    Reply from 10.2.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.2.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.2.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.2.0.4: bytes=32 time<1ms TTL=128
    
    Ping statistics for 10.2.0.4:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    PS C:\>
    

Delete all resources

When no longer needed, delete the MyAzureResourceGroup resource group to delete the resources created in this quickstart.

Next steps