Create an Azure DNS private zone using Azure PowerShell
The Azure DNS Private Zone feature is currently in public preview.
This article walks you through the steps to create your first private DNS zone and record using Azure PowerShell.
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.
A DNS zone is used to host the DNS records for a particular domain. To start hosting your domain in Azure DNS, you need to create a DNS zone for that domain name. Each DNS record for your domain is then created inside this DNS zone. To publish a private DNS zone to your virtual network, you specify the list of virtual networks that are allowed to resolve records within the zone. These are called linked virtual networks. When autoregistration is enabled, Azure DNS also updates the zone records whenever a virtual machine is created, changes its' IP address, or is deleted.
In this article, you learn how to:
- Create a DNS private zone
- Create test virtual machines
- Create an additional DNS record
- Test the private zone
Use Azure Cloud Shell
Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. Cloud Shell lets you use either
PowerShell to work with Azure services. You can use the Cloud Shell pre-installed commands to run the code in this article without having to install anything on your local environment.
To launch Azure Cloud Shell:
|Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell.|
|Go to https://shell.azure.com or select the Launch Cloud Shell button to open Cloud Shell in your browser.|
|Select the Cloud Shell button on the top-right menu bar in the Azure portal.|
To run the code in this article in Azure Cloud Shell:
Launch Cloud Shell.
Select the Copy button on a code block to copy the code.
Paste the code into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS.
Press Enter to run the code.
If you don’t have an Azure subscription, create a free account before you begin.
If you prefer, you can complete this procedure using Azure CLI.
Create the resource group
First, create a resource group to contain the DNS zone:
New-AzResourceGroup -name MyAzureResourceGroup -location "eastus"
Create a DNS private zone
A DNS zone is created by using the
The following example creates a virtual network named myAzureVNet. Then it creates a DNS zone named private.contoso.com in the MyAzureResourceGroup resource group, links the DNS zone to the MyAzureVnet virtual network, and enables automatic registration.
Install-Module -Name Az.PrivateDns -force $backendSubnet = New-AzVirtualNetworkSubnetConfig -Name backendSubnet -AddressPrefix "10.2.0.0/24" $vnet = New-AzVirtualNetwork ` -ResourceGroupName MyAzureResourceGroup ` -Location eastus ` -Name myAzureVNet ` -AddressPrefix 10.2.0.0/16 ` -Subnet $backendSubnet $zone = New-AzPrivateDnsZone -Name private.contoso.com -ResourceGroupName MyAzureResourceGroup $link = New-AzPrivateDnsVirtualNetworkLink -ZoneName private.contoso.com ` -ResourceGroupName MyAzureResourceGroup -Name "mylink" ` -VirtualNetworkId $vnet.id -EnableRegistration
If you want to create a zone just for name resolution (no automatic hostname registration), you can omit the
List DNS private zones
By omitting the zone name from
Get-AzPrivateDnsZone, you can enumerate all zones in a resource group. This operation returns an array of zone objects.
$zones = Get-AzPrivateDnsZone -ResourceGroupName MyAzureResourceGroup $zones
By omitting both the zone name and the resource group name from
Get-AzPrivateDnsZone, you can enumerate all zones in the Azure subscription.
$zones = Get-AzPrivateDnsZone $zones
Create the test virtual machines
Now, create two virtual machines so you can test your private DNS zone:
New-AzVm ` -ResourceGroupName "myAzureResourceGroup" ` -Name "myVM01" ` -Location "East US" ` -subnetname backendSubnet ` -VirtualNetworkName "myAzureVnet" ` -addressprefix 10.2.0.0/24 ` -OpenPorts 3389 New-AzVm ` -ResourceGroupName "myAzureResourceGroup" ` -Name "myVM02" ` -Location "East US" ` -subnetname backendSubnet ` -VirtualNetworkName "myAzureVnet" ` -addressprefix 10.2.0.0/24 ` -OpenPorts 3389
This will take a few minutes to complete.
Create an additional DNS record
You create record sets by using the
New-AzPrivateDnsRecordSet cmdlet. The following example creates a record with the relative name db in the DNS Zone private.contoso.com, in resource group MyAzureResourceGroup. The fully qualified name of the record set is db.private.contoso.com. The record type is "A", with IP address "10.2.0.4", and the TTL is 3600 seconds.
New-AzPrivateDnsRecordSet -Name db -RecordType A -ZoneName private.contoso.com ` -ResourceGroupName MyAzureResourceGroup -Ttl 3600 ` -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address "10.2.0.4")
View DNS records
To list the DNS records in your zone, run:
Get-AzPrivateDnsRecordSet -ZoneName private.contoso.com -ResourceGroupName MyAzureResourceGroup
Test the private zone
Now you can test the name resolution for your private.contoso.com private zone.
Configure VMs to allow inbound ICMP
You can use the ping command to test name resolution. So, configure the firewall on both virtual machines to allow inbound ICMP packets.
Connect to myVM01, and open a Windows PowerShell window with administrator privileges.
Run the following command:
New-NetFirewallRule –DisplayName “Allow ICMPv4-In” –Protocol ICMPv4
Repeat for myVM02.
Ping the VMs by name
From the myVM02 Windows PowerShell command prompt, ping myVM01 using the automatically registered host name:
You should see output that looks similar to this:
PS C:\> ping myvm01.private.contoso.com Pinging myvm01.private.contoso.com [10.2.0.4] with 32 bytes of data: Reply from 10.2.0.4: bytes=32 time<1ms TTL=128 Reply from 10.2.0.4: bytes=32 time=1ms TTL=128 Reply from 10.2.0.4: bytes=32 time<1ms TTL=128 Reply from 10.2.0.4: bytes=32 time<1ms TTL=128 Ping statistics for 10.2.0.4: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 1ms, Average = 0ms PS C:\>
Now ping the db name you created previously:
You should see output that looks similar to this:
PS C:\> ping db.private.contoso.com Pinging db.private.contoso.com [10.2.0.4] with 32 bytes of data: Reply from 10.2.0.4: bytes=32 time<1ms TTL=128 Reply from 10.2.0.4: bytes=32 time<1ms TTL=128 Reply from 10.2.0.4: bytes=32 time<1ms TTL=128 Reply from 10.2.0.4: bytes=32 time<1ms TTL=128 Ping statistics for 10.2.0.4: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milliseconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms PS C:\>
Delete all resources
When no longer needed, delete the MyAzureResourceGroup resource group to delete the resources created in this article.
Remove-AzResourceGroup -Name MyAzureResourceGroup
In this article, you deployed a private DNS zone, created a DNS record, and tested the zone. Next, you can learn more about private DNS zones.