Azure Private Endpoint DNS configuration

It's important to correctly configure your DNS settings to resolve the private endpoint IP address to the fully qualified domain name (FQDN) of the connection string.

Existing Microsoft Azure services might already have a DNS configuration for a public endpoint. This configuration must be overridden to connect using your private endpoint.

The network interface associated with the private endpoint contains the information to configure your DNS. The network interface information includes FQDN and private IP addresses for your private link resource.

You can use the following options to configure your DNS settings for private endpoints:

  • Use the host file (only recommended for testing). You can use the host file on a virtual machine to override the DNS.
  • Use a private DNS zone. You can use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve specific domains.
  • Use your DNS forwarder (optional). You can use your DNS forwarder to override the DNS resolution for a private link resource. Create a DNS forwarding rule to use a private DNS zone on your DNS server hosted in a virtual network.

Important

It is not recommended to override a zone that's actively in use to resolve public endpoints. Connections to resources won't be able to resolve correctly without DNS forwarding to the public DNS. To avoid issues, create a different domain name or follow the suggested name for each service below.

Azure services DNS zone configuration

Azure creates a canonical name DNS record (CNAME) on the public DNS. The CNAME record redirects the resolution to the private domain name. You can override the resolution with the private IP address of your private endpoints.

Your applications don't need to change the connection URL. When resolving to a public DNS service, the DNS server will resolve to your private endpoints. The process doesn't affect your existing applications.

Important

Private networks already using the private DNS zone for a given type, can only connect to public resources if they don't have any private endpoint connections, otherwise a corresponding DNS configuration is required on the private DNS zone in order to complete the DNS resolution sequence.

For Azure services, use the recommended zone names as described in the following table:

Private link resource type / Subresource Private DNS zone name Public DNS zone forwarders
Azure Automation / (Microsoft.Automation/automationAccounts) / Webhook, DSCAndHybridWorker privatelink.azure-automation.net azure-automation.net
Azure SQL Database (Microsoft.Sql/servers) / sqlServer privatelink.database.windows.net database.windows.net
Azure Synapse Analytics (Microsoft.Synapse/workspaces) / Sql privatelink.sql.azuresynapse.net sql.azuresynapse.net
Azure Synapse Analytics (Microsoft.Synapse/workspaces) / SqlOnDemand privatelink.sql.azuresynapse.net sqlondemand.azuresynapse.net
Azure Synapse Analytics (Microsoft.Synapse/workspaces) / Dev privatelink.dev.azuresynapse.net dev.azuresynapse.net
Azure Synapse Studio (Microsoft.Synapse/privateLinkHubs) / Web privatelink.azuresynapse.net azuresynapse.net
Storage account (Microsoft.Storage/storageAccounts) / Blob (blob, blob_secondary) privatelink.blob.core.windows.net blob.core.windows.net
Storage account (Microsoft.Storage/storageAccounts) / Table (table, table_secondary) privatelink.table.core.windows.net table.core.windows.net
Storage account (Microsoft.Storage/storageAccounts) / Queue (queue, queue_secondary) privatelink.queue.core.windows.net queue.core.windows.net
Storage account (Microsoft.Storage/storageAccounts) / File (file, file_secondary) privatelink.file.core.windows.net file.core.windows.net
Storage account (Microsoft.Storage/storageAccounts) / Web (web, web_secondary) privatelink.web.core.windows.net web.core.windows.net
Azure Data Lake File System Gen2 (Microsoft.Storage/storageAccounts) / Data Lake File System Gen2 (dfs, dfs_secondary) privatelink.dfs.core.windows.net dfs.core.windows.net
Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / SQL privatelink.documents.azure.com documents.azure.com
Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / MongoDB privatelink.mongo.cosmos.azure.com mongo.cosmos.azure.com
Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Cassandra privatelink.cassandra.cosmos.azure.com cassandra.cosmos.azure.com
Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Gremlin privatelink.gremlin.cosmos.azure.com gremlin.cosmos.azure.com
Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Table privatelink.table.cosmos.azure.com table.cosmos.azure.com
Azure Batch (Microsoft.Batch/batchAccounts) / batch account privatelink.{region}.batch.azure.com {region}.batch.azure.com
Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) / postgresqlServer privatelink.postgres.database.azure.com postgres.database.azure.com
Azure Database for MySQL (Microsoft.DBforMySQL/servers) / mysqlServer privatelink.mysql.database.azure.com mysql.database.azure.com
Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) / mariadbServer privatelink.mariadb.database.azure.com mariadb.database.azure.com
Azure Key Vault (Microsoft.KeyVault/vaults) / vault privatelink.vaultcore.azure.net vault.azure.net
vaultcore.azure.net
Azure Kubernetes Service - Kubernetes API (Microsoft.ContainerService/managedClusters) / management privatelink.{region}.azmk8s.io {region}.azmk8s.io
Azure Search (Microsoft.Search/searchServices) / searchService privatelink.search.windows.net search.windows.net
Azure Container Registry (Microsoft.ContainerRegistry/registries) / registry privatelink.azurecr.io azurecr.io
Azure App Configuration (Microsoft.AppConfiguration/configurationStores) / configurationStores privatelink.azconfig.io azconfig.io
Azure Backup (Microsoft.RecoveryServices/vaults) / AzureBackup privatelink.{region}.backup.windowsazure.com {region}.backup.windowsazure.com
Azure Site Recovery (Microsoft.RecoveryServices/vaults) / AzureSiteRecovery privatelink.siterecovery.windowsazure.com {region}.hypervrecoverymanager.windowsazure.com
Azure Event Hubs (Microsoft.EventHub/namespaces) / namespace privatelink.servicebus.windows.net servicebus.windows.net
Azure Service Bus (Microsoft.ServiceBus/namespaces) / namespace privatelink.servicebus.windows.net servicebus.windows.net
Azure IoT Hub (Microsoft.Devices/IotHubs) / iotHub privatelink.azure-devices.net
privatelink.servicebus.windows.net1
azure-devices.net
servicebus.windows.net
Azure Relay (Microsoft.Relay/namespaces) / namespace privatelink.servicebus.windows.net servicebus.windows.net
Azure Event Grid (Microsoft.EventGrid/topics) / topic privatelink.eventgrid.azure.net eventgrid.azure.net
Azure Event Grid (Microsoft.EventGrid/domains) / domain privatelink.eventgrid.azure.net eventgrid.azure.net
Azure Web Apps (Microsoft.Web/sites) / sites privatelink.azurewebsites.net azurewebsites.net
Azure Machine Learning (Microsoft.MachineLearningServices/workspaces) / amlworkspace privatelink.api.azureml.ms
privatelink.notebooks.azure.net
api.azureml.ms
notebooks.azure.net
instances.azureml.ms
aznbcontent.net
SignalR (Microsoft.SignalRService/SignalR) / signalR privatelink.service.signalr.net service.signalr.net
Azure Monitor (Microsoft.Insights/privateLinkScopes) / azuremonitor privatelink.monitor.azure.com
privatelink.oms.opinsights.azure.com
privatelink.ods.opinsights.azure.com
privatelink.agentsvc.azure-automation.net
privatelink.blob.core.windows.net
monitor.azure.com
oms.opinsights.azure.com
ods.opinsights.azure.com
agentsvc.azure-automation.net
blob.core.windows.net
Cognitive Services (Microsoft.CognitiveServices/accounts) / account privatelink.cognitiveservices.azure.com cognitiveservices.azure.com
Azure File Sync (Microsoft.StorageSync/storageSyncServices) / afs privatelink.afs.azure.net afs.azure.net
Azure Data Factory (Microsoft.DataFactory/factories) / dataFactory privatelink.datafactory.azure.net datafactory.azure.net
Azure Data Factory (Microsoft.DataFactory/factories) / portal privatelink.adf.azure.com adf.azure.com
Azure Cache for Redis (Microsoft.Cache/Redis) / redisCache privatelink.redis.cache.windows.net redis.cache.windows.net
Azure Cache for Redis Enterprise (Microsoft.Cache/RedisEnterprise) / redisCache privatelink.redisenterprise.cache.azure.net redisenterprise.cache.azure.net
Azure Purview (Microsoft.Purview) privatelink.purview.azure.com purview.azure.com
Azure Digital Twins (Microsoft.DigitalTwins) / digitalTwinsInstances privatelink.digitaltwins.azure.net digitaltwins.azure.net

1To use with IoT Hub's built-in Event Hub compatible endpoint. To learn more, see private link support for IoT Hub's built-in endpoint

China

Private link resource type / Subresource Private DNS zone name Public DNS zone forwarders
Azure SQL Database (Microsoft.Sql/servers) / SQL Server privatelink.database.chinacloudapi.cn database.chinacloudapi.cn
Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / SQL privatelink.documents.azure.cn documents.azure.cn
Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / MongoDB privatelink.mongo.cosmos.azure.cn mongo.cosmos.azure.cn
Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Cassandra privatelink.cassandra.cosmos.azure.cn cassandra.cosmos.azure.cn
Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Gremlin privatelink.gremlin.cosmos.azure.cn gremlin.cosmos.azure.cn
Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Table privatelink.table.cosmos.azure.cn table.cosmos.azure.cn
Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) / postgresqlServer privatelink.postgres.database.chinacloudapi.cn postgres.database.chinacloudapi.cn
Azure Database for MySQL (Microsoft.DBforMySQL/servers) / mysqlServer privatelink.mysql.database.chinacloudapi.cn mysql.database.chinacloudapi.cn
Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) / mariadbServer privatelink.mariadb.database.chinacloudapi.cn mariadb.database.chinacloudapi.cn

DNS configuration scenarios

The FQDN of the services resolves automatically to a public IP address. To resolve to the private IP address of the private endpoint, change your DNS configuration.

DNS is a critical component to make the application work correctly by successfully resolving the private endpoint IP address.

Based on your preferences, the following scenarios are available with DNS resolution integrated:

Virtual network workloads without custom DNS server

This configuration is appropriate for virtual network workloads without a custom DNS server. In this scenario, the client queries for the private endpoint IP address to the Azure-provided DNS service 168.63.129.16. Azure DNS will be responsible for DNS resolution of the private DNS zones.

Note

This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: Azure services DNS zone configuration.

To configure properly, you need the following resources:

The following screenshot illustrates the DNS resolution sequence from virtual network workloads using the private DNS zone:

Single virtual network and Azure-provided DNS

You can extend this model to peered virtual networks associated to the same private endpoint. Add new virtual network links to the private DNS zone for all peered virtual networks.

Important

A single private DNS zone is required for this configuration. Creating multiple zones with the same name for different virtual networks would need manual operations to merge the DNS records.

Important

If you're using a private endpoint in a hub-and-spoke model from a different subscription or even within the same subscription, link the same private DNS zones to all spokes and hub virtual networks that contain clients that need DNS resolution from the zones.

In this scenario, there's a hub and spoke networking topology. The spoke networks share a private endpoint. The spoke virtual networks are linked to the same private DNS zone.

Hub and spoke with Azure-provided DNS

On-premises workloads using a DNS forwarder

For on-premises workloads to resolve the FQDN of a private endpoint, use a DNS forwarder to resolve the Azure service public DNS zone in Azure. A DNS forwarder is a Virtual Machine running on the Virtual Network linked to the Private DNS Zone that can proxy DNS queries coming from other Virtual Networks or from on-premises. This is required as the query must be originated from the Virtual Network to Azure DNS. A few options for DNS proxies are: Windows running DNS services, Linux running DNS services, Azure Firewall.

The following scenario is for an on-premises network that has a DNS forwarder in Azure. This forwarder resolves DNS queries via a server-level forwarder to the Azure provided DNS 168.63.129.16.

Note

This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: Azure services DNS zone configuration.

To configure properly, you need the following resources:

The following diagram illustrates the DNS resolution sequence from an on-premises network. The configuration uses a DNS forwarder deployed in Azure. The resolution is made by a private DNS zone linked to a virtual network:

On-premises using Azure DNS

This configuration can be extended for an on-premises network that already has a DNS solution in place.  The on-premises DNS solution is configured to forward DNS traffic to Azure DNS via a conditional forwarder. The conditional forwarder references the DNS forwarder deployed in Azure.

Note

 This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: Azure services DNS zone configuration

To configure properly, you need the following resources:

The following diagram illustrates the DNS resolution from an on-premises network. DNS resolution is conditionally forwarded to Azure. The resolution is made by a private DNS zone linked to a virtual network.

Important

 The conditional forwarding must be made to the recommended public DNS zone forwarder. For example: database.windows.net instead of privatelink.database.windows.net.

On-premises forwarding to Azure DNS

Virtual network and on-premises workloads using a DNS forwarder

For workloads accessing a private endpoint from virtual and on-premises networks, use a DNS forwarder to resolve the Azure service public DNS zone deployed in Azure.

The following scenario is for an on-premises network with virtual networks in Azure. Both networks access the private endpoint located in a shared hub network.

This DNS forwarder is responsible for resolving all the DNS queries via a server-level forwarder to the Azure-provided DNS service 168.63.129.16.

Important

A single private DNS zone is required for this configuration. All client connections made from on-premises and peered virtual networks must  also use the same private DNS zone.

Note

This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: Azure services DNS zone configuration.

To configure properly, you need the following resources:

The following diagram shows the DNS resolution for both networks, on-premises and virtual networks. The resolution is using a DNS forwarder. The resolution is made by a private DNS zone linked to a virtual network:

Hybrid scenario

Next steps