Azure Private Endpoints and DNS — the essentials


The DNS piece most people miss

When you create a Private Endpoint, Azure creates a NIC in your subnet with a private IP. Your apps, however, keep using the service's public FQDN, so whether traffic actually goes through the endpoint comes down to DNS: the FQDN has to resolve to that private IP from inside the VNet.

Check what a storage account resolves to publicly:

nslookup mystorage.blob.core.windows.net

Once a Private Endpoint exists for the account, the public answer is a CNAME to mystorage.privatelink.blob.core.windows.net, which from the internet continues on to the public IP. If a Private DNS Zone named privatelink.blob.core.windows.net is linked to your VNet, that CNAME is instead answered from the zone and resolves to the private IP. A client whose VNet is not linked to the zone (or whose custom DNS does not forward to Azure DNS) still gets the public IP and reaches the public endpoint, so keep that in mind before relying on the endpoint alone for isolation.

Create the DNS zone and link:

az network private-dns zone create -g myRG -n privatelink.blob.core.windows.net
az network private-dns link vnet create -g myRG -n myLink \
  --zone-name privatelink.blob.core.windows.net --virtual-network myVnet --registration-enabled false

The A record in the zone is created and maintained automatically when you create the Private Endpoint with a DNS zone group that points at this zone; without a zone group you have to add and update the record yourself.
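The following script, an added example that is not the post's own code, completes the procedure above and adds the check a practitioner wants afterwards: it creates the Private Endpoint and its DNS zone group, then verifies from inside the VNet that the FQDN resolves to a private address rather than the public endpoint. The resource names (myRG, myVnet, mySubnet, mystorage, myPE, myZoneGroup) are assumed placeholders, and the zone-name helper assumes the privatelink.<public suffix> pattern that storage follows (some services use a different zone name, so check the service's documentation).

```shell
#!/bin/sh
# Added example, not the post's code. Assumed names: myRG, myVnet, mySubnet,
# mystorage, myPE, myZoneGroup. Replace them with your own.

# Map a storage-account blob FQDN to the Private DNS zone it needs.
# Assumption: the privatelink.<public suffix> pattern, which holds for storage.
privatelink_zone_for() {
  fqdn=$1
  printf 'privatelink.%s\n' "${fqdn#*.}"
}

# Exit 0 when the address is in an RFC 1918 range, i.e. the answer came
# from the private zone rather than the public endpoint.
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify a resolver answer as "private" or "public".
classify_answer() {
  if is_rfc1918 "$1"; then echo private; else echo public; fi
}

# Create the endpoint and the DNS zone group that auto-populates the A record.
# Call this only where az is logged in; nothing here runs at load time.
create_endpoint_with_zone_group() {
  rg=myRG; vnet=myVnet; subnet=mySubnet; account=mystorage; pe=myPE
  zone=$(privatelink_zone_for "$account.blob.core.windows.net")
  sa_id=$(az storage account show -g "$rg" -n "$account" --query id -o tsv)
  az network private-endpoint create -g "$rg" -n "$pe" \
    --vnet-name "$vnet" --subnet "$subnet" \
    --private-connection-resource-id "$sa_id" \
    --group-id blob --connection-name "$pe-conn"
  az network private-endpoint dns-zone-group create -g "$rg" \
    --endpoint-name "$pe" -n myZoneGroup \
    --private-dns-zone "$zone" --zone-name blob
}

# Run from a VM inside the linked VNet: the FQDN must resolve to a private IP.
# dig +short prints the CNAME chain followed by the final address; take the last line.
verify_from_vnet() {
  fqdn=$1
  ip=$(dig +short "$fqdn" | tail -n 1)
  [ -n "$ip" ] || { echo "no answer for $fqdn"; return 2; }
  case $(classify_answer "$ip") in
    private) echo "OK: $fqdn -> $ip (private endpoint)"; return 0 ;;
    public)  echo "WARNING: $fqdn -> $ip (public endpoint: zone not linked or DNS not forwarding to Azure DNS)"; return 1 ;;
  esac
}

# Usage from a VM in the VNet, after create_endpoint_with_zone_group:
#   verify_from_vnet mystorage.blob.core.windows.net
```

A non-zero exit from verify_from_vnet is the signal to act on: it means clients in that VNet are still hitting the public endpoint, usually because the zone is not linked to the VNet or the VNet's custom DNS servers do not forward to Azure DNS.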

Tip: Centralize Private DNS Zones in a hub subscription and link them to every spoke VNet that needs them; a spoke that uses its own DNS servers also needs those servers to forward to Azure DNS, or its clients keep resolving the public IP.