Commit 1d746b5

Updating private dns zone use for private endpoints
1 parent 88968ec commit 1d746b5

1 file changed

+3
-0
lines changed

articles/application-gateway/key-vault-certs.md

Lines changed: 3 additions & 0 deletions
@@ -80,6 +80,9 @@ When you're using a restricted Key Vault, use the following steps to configure A
8080
> [!TIP]
8181
> Steps 1-3 are not required if your Key Vault has a Private Endpoint enabled. The application gateway can access the Key Vault using the private IP address.
8282
83+
> [!Note]
84+
> If using Private Endpoints, you must associate the privatelink.vaultcore.azure.net private DNS zone to the virtual network containing Application Gateway. Custom DNS may be used on the virtual network instead of Azure DNS provided resolvers, however the private dns zone will need to remain associated to the virtual network as well.
85+
8386
1. In the Azure portal, in your Key Vault, select **Networking**.
8487
1. On the **Firewalls and virtual networks** tab, select **Selected networks**.
8588
1. For **Virtual networks**, select **+ Add existing virtual networks**, and then add the virtual network and subnet for your Application Gateway instance. During the process, also configure the `Microsoft.KeyVault` service endpoint by selecting its checkbox.
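Review bot: The second sentence of the added note (new line 84) says the private DNS zone must remain associated with the virtual network when custom DNS is used, but it does not say what the custom DNS servers need to do for the Key Vault name to resolve to the private IP, so a reader with custom DNS cannot tell whether the association alone is enough. State that requirement or link to the article that covers it. Style points on the same lines: write the zone name as `privatelink.vaultcore.azure.net` in code formatting, change "private dns zone" to "private DNS zone" to match the first sentence, and use `[!NOTE]` so the marker matches the casing of the `[!TIP]` directly above it.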
