articles/private-link/private-endpoint-dns-integration.md
Lines changed: 49 additions & 10 deletions
@@ -1,39 +1,43 @@
1
1
---
2
-
title: Azure Private Endpoint DNS integration
3
-
description: Learn about Azure Private Endpoint DNS configuration scenarios.
2
+
title: Azure Private Endpoint DNS Integration Scenarios
3
+
description: Learn how to configure Azure Private Endpoint DNS for secure and efficient private IP resolution. Discover key scenarios and best practices.
4
4
services: private-link
5
5
author: abell
6
6
ms.service: azure-private-link
7
7
ms.topic: concept-article
8
-
ms.date: 03/25/2025
8
+
ms.date: 06/25/2025
9
9
ms.author: abell
10
10
ms.custom: fasttrack-edit
11
11
# Customer intent: As a network administrator, I want to configure DNS settings for Azure Private Endpoints, so that I can ensure secure and efficient resolution of private IP addresses required for my applications and services within the virtual network.
12
12
---
13
13
14
-
# Azure Private Endpoint DNS integration
14
+
# Azure Private Endpoint DNS integration Scenarios
15
15
16
-
Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network. The service can be an Azure service such as Azure Storage, Azure Cosmos DB, SQL, etc., or your own Private Link Service. This article describes DNS configuration scenarios for Azure Private Endpoint.
16
+
Azure Private Endpoint DNS integration is essential for enabling secure, private connectivity to Azure services within your virtual network. This article describes common DNS configuration scenarios for Azure Private Endpoints, including options for virtual networks, peered networks, and on-premises environments. Use these scenarios and best practices to ensure reliable and secure name resolution for your applications and services.
17
17
18
-
**For private DNS zone settings for Azure services that support a private endpoint, see [Azure Private Endpoint private DNS zone values](private-endpoint-dns.md).**
18
+
For private DNS zone settings for Azure services that support a private endpoint, see [Azure Private Endpoint private DNS zone values](private-endpoint-dns.md).
19
19
20
20
## DNS configuration scenarios
21
21
22
-
The FQDN of the services resolves automatically to a public IP address. To resolve to the private IP address of the private endpoint, change your DNS configuration.
22
+
The FQDN of the service automatically resolves to a public IP address. To resolve to the private IP address of the private endpoint, change your DNS configuration.
23
23
24
-
DNS is a critical component to make the application work correctly by successfully resolving the private endpoint IP address.
24
+
DNS is critical for your application to work correctly because it resolves the private endpoint IP address.
25
25
26
-
Based on your preferences, the following scenarios are available with DNS resolution integrated:
26
+
You can use the following DNS resolution scenarios:
27
27
28
28
-[Virtual network workloads without Azure Private Resolver](#virtual-network-workloads-without-azure-private-resolver)
29
29
30
30
-[Peered virtual network workloads without Azure Private Resolver](#virtual-network-workloads-without-custom-dns-server)
31
+
32
+
-[On-premises workloads using a DNS forwarder without Azure Private Resolver)](#on-premises-workloads-using-a-dns-forwarder-without-azure-private-resolver)
31
33
32
34
-[Azure Private Resolver for on-premises workloads](#azure-private-resolver-for-on-premises-workloads)
33
35
34
36
-[Azure Private Resolver with on-premises DNS forwarder](#on-premises-workloads-using-a-dns-forwarder)
35
37
36
38
-[Azure Private Resolver for virtual network and on-premises workloads](#virtual-network-and-on-premises-workloads-using-a-dns-forwarder)
39
+
40
+
37
41
38
42
## Virtual network workloads without Azure Private Resolver
39
43
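Review bot: the added list item `-[On-premises workloads using a DNS forwarder without Azure Private Resolver)](#on-premises-workloads-using-a-dns-forwarder-without-azure-private-resolver)` has a stray `)` inside the link text; drop it so the item reads `...without Azure Private Resolver](#...)`. The new H1 `# Azure Private Endpoint DNS integration Scenarios` also mixes cases and does not match the front-matter title `Azure Private Endpoint DNS Integration Scenarios`; pick one capitalization for both. While this list is being touched, the unchanged item for peered workloads still links to `#virtual-network-workloads-without-custom-dns-server`, which does not match the heading naming used everywhere else in the list (`...without Azure Private Resolver`), so that anchor is worth verifying.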
@@ -67,6 +71,38 @@ In this scenario, there's a [hub and spoke](/azure/architecture/reference-archit
67
71
68
72
:::image type="content" source="media/private-endpoint-dns/hub-and-spoke-azure-dns.png" alt-text="Diagram of hub and spoke with Azure-provided DNS." lightbox="media/private-endpoint-dns/hub-and-spoke-azure-dns.png":::
69
73
74
+
## On-premises workloads using a DNS forwarder without Azure Private Resolver
75
+
76
+
For on-premises workloads to resolve the FQDN of a private endpoint, configure a DNS forwarder in Azure. The DNS forwarder should be deployed in the virtual network that is linked to the private DNS zone for your private endpoint.
77
+
78
+
A [DNS forwarder](/windows-server/identity/ad-ds/plan/reviewing-dns-concepts#resolving-names-by-using-forwarding) is typically a virtual machine running DNS services or a managed service like [Azure Firewall](../firewall/dns-settings.md). The DNS forwarder receives DNS queries from on-premises or other virtual networks and forwards them to Azure DNS.
79
+
80
+
> [!NOTE]
81
+
> DNS queries for private endpoints must originate from the virtual network that is linked to the private DNS zone. The DNS forwarder enables this by proxying queries on behalf of on-premises clients.
82
+
> This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: [Azure services DNS zone configuration](private-endpoint-dns.md).
83
+
84
+
85
+
The following scenario is for an on-premises network that has a DNS forwarder in Azure. This forwarder resolves DNS queries via a server-level forwarder to the Azure provided DNS [168.63.129.16](../virtual-network/what-is-ip-address-168-63-129-16.md).
86
+
87
+
To configure properly, you need the following resources:
88
+
89
+
- On-premises network with a custom DNS solution in place
90
+
- Virtual network [connected to on-premises](/azure/architecture/reference-architectures/hybrid-networking/)
91
+
- DNS solution in deployed in your Azure environment with the capability to conditionally forward DNS requests
92
+
- Private DNS zone [privatelink.database.windows.net](../dns/private-dns-privatednszone.md) with [type A record](../dns/dns-zones-records.md#record-types)
93
+
- Private endpoint information (FQDN record name and private IP address)
94
+
95
+
96
+
> [!IMPORTANT]
97
+
> The conditional forwarding must be made to the recommended public DNS zone forwarder. For example: `database.windows.net` instead of **privatelink**.database.windows.net.
98
+
99
+
- Extend this configuration for on-premises networks that already have a custom DNS solution.
100
+
- Configure your on-premises DNS solution with a [conditional forwarder](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server) for the private DNS zone. The conditional forwarder should point to the DNS forwarder deployed in Azure, so DNS queries for private endpoints are correctly resolved.
101
+
102
+
The resolution is made by a private DNS zone [linked to a virtual network](../dns/private-dns-virtual-network-links.md):
103
+
104
+
:::image type="content" source="media/private-endpoint-dns/on-premises-forwarding-to-azure-no-resolver.png" alt-text="Diagram of on-premises forwarding to Azure DNS without Azure Private Resolver." lightbox="media/private-endpoint-dns/on-premises-forwarding-to-azure-no-resolver.png":::
105
+
70
106
## Azure Private Resolver for on-premises workloads
71
107
72
108
For on-premises workloads to resolve the FQDN of a private endpoint, use Azure Private Resolver to resolve the Azure service public DNS zone in Azure. Azure Private Resolver is an Azure managed service that can resolve DNS queries without the need for a virtual machine acting as a DNS forwarder.
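Review bot: typo in the new requirements list: `- DNS solution in deployed in your Azure environment with the capability to conditionally forward DNS requests` should read `DNS solution deployed in your Azure environment...`. After the IMPORTANT callout, the bullet `- Extend this configuration for on-premises networks that already have a custom DNS solution.` is a sentence introducing the next bullet rather than a step of its own; consider making it a plain lead-in sentence and keeping only the conditional-forwarder configuration as a bullet. The NOTE callout also folds two unrelated points together (queries must originate from the linked virtual network, and the scenario uses the Azure SQL Database zone); the other scenarios in this article keep the zone remark in its own callout, so splitting them would match the existing convention.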
@@ -155,6 +191,7 @@ The resolution is made by a private DNS zone [linked to a virtual n
155
191
156
192
:::image type="content" source="media/private-endpoint-dns/hybrid-scenario.png" alt-text="Diagram of hybrid scenario with private DNS zone." lightbox="media/private-endpoint-dns/hybrid-scenario.png":::
157
193
194
+
158
195
## Private DNS zone group
159
196
160
197
If you choose to integrate your private endpoint with a private DNS zone, a private DNS zone group is also created. The DNS zone group has a strong association between the private DNS zone and the private endpoint. It helps with managing the private DNS zone records when there's an update on the private endpoint. For example, when you add or remove regions, the private DNS zone is automatically updated with the correct number of records.
@@ -169,5 +206,7 @@ In a hub-and-spoke topology, a common scenario allows the creation of private DN
169
206
> - Adding multiple DNS zone groups to a single Private Endpoint isn't supported.
170
207
> - Delete and update operations for DNS records can be seen performed by **Azure Traffic Manager and DNS.** This is a normal platform operation necessary for managing your DNS Records.
171
208
172
-
## Next steps
209
+
## Related content
173
210
-[Learn about private endpoints](private-endpoint-overview.md)
211
+
-[Private endpoint private DNS zone values](private-endpoint-dns.md)
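Review bot: the added `Related content` link targets `private-endpoint-dns.md`, which the introduction (new line 18) already links as `Azure Private Endpoint private DNS zone values`; use the same link text in both places so readers recognize it as the same page.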