DNS Privatelink

riccardo 41 Reputation points Microsoft Employee
2025-05-30T09:14:34.55+00:00

I found this statement at this link https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns?source=docs:

Existing Private DNS Zones linked to a single Azure service should not be associated with two different Azure service Private Endpoints. This will cause a deletion of the initial A-record and result in resolution issue when attempting to access that service from each respective Private Endpoint. Create a DNS zone for each Private Endpoint of like services. Don't place records for multiple services in the same DNS zone.

What does it mean?


Accepted answer
    Alex Burlachenko 13,325 Reputation points Volunteer Moderator
    2025-06-02T07:54:16.06+00:00

    Hi riccardo, so microsoft’s basically saying if u link the same private dns zone to two different private endpoints for the SAME azure service, it’s gonna cause problems )) like, the first a-record (that’s the dns entry that points to the ip) will get deleted, and then ups u can’t reach the service properly from either endpoint. not cool, right?

    here’s how u avoid this mess: create a separate dns zone for each private endpoint, even if they’re for the same type of service. and hey, don’t mix records for different services in one zone, keep ‘em clean and separate. microsoft’s docs explain it here: private endpoint dns config.

    why does this happen? well, azure’s dns system gets confused when two endpoints fight over the same zone. it’s like two people trying to edit the same doc at once, stuff gets overwritten )) so yeah, just give each endpoint its own zone, and u’re golden.

    aha, and btw, big thanks for dropping this q! dns stuff can be a headache, but once u get it, it’s smooth sailing ))) microsoft’s privatelink is actually super powerful once u set it up right, just gotta follow these rules to keep things running smooth.

    rgds,

    Alex

    and "yes" if you would follow me at Q&A - personally thx.
    P.S. If my answer helped you, please Accept my answer
    PPS That is my Answer and not a Comment

    https://ctrlaltdel.blog/


1 additional answer

    G Sree Vidya 4,080 Reputation points Microsoft External Staff Moderator
    2025-05-30T15:01:59.0933333+00:00

    Hello riccardo

    According to the statement, if you have a Private DNS Zone (e.g., privatelink.blob.core.windows.net) linked to a storage account and create two Private Endpoints for that storage account (possibly in different regions or VNets), only one A record will be present in the DNS zone at any given time.

    When the second Private Endpoint is created, it overwrites the A record of the first one.

    • This causes DNS resolution issues, because clients trying to reach the first endpoint will now resolve to the second one.
    • Therefore, it is recommended to create separate DNS zones for each Private Endpoint to avoid conflicts and ensure that each service can be reached without any issues.

    So, if you're managing multiple services that will have Private Endpoints, you'll want to set up individual Private DNS Zones for each one. This approach helps keep things organized and avoids any DNS problems.

    • For example:
      • privatelink1.blob.core.windows.net → linked to privatednszone1
      • privatelink2.blob.core.windows.net → linked to privatednszone2

    This ensures that each Private Endpoint has its own DNS record and avoids conflicts.

    Refer: https://learn.microsoft.com/en-us/azure/dns/private-dns-scenarios


    I hope this information is helpful! If my answer helped you resolve your issue, please consider marking it as the correct answer or Upvote. This helps others in the community find solutions more easily. Thanks!

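A small model of the conflict both answers describe, added here as an example; it is not code from the thread, from Microsoft or from Azure itself. It assumes exactly what the answers state: a Private Endpoint's DNS zone group writes an A record for the service's privatelink name into the linked zone, and a second endpoint for the same service writing into the same zone replaces that record instead of adding one. Zone IDs, endpoint names and IPs are constructed sample values, and `find_shared_zones` is a hypothetical pre-deployment check that flags the shared-zone pattern before it causes a resolution problem.

```python
from dataclasses import dataclass, field


@dataclass
class PrivateEndpoint:
    name: str
    service_fqdn: str  # privatelink FQDN of the service the endpoint fronts
    zone_id: str       # "<resource-group>/<zone DNS name>": two zones may share a DNS name
    ip: str            # private IP on the endpoint's NIC (constructed sample values below)


@dataclass
class PrivateDnsZone:
    zone_id: str
    a_records: dict = field(default_factory=dict)   # relative record name -> IP
    overwrites: list = field(default_factory=list)  # (record, old_ip, new_ip, endpoint)

    @property
    def dns_name(self):
        return self.zone_id.split("/", 1)[1]

    def record_name(self, fqdn):
        # Relative A-record name inside this zone, or None if the FQDN is not under it.
        suffix = "." + self.dns_name
        return fqdn[: -len(suffix)] if fqdn.endswith(suffix) else None

    def register(self, pe):
        # Assumed behaviour, as the thread describes it: a later endpoint for the same
        # service replaces the existing A record instead of adding a second one.
        rec = self.record_name(pe.service_fqdn)
        if rec is None:
            raise ValueError(f"{pe.service_fqdn} is not under zone {self.dns_name}")
        old = self.a_records.get(rec)
        if old is not None and old != pe.ip:
            self.overwrites.append((rec, old, pe.ip, pe.name))
        self.a_records[rec] = pe.ip


def apply_zone_groups(endpoints):
    """Replay each endpoint's DNS zone-group registration in creation order."""
    zones = {}
    for pe in endpoints:
        zones.setdefault(pe.zone_id, PrivateDnsZone(pe.zone_id)).register(pe)
    return zones


def resolve(zones, linked_zone_ids, fqdn):
    """Answer a query from a VNet linked to the given zones (None = no record)."""
    for zone_id in linked_zone_ids:
        zone = zones[zone_id]
        rec = zone.record_name(fqdn)
        if rec is not None and rec in zone.a_records:
            return zone.a_records[rec]
    return None


def find_shared_zones(endpoints):
    """Hypothetical check: (zone, service) pairs that more than one endpoint writes to."""
    writers = {}
    for pe in endpoints:
        writers.setdefault((pe.zone_id, pe.service_fqdn), []).append(pe.name)
    return {key: names for key, names in writers.items() if len(names) > 1}


# Constructed sample: one storage account, one endpoint per region.
STORAGE_FQDN = "stor1.privatelink.blob.core.windows.net"
HUB_ZONE = "rg-hub/privatelink.blob.core.windows.net"
WEST_ZONE = "rg-west/privatelink.blob.core.windows.net"
NORTH_ZONE = "rg-north/privatelink.blob.core.windows.net"

# The pattern the docs warn about: both endpoints write into one shared zone.
SHARED = [
    PrivateEndpoint("pe-west", STORAGE_FQDN, HUB_ZONE, "10.1.0.4"),
    PrivateEndpoint("pe-north", STORAGE_FQDN, HUB_ZONE, "10.2.0.4"),
]
# The recommended layout: a zone per endpoint, each linked to its own VNet.
SEPARATE = [
    PrivateEndpoint("pe-west", STORAGE_FQDN, WEST_ZONE, "10.1.0.4"),
    PrivateEndpoint("pe-north", STORAGE_FQDN, NORTH_ZONE, "10.2.0.4"),
]


def demo():
    shared = apply_zone_groups(SHARED)
    separate = apply_zone_groups(SEPARATE)
    return {
        "shared_overwrites": shared[HUB_ZONE].overwrites,
        "shared_west_resolves_to": resolve(shared, [HUB_ZONE], STORAGE_FQDN),
        "separate_west_resolves_to": resolve(separate, [WEST_ZONE], STORAGE_FQDN),
        "separate_north_resolves_to": resolve(separate, [NORTH_ZONE], STORAGE_FQDN),
        "shared_conflicts": find_shared_zones(SHARED),
        "separate_conflicts": find_shared_zones(SEPARATE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the shared layout the west VNet, which is linked to the hub zone, resolves the storage account to the north endpoint's IP after the second registration, which is the resolution issue the docs describe; in the per-endpoint layout each VNet only sees its own zone and gets its own endpoint. The `find_shared_zones` check is the kind of guard a deployment pipeline can run over planned endpoints before any zone group is created.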
