How does failover work for resources with private endpoints and public access disabled?

Question

How does failover work for resources with private endpoints and public access disabled?

Kanie-0317 120

Hi, I have a question regarding how failover behaves for Azure resources that have private endpoints attached and public access disabled. (Disaster recovery and regional outage scenario)

Let’s say I’m using a resource (e.g., Storage Account or Cosmos DB) that has built-in geo-redundancy and supports automatic or manual failover.

If I disable public access and only use private endpoints, how exactly does failover work at the network/DNS level?

Here’s my current setup:

Resource name: mystorageaccount
Primary region: has private endpoint_A and private DNS zone_A
Secondary region: has private endpoint_B and private DNS zone_B
Both private endpoints point to the same storage account which deployed in primary region.

If a failover happens, and the resource becomes active in the secondary region:
- Will my application automatically resolve to the secondary region’s private endpoint IP, assuming DNS is configured properly?
- Do I need to update any connection string?
How does DNS resolution work under this model when both regions have private endpoints and separate private DNS zones?
Is this architecture valid, or is there a better/recommended way to handle private endpoint failover scenarios?

Appreciate it any expert could share some specific examples to help clarify this, thank you!

Accepted answer

1 additional answer

Your answer

Answer 1

Praveen Bandaru 7,160 Microsoft External Staff Moderator

Hello Kanie Almasi

I understand that you're dealing with complex failover scenarios involving Azure resources with private endpoints, especially when public access is disabled. Here’s an overview of how the failover and DNS resolution work in your case:

Failover Process: If a disaster requires failing over to the secondary region (like a regional outage), the storage account will still function due to geo-redundancy. However, with private endpoints, you need to ensure DNS resolution is correctly configured.
DNS Resolution: After a failover:
- Automatic Resolution: If private DNS zones are set up correctly, applications should automatically resolve to the secondary region's private endpoint, provided DNS forwarding is properly configured.
- Connection String: Typically, you should not need to update the connection string as long as the hostname remains the same and DNS resolution is working correctly. The private endpoints will handle the traffic after the failover.
DNS Setup: It's crucial to configure DNS to point to the correct private DNS zones for each region. In a regional outage, if the primary region's DNS can't respond, conditional DNS forwarders need to be adjusted to point to the secondary region.
Best Practices: Your architecture is valid. However, review the configuration of conditional forwarders to ensure they can route traffic Check the public document for more understanding:

Failover considerations for storage accounts with private endpoints

Hope the above answer helps! Please let us know do you have any further queries. Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Kanie-0317 120 Reputation points

2025-06-05T01:45:36.66+00:00
Hi Praveen Bandaru,

Want to confirm a few points to make sure I understand correctly:

When you say "private DNS zone is set up correctly", does that mean I have properly created a secondary private endpoint for the storage account in the primary region, and it’s correctly associated with the secondary region’s private DNS zone? In this case, once I trigger a failover, no additional action is needed and the application should be able to resolve the private endpoint automatically, is that correct?

Does conditional forwarder configuration mean that my on-premises DNS server was originally set to forward queries to a DNS VM in the primary region, but now that the primary is down, I need to manually update the DNS server to forward those queries to a DNS VM in the secondary region?

If I don’t have any on-premises VMs that need to resolve or connect to the private endpoint, then I don’t need to worry about conditional forwarders at all, is that right?

Thanks for confirming!
Praveen Bandaru 7,160 Reputation points Microsoft External Staff Moderator

2025-06-05T14:56:20.11+00:00
When you say "private DNS zone is set up correctly", does that mean I have properly created a secondary private endpoint for the storage account in the primary region, and it’s correctly associated with the secondary region’s private DNS zone? In this case, once I trigger a failover, no additional action is needed and the application should be able to resolve the private endpoint automatically, is that correct?

Create a private endpoint in each region — one in the primary and one in the secondary. Both private endpoints should be linked to the same private DNS zone (e.g., privatelink.blob.core.windows.net) or zones connected to your virtual network.

The private DNS zone should have A records that resolve the storage account’s FQDN to the correct private IP of the active region’s endpoint. If your DNS zone is set to update dynamically or you have automation for updating the A record during failover, then yes, your application should automatically resolve the correct private endpoint after failover.

Does conditional forwarder configuration mean that my on-premises DNS server was originally set to forward queries to a DNS VM in the primary region, but now that the primary is down, I need to manually update the DNS server to forward those queries to a DNS VM in the secondary region?

Yes, if you're on-prem DNS server is configured with a conditional forwarder pointing to a DNS VM in the primary region, and that region goes down, then:

Your DNS queries will fail unless you manually update the forwarder to point to a DNS VM in the secondary region.

To prevent this, configure your conditional forwarder with multiple IPs (both primary and secondary DNS VMs), allowing automatic failover.

If I don’t have any on-premises VMs that need to resolve or connect to the private endpoint, then I don’t need to worry about conditional forwarders at all, is that right?

No, you don't. If all your workloads are in Azure and your private DNS zone is properly linked to your virtual networks, you don't need conditional forwarders at all. Azure manages DNS resolution internally.

Additionally adding some more points:

If you are using a custom DNS, you need to configure a forwarder pointing to the Azure DNS IP on the custom DNS server machine.

Additionally, if the custom DNS is hosted in a different VNET, you need to add the custom DNS virtual network in the private DNS zone.

If you are trying to connect from on-premises, you need to use a VPN. For connections inside Azure, you need a private DNS resolver.

Additionally, you must configure a conditional forwarder pointing to the private DNS resolver's inbound IP in your local machine's DNS server.

Kindly check the below documents for more understanding:

https://github.com/msrini-MSFT/Troubleshooting-Private-Link-DNS-Scenarios?tab=readme-ov-file#scenario-2---if-your-source-machine-is-deployed-on-premises-other-cloud

Doc 2: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

Hope the above answer helps! Please let us know do you have any further queries. Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Andreas Baumgarten 125.3K MVP Volunteer Moderator

Hi @Kanie Almasi ,

please take a look here: Failover considerations for storage accounts with private endpoints

If you are using private endpoints with an Azure Storage account there are different configurations required depending on the fail over scenario.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

Kanie-0317 120 Reputation points

2025-06-04T14:37:43.25+00:00

Hi @Andreas Baumgarten ,

Thanks for your reply. I’ve read the documentation before, but I still don’t fully understand how failover and DNS resolution actually work in practice.

I’m specifically referring to Scenario #3 in the doc, if there’s a full regional outage, do I need to update the connection string in my application, or will it resolve automatically as long as I’ve already set up a secondary private endpoint and a private DNS zone in the secondary region, both pointing to the same storage account?

In short, what steps should I take after a failover is initiated?
Andreas Baumgarten 125.3K Reputation points MVP Volunteer Moderator

2025-06-04T15:01:28.14+00:00

Hi @Kanie Almasi ,

regarding the scenario #3:

In case of a full regional outage you have to configure the on-premises conditional DNS forwarder to the second region.

With this change it is possible to use the private endpoint and the storage account in the second region.

Similar to Scenario 2, if the primary hub is unable to handle DNS responses to its endpoint, or there are other networking outages, then the conditional forwarders on-premises should be updated to the secondary region.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

Share via

How does failover work for resources with private endpoints and public access disabled?

1 additional answer

Your answer