It's important to correctly configure your DNS settings so that the fully qualified domain name (FQDN) in the connection string resolves to the private endpoint IP address.
Existing Microsoft Azure services might already have a DNS configuration for a public endpoint. This configuration must be overridden to connect using your private endpoint.
The network interface associated with the private endpoint contains the information to configure your DNS. The network interface information includes FQDN and private IP addresses for your private link resource.
You can use the following options to configure your DNS settings for private endpoints:
- Use the host file (only recommended for testing). You can use the host file on a virtual machine to override the DNS.
- Use a private DNS zone. You can use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve specific domains.
- Use your DNS forwarder (optional). You can use your DNS forwarder to override the DNS resolution for a private link resource. Create a DNS forwarding rule to use a private DNS zone on your DNS server hosted in a virtual network.
Important
It is not recommended to override a zone that's actively in use to resolve public endpoints. Connections to resources won't be able to resolve correctly without DNS forwarding to the public DNS. To avoid issues, create a different domain name or follow the suggested name for each service below.
Important
Existing Private DNS Zones tied to a single service should not be associated with two different Private Endpoints as it will not be possible to properly resolve two different A-Records that point to the same service. However, Private DNS Zones tied to multiple services would not face this resolution constraint.
Azure services DNS zone configuration
Azure creates a canonical name DNS record (CNAME) on the public DNS. The CNAME record redirects the resolution to the private domain name. You can override the resolution with the private IP address of your private endpoints.
Your applications don't need to change the connection URL. When resolving to a public DNS service, the DNS server will resolve to your private endpoints. The process doesn't affect your existing applications.
Important
Private networks already using the private DNS zone for a given type can only connect to public resources if they don't have any private endpoint connections. Otherwise, a corresponding DNS configuration is required on the private DNS zone in order to complete the DNS resolution sequence.
Private endpoint private DNS zone configurations will only automatically generate if you use the recommended naming scheme in the table below.
For Azure services, use the recommended zone names as described in the following table:
| Private link resource type / Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|
| Azure Automation / (Microsoft.Automation/automationAccounts) / Webhook, DSCAndHybridWorker | privatelink.azure-automation.net | azure-automation.net |
| Azure SQL Database (Microsoft.Sql/servers) / sqlServer | privatelink.database.windows.net | database.windows.net |
| Azure SQL Managed Instance (Microsoft.Sql/managedInstances) | privatelink.{dnsPrefix}.database.windows.net | {instanceName}.{dnsPrefix}.database.windows.net |
| Azure Synapse Analytics (Microsoft.Synapse/workspaces) / Sql | privatelink.sql.azuresynapse.net | sql.azuresynapse.net |
| Azure Synapse Analytics (Microsoft.Synapse/workspaces) / SqlOnDemand | privatelink.sql.azuresynapse.net | {workspaceName}-ondemand.sql.azuresynapse.net |
| Azure Synapse Analytics (Microsoft.Synapse/workspaces) / Dev | privatelink.dev.azuresynapse.net | dev.azuresynapse.net |
| Azure Synapse Studio (Microsoft.Synapse/privateLinkHubs) / Web | privatelink.azuresynapse.net | azuresynapse.net |
| Storage account (Microsoft.Storage/storageAccounts) / Blob (blob, blob_secondary) | privatelink.blob.core.windows.net | blob.core.windows.net |
| Storage account (Microsoft.Storage/storageAccounts) / Table (table, table_secondary) | privatelink.table.core.windows.net | table.core.windows.net |
| Storage account (Microsoft.Storage/storageAccounts) / Queue (queue, queue_secondary) | privatelink.queue.core.windows.net | queue.core.windows.net |
| Storage account (Microsoft.Storage/storageAccounts) / File (file, file_secondary) | privatelink.file.core.windows.net | file.core.windows.net |
| Storage account (Microsoft.Storage/storageAccounts) / Web (web, web_secondary) | privatelink.web.core.windows.net | web.core.windows.net |
| Azure Data Lake File System Gen2 (Microsoft.Storage/storageAccounts) / Data Lake File System Gen2 (dfs, dfs_secondary) | privatelink.dfs.core.windows.net | dfs.core.windows.net |
| Azure Cosmos DB (Microsoft.DocumentDb/databaseAccounts) / Sql | privatelink.documents.azure.com | documents.azure.com |
| Azure Cosmos DB (Microsoft.DocumentDb/databaseAccounts) / MongoDB | privatelink.mongo.cosmos.azure.com | mongo.cosmos.azure.com |
| Azure Cosmos DB (Microsoft.DocumentDb/databaseAccounts) / Cassandra | privatelink.cassandra.cosmos.azure.com | cassandra.cosmos.azure.com |
| Azure Cosmos DB (Microsoft.DocumentDb/databaseAccounts) / Gremlin | privatelink.gremlin.cosmos.azure.com | gremlin.cosmos.azure.com |
| Azure Cosmos DB (Microsoft.DocumentDb/databaseAccounts) / Table | privatelink.table.cosmos.azure.com | table.cosmos.azure.com |
| Azure Batch (Microsoft.Batch/batchAccounts) / batchAccount | privatelink.batch.azure.com | {regionName}.batch.azure.com |
| Azure Batch (Microsoft.Batch/batchAccounts) / nodeManagement | privatelink.batch.azure.com | {regionName}.service.batch.azure.com |
| Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) / postgresqlServer | privatelink.postgres.database.azure.com | postgres.database.azure.com |
| Azure Database for MySQL (Microsoft.DBforMySQL/servers) / mysqlServer | privatelink.mysql.database.azure.com | mysql.database.azure.com |
| Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) / mariadbServer | privatelink.mariadb.database.azure.com | mariadb.database.azure.com |
| Azure Key Vault (Microsoft.KeyVault/vaults) / vault | privatelink.vaultcore.azure.net | vault.azure.net, vaultcore.azure.net |
| Azure Key Vault (Microsoft.KeyVault/managedHSMs) / Managed HSMs | privatelink.managedhsm.azure.net | managedhsm.azure.net |
| Azure Kubernetes Service - Kubernetes API (Microsoft.ContainerService/managedClusters) / management | privatelink.{regionName}.azmk8s.io, {subzone}.privatelink.{regionName}.azmk8s.io | {regionName}.azmk8s.io |
| Azure Search (Microsoft.Search/searchServices) / searchService | privatelink.search.windows.net | search.windows.net |
| Azure Container Registry (Microsoft.ContainerRegistry/registries) / registry | privatelink.azurecr.io, {regionName}.privatelink.azurecr.io | azurecr.io, {regionName}.azurecr.io |
| Azure App Configuration (Microsoft.AppConfiguration/configurationStores) / configurationStores | privatelink.azconfig.io | azconfig.io |
| Azure Backup (Microsoft.RecoveryServices/vaults) / AzureBackup | privatelink.{regionCode}.backup.windowsazure.com | {regionCode}.backup.windowsazure.com |
| Azure Site Recovery (Microsoft.RecoveryServices/vaults) / AzureSiteRecovery | privatelink.siterecovery.windowsazure.com | {regionCode}.siterecovery.windowsazure.com |
| Azure Event Hubs (Microsoft.EventHub/namespaces) / namespace | privatelink.servicebus.windows.net | servicebus.windows.net |
| Azure Service Bus (Microsoft.ServiceBus/namespaces) / namespace | privatelink.servicebus.windows.net | servicebus.windows.net |
| Azure IoT Hub (Microsoft.Devices/IotHubs) / iotHub | privatelink.azure-devices.net, privatelink.servicebus.windows.net ¹ | azure-devices.net, servicebus.windows.net |
| Azure IoT Hub Device Provisioning Service (Microsoft.Devices/ProvisioningServices) / iotDps | privatelink.azure-devices-provisioning.net | azure-devices-provisioning.net |
| Azure Relay (Microsoft.Relay/namespaces) / namespace | privatelink.servicebus.windows.net | servicebus.windows.net |
| Azure Event Grid (Microsoft.EventGrid/topics) / topic | privatelink.eventgrid.azure.net | eventgrid.azure.net |
| Azure Event Grid (Microsoft.EventGrid/domains) / domain | privatelink.eventgrid.azure.net | eventgrid.azure.net |
| Azure Web Apps (Microsoft.Web/sites) / sites | privatelink.azurewebsites.net, scm.privatelink.azurewebsites.net | azurewebsites.net, scm.azurewebsites.net |
| Azure Machine Learning (Microsoft.MachineLearningServices/workspaces) / amlworkspace | privatelink.api.azureml.ms, privatelink.notebooks.azure.net | api.azureml.ms, notebooks.azure.net, instances.azureml.ms, aznbcontent.net, inference.ml.azure.com |
| SignalR (Microsoft.SignalRService/SignalR) / signalR | privatelink.service.signalr.net | service.signalr.net |
| Azure Monitor (Microsoft.Insights/privateLinkScopes) / azuremonitor | privatelink.monitor.azure.com, privatelink.oms.opinsights.azure.com, privatelink.ods.opinsights.azure.com, privatelink.agentsvc.azure-automation.net, privatelink.blob.core.windows.net | monitor.azure.com, oms.opinsights.azure.com, ods.opinsights.azure.com, agentsvc.azure-automation.net, blob.core.windows.net |
| Cognitive Services (Microsoft.CognitiveServices/accounts) / account | privatelink.cognitiveservices.azure.com, privatelink.openai.azure.com | cognitiveservices.azure.com, openai.azure.com |
| Azure File Sync (Microsoft.StorageSync/storageSyncServices) / afs | {regionName}.privatelink.afs.azure.net | {regionName}.afs.azure.net |
| Azure Data Factory (Microsoft.DataFactory/factories) / dataFactory | privatelink.datafactory.azure.net | datafactory.azure.net |
| Azure Data Factory (Microsoft.DataFactory/factories) / portal | privatelink.adf.azure.com | adf.azure.com |
| Azure Cache for Redis (Microsoft.Cache/Redis) / redisCache | privatelink.redis.cache.windows.net | redis.cache.windows.net |
| Azure Cache for Redis Enterprise (Microsoft.Cache/RedisEnterprise) / redisEnterprise | privatelink.redisenterprise.cache.azure.net | redisenterprise.cache.azure.net |
| Microsoft Purview (Microsoft.Purview) / account | privatelink.purview.azure.com | purview.azure.com |
| Microsoft Purview (Microsoft.Purview) / portal | privatelink.purviewstudio.azure.com | purview.azure.com |
| Azure Digital Twins (Microsoft.DigitalTwins) / digitalTwinsInstances | privatelink.digitaltwins.azure.net | digitaltwins.azure.net |
| Azure HDInsight (Microsoft.HDInsight) | privatelink.azurehdinsight.net | azurehdinsight.net |
| Azure Arc (Microsoft.HybridCompute) / hybridcompute | privatelink.his.arc.azure.com, privatelink.guestconfiguration.azure.com, privatelink.kubernetesconfiguration.azure.com | his.arc.azure.com, guestconfiguration.azure.com, kubernetesconfiguration.azure.com |
| Azure Media Services (Microsoft.Media) / keydelivery, liveevent, streamingendpoint | privatelink.media.azure.net | media.azure.net |
| Azure Data Explorer (Microsoft.Kusto) | privatelink.{regionName}.kusto.windows.net | {regionName}.kusto.windows.net |
| Azure Static Web Apps (Microsoft.Web/staticSites) / staticSites | privatelink.azurestaticapps.net, privatelink.{partitionId}.azurestaticapps.net | azurestaticapps.net, {partitionId}.azurestaticapps.net |
| Azure Migrate (Microsoft.Migrate) / migrate projects, assessment project and discovery site | privatelink.prod.migration.windowsazure.com | prod.migration.windowsazure.com |
| Azure API Management (Microsoft.ApiManagement/service) / gateway | privatelink.azure-api.net | azure-api.net |
| Microsoft PowerBI (Microsoft.PowerBI/privateLinkServicesForPowerBI) | privatelink.analysis.windows.net, privatelink.pbidedicated.windows.net, privatelink.tip1.powerquery.microsoft.com | analysis.windows.net, pbidedicated.windows.net, tip1.powerquery.microsoft.com |
| Azure Bot Service (Microsoft.BotService/botServices) / Bot | privatelink.directline.botframework.com | directline.botframework.com, europe.directline.botframework.com |
| Azure Bot Service (Microsoft.BotService/botServices) / Token | privatelink.token.botframework.com | token.botframework.com, europe.token.botframework.com |
| Azure Health Data Services (Microsoft.HealthcareApis/workspaces) / healthcareworkspace | privatelink.workspace.azurehealthcareapis.com, privatelink.fhir.azurehealthcareapis.com, privatelink.dicom.azurehealthcareapis.com | workspace.azurehealthcareapis.com, fhir.azurehealthcareapis.com, dicom.azurehealthcareapis.com |
| Azure Databricks (Microsoft.Databricks/workspaces) / databricks_ui_api, browser_authentication | privatelink.azuredatabricks.net | azuredatabricks.net |
| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces) / global | privatelink-global.wvd.microsoft.com | wvd.microsoft.com |
| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces and Microsoft.DesktopVirtualization/hostpools) / feed, connection | privatelink.wvd.microsoft.com | wvd.microsoft.com |
¹ To use with IoT Hub's built-in Event Hub compatible endpoint. To learn more, see private link support for IoT Hub's built-in endpoint.
In the above text, {regionCode} refers to the region code (for example, eus for East US and ne for North Europe). Refer to the following lists for region codes: All public clouds.
{regionName} refers to the full region name (for example, eastus for East US and northeurope for North Europe). To retrieve a current list of Azure regions and their names and display names, use az account list-locations -o table.
Government
| Private link resource type / Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|
| Azure Automation / (Microsoft.Automation/automationAccounts) / Webhook, DSCAndHybridWorker | privatelink.azure-automation.us | azure-automation.us |
| Azure SQL Database (Microsoft.Sql/servers) / sqlServer | privatelink.database.usgovcloudapi.net | database.usgovcloudapi.net |
| Azure SQL Managed Instance (Microsoft.Sql/managedInstances) | privatelink.{dnsPrefix}.database.usgovcloudapi.net | {instanceName}.{dnsPrefix}.database.usgovcloudapi.net |
| Storage account (Microsoft.Storage/storageAccounts) / Blob (blob, blob_secondary) | privatelink.blob.core.usgovcloudapi.net | blob.core.usgovcloudapi.net |
| Storage account (Microsoft.Storage/storageAccounts) / Table (table, table_secondary) | privatelink.table.core.usgovcloudapi.net | table.core.usgovcloudapi.net |
| Storage account (Microsoft.Storage/storageAccounts) / Queue (queue, queue_secondary) | privatelink.queue.core.usgovcloudapi.net | queue.core.usgovcloudapi.net |
| Storage account (Microsoft.Storage/storageAccounts) / File (file, file_secondary) | privatelink.file.core.usgovcloudapi.net | file.core.usgovcloudapi.net |
| Storage account (Microsoft.Storage/storageAccounts) / Web (web, web_secondary) | privatelink.web.core.usgovcloudapi.net | web.core.usgovcloudapi.net |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Sql | privatelink.documents.azure.us | documents.azure.us |
| Azure Batch (Microsoft.Batch/batchAccounts) / batchAccount | privatelink.batch.usgovcloudapi.net | {regionName}.batch.usgovcloudapi.net |
| Azure Batch (Microsoft.Batch/batchAccounts) / nodeManagement | privatelink.batch.usgovcloudapi.net | {regionName}.service.batch.usgovcloudapi.net |
| Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) / postgresqlServer | privatelink.postgres.database.usgovcloudapi.net | postgres.database.usgovcloudapi.net |
| Azure Database for MySQL (Microsoft.DBforMySQL/servers) / mysqlServer | privatelink.mysql.database.usgovcloudapi.net | mysql.database.usgovcloudapi.net |
| Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) / mariadbServer | privatelink.mariadb.database.usgovcloudapi.net | mariadb.database.usgovcloudapi.net |
| Azure Key Vault (Microsoft.KeyVault/vaults) / vault | privatelink.vaultcore.usgovcloudapi.net | vault.usgovcloudapi.net, vaultcore.usgovcloudapi.net |
| Azure Search (Microsoft.Search/searchServices) / searchService | privatelink.search.windows.us | search.windows.us |
| Azure App Configuration (Microsoft.AppConfiguration/configurationStores) / configurationStores | privatelink.azconfig.azure.us | azconfig.azure.us |
| Azure Backup (Microsoft.RecoveryServices/vaults) / AzureBackup | privatelink.{regionCode}.backup.windowsazure.us | {regionCode}.backup.windowsazure.us |
| Azure Site Recovery (Microsoft.RecoveryServices/vaults) / AzureSiteRecovery | privatelink.siterecovery.windowsazure.us | {regionCode}.siterecovery.windowsazure.us |
| Azure Event Hubs (Microsoft.EventHub/namespaces) / namespace | privatelink.servicebus.usgovcloudapi.net | servicebus.usgovcloudapi.net |
| Azure Service Bus (Microsoft.ServiceBus/namespaces) / namespace | privatelink.servicebus.usgovcloudapi.net | servicebus.usgovcloudapi.net |
| Azure IoT Hub (Microsoft.Devices/IotHubs) / iotHub | privatelink.azure-devices.us, privatelink.servicebus.windows.us ¹ | azure-devices.us, servicebus.usgovcloudapi.net |
| Azure IoT Hub Device Provisioning Service (Microsoft.Devices/ProvisioningServices) / iotDps | privatelink.azure-devices-provisioning.us | azure-devices-provisioning.us |
| Azure Relay (Microsoft.Relay/namespaces) / namespace | privatelink.servicebus.usgovcloudapi.net | servicebus.usgovcloudapi.net |
| Azure Web Apps (Microsoft.Web/sites) / sites | privatelink.azurewebsites.us, scm.privatelink.azurewebsites.us | azurewebsites.us, scm.azurewebsites.us |
| Azure Monitor (Microsoft.Insights/privateLinkScopes) / azuremonitor | privatelink.monitor.azure.us, privatelink.adx.monitor.azure.us, privatelink.oms.opinsights.azure.us, privatelink.ods.opinsights.azure.us, privatelink.agentsvc.azure-automation.us, privatelink.blob.core.usgovcloudapi.net | monitor.azure.us, adx.monitor.azure.us, oms.opinsights.azure.us, ods.opinsights.azure.us, agentsvc.azure-automation.us, blob.core.usgovcloudapi.net |
| Cognitive Services (Microsoft.CognitiveServices/accounts) / account | privatelink.cognitiveservices.azure.us | cognitiveservices.azure.us |
| Azure Cache for Redis (Microsoft.Cache/Redis) / redisCache | privatelink.redis.cache.usgovcloudapi.net | redis.cache.usgovcloudapi.net |
| Azure HDInsight (Microsoft.HDInsight) | privatelink.azurehdinsight.us | azurehdinsight.us |
| Azure Machine Learning (Microsoft.MachineLearningServices/workspaces) / amlworkspace | privatelink.api.ml.azure.us, privatelink.notebooks.usgovcloudapi.net | api.ml.azure.us, notebooks.usgovcloudapi.net, instances.azureml.us, aznbcontent.net, inference.ml.azure.us |
| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces) / global | privatelink-global.wvd.azure.us | wvd.azure.us |
| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces and Microsoft.DesktopVirtualization/hostpools) / feed, connection | privatelink.wvd.azure.us | wvd.azure.us |
In the above text, {region} refers to the region code (for example, eus for East US and ne for North Europe). Refer to the following lists for region codes: US Gov.
{regionName} refers to the full region name (for example, eastus for East US and northeurope for North Europe). To retrieve a current list of Azure regions and their names and display names, use az account list-locations -o table.
China
| Private link resource type / Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|
| Azure Automation / (Microsoft.Automation/automationAccounts) / Webhook, DSCAndHybridWorker | privatelink.azure-automation.cn | azure-automation.cn |
| Azure SQL Database (Microsoft.Sql/servers) / SQL Server | privatelink.database.chinacloudapi.cn | database.chinacloudapi.cn |
| Storage account (Microsoft.Storage/storageAccounts) / Blob (blob, blob_secondary) | privatelink.blob.core.chinacloudapi.cn | blob.core.chinacloudapi.cn |
| Storage account (Microsoft.Storage/storageAccounts) / Table (table, table_secondary) | privatelink.table.core.chinacloudapi.cn | table.core.chinacloudapi.cn |
| Storage account (Microsoft.Storage/storageAccounts) / Queue (queue, queue_secondary) | privatelink.queue.core.chinacloudapi.cn | queue.core.chinacloudapi.cn |
| Storage account (Microsoft.Storage/storageAccounts) / File (file, file_secondary) | privatelink.file.core.chinacloudapi.cn | file.core.chinacloudapi.cn |
| Storage account (Microsoft.Storage/storageAccounts) / Web (web, web_secondary) | privatelink.web.core.chinacloudapi.cn | web.core.chinacloudapi.cn |
| Azure Data Lake File System Gen2 (Microsoft.Storage/storageAccounts) / Data Lake File System Gen2 (dfs, dfs_secondary) | privatelink.dfs.core.chinacloudapi.cn | dfs.core.chinacloudapi.cn |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Sql | privatelink.documents.azure.cn | documents.azure.cn |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / MongoDB | privatelink.mongo.cosmos.azure.cn | mongo.cosmos.azure.cn |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Cassandra | privatelink.cassandra.cosmos.azure.cn | cassandra.cosmos.azure.cn |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Gremlin | privatelink.gremlin.cosmos.azure.cn | gremlin.cosmos.azure.cn |
| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) / Table | privatelink.table.cosmos.azure.cn | table.cosmos.azure.cn |
| Azure Batch (Microsoft.Batch/batchAccounts) / batchAccount | privatelink.batch.chinacloudapi.cn | {region}.batch.chinacloudapi.cn |
| Azure Batch (Microsoft.Batch/batchAccounts) / nodeManagement | privatelink.batch.chinacloudapi.cn | {region}.service.batch.chinacloudapi.cn |
| Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) / postgresqlServer | privatelink.postgres.database.chinacloudapi.cn | postgres.database.chinacloudapi.cn |
| Azure Database for MySQL (Microsoft.DBforMySQL/servers) / mysqlServer | privatelink.mysql.database.chinacloudapi.cn | mysql.database.chinacloudapi.cn |
| Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) / mariadbServer | privatelink.mariadb.database.chinacloudapi.cn | mariadb.database.chinacloudapi.cn |
| Azure Key Vault (Microsoft.KeyVault/vaults) / vault | privatelink.vaultcore.azure.cn | vaultcore.azure.cn |
| Azure Event Hubs (Microsoft.EventHub/namespaces) / namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |
| Azure Service Bus (Microsoft.ServiceBus/namespaces) / namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |
| Azure IoT Hub (Microsoft.Devices/IotHubs) / iotHub | privatelink.azure-devices.cn, privatelink.servicebus.chinacloudapi.cn ¹ | azure-devices.cn, servicebus.chinacloudapi.cn |
| Azure IoT Hub Device Provisioning Service (Microsoft.Devices/ProvisioningServices) / iotDps | privatelink.azure-devices-provisioning.cn | azure-devices-provisioning.cn |
| Azure Relay (Microsoft.Relay/namespaces) / namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |
| Azure Event Grid (Microsoft.EventGrid/topics) / topic | privatelink.eventgrid.azure.cn | eventgrid.azure.cn |
| Azure Event Grid (Microsoft.EventGrid/domains) / domain | privatelink.eventgrid.azure.cn | eventgrid.azure.cn |
| Azure Web Apps (Microsoft.Web/sites) / sites | privatelink.chinacloudsites.cn | chinacloudsites.cn |
| Azure Machine Learning (Microsoft.MachineLearningServices/workspaces) / amlworkspace | privatelink.api.ml.azure.cn, privatelink.notebooks.chinacloudapi.cn | api.ml.azure.cn, notebooks.chinacloudapi.cn, instances.azureml.cn, aznbcontent.net, inference.ml.azure.cn |
| SignalR (Microsoft.SignalRService/SignalR) / signalR | privatelink.signalr.azure.cn | service.signalr.azure.cn |
| Azure File Sync (Microsoft.StorageSync/storageSyncServices) / afs | privatelink.afs.azure.cn | afs.azure.cn |
| Azure Data Factory (Microsoft.DataFactory/factories) / dataFactory | privatelink.datafactory.azure.cn | datafactory.azure.cn |
| Azure Data Factory (Microsoft.DataFactory/factories) / portal | privatelink.adf.azure.cn | adf.azure.cn |
| Azure Cache for Redis (Microsoft.Cache/Redis) / redisCache | privatelink.redis.cache.chinacloudapi.cn | redis.cache.chinacloudapi.cn |
| Azure HDInsight (Microsoft.HDInsight) | privatelink.azurehdinsight.cn | azurehdinsight.cn |
| Azure Data Explorer (Microsoft.Kusto) | privatelink.{regionName}.kusto.windows.cn | {regionName}.kusto.windows.cn |
| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces) / global | privatelink-global.wvd.azure.cn | wvd.azure.cn |
| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces and Microsoft.DesktopVirtualization/hostpools) / feed, connection | privatelink.wvd.azure.cn | wvd.azure.cn |
¹ To use with IoT Hub's built-in Event Hub compatible endpoint. To learn more, see private link support for IoT Hub's built-in endpoint.
DNS configuration scenarios
The FQDN of the services resolves automatically to a public IP address. To resolve to the private IP address of the private endpoint, change your DNS configuration.
DNS is a critical component to make the application work correctly by successfully resolving the private endpoint IP address.
Based on your preferences, the following scenarios are available with DNS resolution integrated:
- Virtual network workloads without custom DNS server
- On-premises workloads using a DNS forwarder
- Virtual network and on-premises workloads using a DNS forwarder
Azure Firewall DNS proxy can be used as DNS forwarder for On-premises workloads and Virtual network workloads using a DNS forwarder.
Virtual network workloads without custom DNS server
This configuration is appropriate for virtual network workloads without a custom DNS server. In this scenario, the client queries the Azure-provided DNS service 168.63.129.16 for the private endpoint IP address. Azure DNS will be responsible for DNS resolution of the private DNS zones.
This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: Azure services DNS zone configuration.
To configure properly, you need the following resources:
- Client virtual network
- Private DNS zone privatelink.database.windows.net with type A record
- Private endpoint information (FQDN record name and private IP address)
The following screenshot illustrates the DNS resolution sequence from virtual network workloads using the private DNS zone:
You can extend this model to peered virtual networks associated to the same private endpoint. Add new virtual network links to the private DNS zone for all peered virtual networks.
Important
A single private DNS zone is required for this configuration. Creating multiple zones with the same name for different virtual networks would need manual operations to merge the DNS records.
Important
If you're using a private endpoint in a hub-and-spoke model from a different subscription or even within the same subscription, link the same private DNS zones to all spokes and hub virtual networks that contain clients that need DNS resolution from the zones.
In this scenario, there's a hub and spoke networking topology. The spoke networks share a private endpoint. The spoke virtual networks are linked to the same private DNS zone.
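A check for the resolution sequence this scenario describes, as an added example that is not part of the original documentation: it parses `dig +noall +answer` style output and reports whether a name resolved through its privatelink record to a private address, fell back to the public endpoint, or stopped at a privatelink name with no A record. The server name, addresses and sample answers are constructed, and the check assumes the virtual network uses RFC 1918 address space.

```python
import ipaddress

# Assumption: the virtual network uses RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample answers (hypothetical server name and addresses).
ANSWER_PRIVATE = """
sqlserver01.database.windows.net. 60 IN CNAME sqlserver01.privatelink.database.windows.net.
sqlserver01.privatelink.database.windows.net. 10 IN A 10.1.0.5
"""
ANSWER_PUBLIC = """
sqlserver01.database.windows.net. 60 IN CNAME sqlserver01.privatelink.database.windows.net.
sqlserver01.privatelink.database.windows.net. 60 IN CNAME gateway.example.database.windows.net.
gateway.example.database.windows.net. 60 IN A 203.0.113.10
"""
ANSWER_MISSING = """
sqlserver01.database.windows.net. 60 IN CNAME sqlserver01.privatelink.database.windows.net.
"""
ANSWER_OVERRIDE = """
sqlserver01.database.windows.net. 300 IN A 10.1.0.5
"""

MEANING = {
    "PRIVATE": "resolved via the private DNS zone to the private endpoint",
    "PUBLIC": "private zone not consulted: check the virtual network link "
              "or the forwarder path to 168.63.129.16",
    "PRIVATE_RECORD_MISSING": "chain stops at a privatelink name with no A "
                              "record: the zone lacks a record for this resource",
    "PRIVATE_WITHOUT_PRIVATELINK": "private address served without the "
                                   "privatelink zone: a public zone is overridden",
    "NO_ANSWER": "no usable records in the answer",
}


def parse_answer(text):
    """Parse `dig +noall +answer` style lines into (name, type, value)."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        # Expected layout: name ttl class type value
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] in ("A", "CNAME"):
            records.append((parts[0].rstrip(".").lower(), parts[3],
                            parts[4].rstrip(".").lower()))
    return records


def is_privatelink_name(name):
    """True for a `privatelink` label, or `privatelink-...` as in privatelink-global."""
    return any(label == "privatelink" or label.startswith("privatelink-")
               for label in name.split("."))


def classify(fqdn, answer_text):
    """Follow the CNAME chain from fqdn; return (verdict, chain)."""
    records = parse_answer(answer_text)
    cnames = {n: v for n, t, v in records if t == "CNAME"}
    name = fqdn.rstrip(".").lower()
    chain = [name]
    while name in cnames and len(chain) < 16:  # bound guards against loops
        name = cnames[name]
        chain.append(name)
    addrs = [ipaddress.ip_address(v) for n, t, v in records
             if t == "A" and n == name]
    if not addrs:
        verdict = ("PRIVATE_RECORD_MISSING" if is_privatelink_name(name)
                   else "NO_ANSWER")
    elif all(any(a in net for net in RFC1918) for a in addrs):
        verdict = ("PRIVATE" if is_privatelink_name(name)
                   else "PRIVATE_WITHOUT_PRIVATELINK")
    else:
        verdict = "PUBLIC"
    return verdict, chain


if __name__ == "__main__":
    for sample in (ANSWER_PRIVATE, ANSWER_PUBLIC, ANSWER_MISSING, ANSWER_OVERRIDE):
        verdict, chain = classify("sqlserver01.database.windows.net", sample)
        print(f"{verdict}: {MEANING[verdict]}\n  chain: {' -> '.join(chain)}")
```

Run it against answers captured from a client inside each linked virtual network; a PUBLIC verdict there means traffic is still going to the public endpoint.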
On-premises workloads using a DNS forwarder
For on-premises workloads to resolve the FQDN of a private endpoint, use a DNS forwarder to resolve the Azure service public DNS zone in Azure. A DNS forwarder is a virtual machine running on the virtual network linked to the private DNS zone that can proxy DNS queries coming from other virtual networks or from on-premises. This is required because the query to Azure DNS must originate from the virtual network. A few options for DNS proxies are: Windows running DNS services, Linux running DNS services, Azure Firewall.
The following scenario is for an on-premises network that has a DNS forwarder in Azure. This forwarder resolves DNS queries via a server-level forwarder to the Azure-provided DNS 168.63.129.16.
This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: Azure services DNS zone configuration.
To configure properly, you need the following resources:
- On-premises network
- Virtual network connected to on-premises
- DNS forwarder deployed in Azure
- Private DNS zones privatelink.database.windows.net with type A record
- Private endpoint information (FQDN record name and private IP address)
The following diagram illustrates the DNS resolution sequence from an on-premises network. The configuration uses a DNS forwarder deployed in Azure. The resolution is made by a private DNS zone linked to a virtual network:
This configuration can be extended for an on-premises network that already has a DNS solution in place.
The on-premises DNS solution is configured to forward DNS traffic to Azure DNS via a conditional forwarder. The conditional forwarder references the DNS forwarder deployed in Azure.
This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: Azure services DNS zone configuration.
To configure properly, you need the following resources:
- On-premises network with a custom DNS solution in place
- Virtual network connected to on-premises
- DNS forwarder deployed in Azure
- Private DNS zones privatelink.database.windows.net with type A record
- Private endpoint information (FQDN record name and private IP address)
The following diagram illustrates the DNS resolution from an on-premises network. DNS resolution is conditionally forwarded to Azure. The resolution is made by a private DNS zone linked to a virtual network.
Important
The conditional forwarding must be made to the recommended public DNS zone forwarder. For example: database.windows.net instead of privatelink.database.windows.net.
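An audit of on-premises conditional forwarder rules against the two requirements stated above, as an added example that is not part of the original documentation: each rule should name the public DNS zone forwarder rather than the privatelink zone, and should point at the DNS forwarder deployed in Azure rather than at 168.63.129.16 directly. The rule format, IP addresses and finding codes are hypothetical, and the zone map is a subset of the table on this page.

```python
AZURE_DNS = "168.63.129.16"  # Azure-provided DNS, reachable only from the virtual network

# Subset of the recommended names from the table on this page:
# private DNS zone name -> public DNS zone forwarder(s).
RECOMMENDED = {
    "privatelink.database.windows.net": ["database.windows.net"],
    "privatelink.blob.core.windows.net": ["blob.core.windows.net"],
    "privatelink.vaultcore.azure.net": ["vault.azure.net", "vaultcore.azure.net"],
    "privatelink.servicebus.windows.net": ["servicebus.windows.net"],
}
PUBLIC_FORWARDER_ZONES = {z for zones in RECOMMENDED.values() for z in zones}

# Constructed sample: conditional forwarder rules exported from an
# on-premises DNS server (hypothetical format and addresses).
SAMPLE_RULES = [
    {"zone": "privatelink.database.windows.net", "targets": ["10.0.0.4"]},
    {"zone": "blob.core.windows.net", "targets": ["168.63.129.16"]},
    {"zone": "vault.azure.net", "targets": ["10.0.0.4"]},
    {"zone": "servicebus.windows.net", "targets": ["192.168.10.53"]},
]
# Constructed: IP of the DNS forwarder deployed in the Azure virtual network.
SAMPLE_AZURE_FORWARDERS = {"10.0.0.4"}


def is_privatelink_zone(zone):
    return any(label == "privatelink" or label.startswith("privatelink-")
               for label in zone.split("."))


def audit_forwarders(rules, azure_forwarder_ips):
    """Return (zone, code, detail) findings for on-premises forwarder rules.

    PRIVATELINK_ZONE_FORWARDED  rule names the privatelink zone; detail is the
                                recommended public zone(s), or None when the
                                zone is outside the subset map above.
    TARGETS_AZURE_DNS_DIRECTLY  rule points on-premises queries at
                                168.63.129.16 instead of the Azure forwarder.
    TARGET_NOT_AZURE_FORWARDER  rule points at a server that is not a known
                                forwarder in the virtual network; detail lists it.
    """
    forwarders = set(azure_forwarder_ips)
    findings = []
    for rule in rules:
        zone = rule["zone"].rstrip(".").lower()
        targets = set(rule["targets"])
        if is_privatelink_zone(zone):
            findings.append((zone, "PRIVATELINK_ZONE_FORWARDED",
                             RECOMMENDED.get(zone)))
        elif zone in PUBLIC_FORWARDER_ZONES:
            if AZURE_DNS in targets:
                findings.append((zone, "TARGETS_AZURE_DNS_DIRECTLY", None))
            elif not targets <= forwarders:
                findings.append((zone, "TARGET_NOT_AZURE_FORWARDER",
                                 sorted(targets - forwarders)))
    return findings


if __name__ == "__main__":
    for zone, code, detail in audit_forwarders(SAMPLE_RULES, SAMPLE_AZURE_FORWARDERS):
        print(f"{zone}: {code}" + (f" -> {detail}" if detail else ""))
```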
Virtual network and on-premises workloads using a DNS forwarder
For workloads accessing a private endpoint from virtual and on-premises networks, use a DNS forwarder to resolve the Azure service public DNS zone deployed in Azure.
The following scenario is for an on-premises network with virtual networks in Azure. Both networks access the private endpoint located in a shared hub network.
This DNS forwarder is responsible for resolving all the DNS queries via a server-level forwarder to the Azure-provided DNS service 168.63.129.16.
Important
A single private DNS zone is required for this configuration. All client connections made from on-premises and peered virtual networks must also use the same private DNS zone.
This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: Azure services DNS zone configuration.
To configure properly, you need the following resources:
- On-premises network
- Virtual network connected to on-premises
- Peered virtual network
- DNS forwarder deployed in Azure
- Private DNS zones privatelink.database.windows.net with type A record
- Private endpoint information (FQDN record name and private IP address)
The following diagram shows the DNS resolution for both networks, on-premises and virtual networks. The resolution is using a DNS forwarder. The resolution is made by a private DNS zone linked to a virtual network:
Private DNS zone group
If you choose to integrate your private endpoint with a private DNS zone, a private DNS zone group is also created. The DNS zone group is a strong association between the private DNS zone and the private endpoint that helps automatically update the private DNS zone when there is an update on the private endpoint. For example, when you add or remove regions, the private DNS zone is automatically updated.
Previously, the DNS records for the private endpoint were created via scripting (retrieving certain information about the private endpoint and then adding it on the DNS zone). With the DNS zone group, there is no need to write any additional CLI/PowerShell lines for every DNS zone. Also, when you delete the private endpoint, all the DNS records within the DNS zone group will be deleted as well.
A common scenario for DNS zone group is in a hub-and-spoke topology, where it allows the private DNS zones to be created only once in the hub and allows the spokes to register to it, rather than creating different zones in each spoke.
Each DNS zone group can support up to 5 DNS zones.
Adding multiple DNS zone groups to a single Private Endpoint is not supported.
Next steps
Learn about private endpoints