Understanding Azure Private DNS Zones and Private Endpoints

Overview

A Private DNS Zone in Azure is like an address book for resources in your private network, allowing you to use easy-to-remember domain names instead of IP addresses. It ensures that resources within your virtual network can find and communicate with each other securely. A Private Endpoint is a private connection to an Azure service, like a database or storage account, using a private IP address within your virtual network. This keeps the connection secure by avoiding the public internet. When used together, Private DNS Zones map the domain names of services (e.g., privatelink.blob.core.windows.net or privatelink.openai.azure.com) to the private IP addresses of Private Endpoints. This makes it easy for applications in your network to connect securely to Azure services using familiar names without needing to know the specific IP addresses.

Centralizing Private DNS Zones

Private Link and DNS Integration at Scale - Cloud Adoption Framework

Private DNS zones are usually set up and managed in a central location, often in the same Azure subscription where the main network (hub VNet) is hosted. This setup helps with organizing and resolving private names for things like internal services and Active Directory. Only a few administrators, like those managing the network and identity, typically have access to update or change the DNS records.

On the other hand, application teams work in their own Azure subscriptions and don’t have permission to make changes to the central DNS zones. This means they can’t directly create the DNS records needed when they set up services like databases or storage accounts with private endpoints.

Using Azure Policy to Automate Private DNS Zone Records

To address this, we have implemented Azure Policies that automate the creation of Private DNS Zone records for all Private Endpoints across the Azure organization. A policy has been enabled to Deny the creation of new Private DNS Zones. Instead, when the policy detects a new Private Endpoint, it automatically creates the corresponding DNS record in the centralized Private DNS Zone.

Ensure that when your application team creates a private endpoint, the option Integrate with private DNS zone is set to No in the Azure portal. Selecting Yes makes the portal create a Private DNS Zone in your own subscription, which the Deny policy blocks, so the private endpoint deployment fails.
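As an added check (not part of this page or of the policy described here), the following Python compares a private endpoint's DNS settings with the A records in the central privatelink zones, flagging records the policy has not created yet or that still point at a stale address. The sample inputs are constructed: the first mirrors the shape of `az network private-endpoint show --query customDnsConfigs`, the second is a simplified map built from the hub zone's A record sets, and the FQDN-to-zone mapping assumes the common `<resource name>.<service suffix>` layout used by the services named above.

```python
import json

# Constructed sample: customDnsConfigs of a private endpoint as reported by
# `az network private-endpoint show` (fictional resource names and addresses).
CUSTOM_DNS_CONFIGS = json.loads("""[
  {"fqdn": "contosoapp.blob.core.windows.net", "ipAddresses": ["10.20.1.4"]},
  {"fqdn": "contosoaoai.openai.azure.com", "ipAddresses": ["10.20.1.5"]}
]""")

# Constructed sample: A record sets in the central hub zones, simplified to
# {zone: {record name: [ipv4 addresses]}}. The OpenAI record is deliberately stale.
CENTRAL_ZONE_RECORDS = {
    "privatelink.blob.core.windows.net": {"contosoapp": ["10.20.1.4"]},
    "privatelink.openai.azure.com": {"contosoaoai": ["10.20.0.9"]},
}


def expected_record(fqdn, ip_addresses):
    """Map a service FQDN to the privatelink zone, record name and addresses the
    central zone should contain. Assumes '<name>.<service suffix>' FQDNs."""
    label, _, suffix = fqdn.partition(".")
    return "privatelink." + suffix, label, sorted(ip_addresses)


def check_private_dns(dns_configs, zone_records):
    """Return (fqdn, zone, record name, status) per endpoint FQDN, where status is
    'ok', 'missing' (policy has not created the record) or 'mismatch ...'."""
    findings = []
    for cfg in dns_configs:
        zone, name, ips = expected_record(cfg["fqdn"], cfg["ipAddresses"])
        actual = zone_records.get(zone, {}).get(name)
        if actual is None:
            status = "missing"
        elif sorted(actual) != ips:
            status = f"mismatch (zone has {','.join(actual)}, endpoint has {','.join(ips)})"
        else:
            status = "ok"
        findings.append((cfg["fqdn"], zone, name, status))
    return findings


if __name__ == "__main__":
    for fqdn, zone, name, status in check_private_dns(CUSTOM_DNS_CONFIGS, CENTRAL_ZONE_RECORDS):
        print(f"{fqdn:40} -> {name}.{zone}: {status}")
```

A "missing" result right after deployment usually means the policy remediation has not run yet; a "mismatch" typically means the endpoint was recreated and the old record in the central zone was never updated.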
