Link a private DNS zone to a VNet

1.2 Design and Implement Name Resolution

📘 Microsoft Azure Networking Solutions (AZ-700)


1. What is a Private DNS Zone in Azure?

A Private DNS zone in Azure is used to resolve DNS names inside private networks (VNets).

  • It works only inside Azure private networks
  • DNS records are not accessible from the internet
  • Commonly used for:
    • Virtual Machines
    • Private Endpoints
    • Internal Azure services

Example DNS names:

  • vm1.internal.contoso.com
  • sqlserver.privatelink.database.windows.net

2. Why Do We Need to Link a Private DNS Zone to a VNet?

A Private DNS zone does nothing by itself.

To make it usable:

  • It must be linked to one or more VNets

Linking allows:

  • Resources inside the VNet to resolve DNS records
  • Azure to automatically register DNS records (if enabled)

Without a VNet link:

  • Virtual Machines cannot resolve names in the private DNS zone
  • Private Endpoints will not work correctly

3. What Does “Linking” Actually Mean?

When you link a private DNS zone to a VNet:

  • The VNet is allowed to use that DNS zone
  • Azure DNS becomes available inside the VNet
  • DNS queries from VMs are resolved using the private zone

📌 Important:

  • Linking does not create network connectivity
  • It only provides DNS name resolution

4. Types of VNet Links

Azure supports two types of VNet links:

1. Registration Enabled Link

  • Azure automatically creates DNS records
  • Used when:
    • VMs are deployed in the VNet
    • VM hostnames should be automatically added

Example:

  • VM vm1 → DNS record vm1.internal.contoso.com

2. Registration Disabled Link

  • No automatic DNS record creation
  • DNS records must be created manually
  • Used when:
    • VNet only needs to resolve names
    • No need for automatic VM registration

📌 Exam Tip:

Private Endpoints do NOT require auto-registration


5. How Many VNets Can Be Linked?

  • One private DNS zone can be linked to:
    • Multiple VNets
  • One VNet can be linked to:
    • Multiple private DNS zones

This is useful in:

  • Hub-and-spoke architectures
  • Multi-region environments

6. Cross-Subscription and Cross-Region Linking

Azure allows:

  • Linking VNets from different subscriptions
  • Linking VNets from different regions

Requirements:

  • Proper RBAC permissions
  • VNets must be in the same Azure tenant

📌 Exam Focus:

DNS zone and VNet do NOT need to be in the same subscription


7. Private DNS Zone and Azure-Provided DNS

When a VNet is linked to a private DNS zone:

  • Azure automatically uses Azure-provided DNS (168.63.129.16)
  • No custom DNS server is required
  • DNS resolution happens internally

If you use custom DNS servers:

  • You must configure DNS forwarding
  • Otherwise, private DNS records will not resolve

8. Linking Process (Conceptual Steps – Exam Level)

  1. Create a Private DNS zone
  2. Select Virtual Network links
  3. Add a new link
  4. Choose:
    • VNet
    • Enable or disable auto-registration
  5. Save the configuration

📌 No VM restart is required.
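The steps above worked through with the Az PowerShell module, as an added example that is not part of the original notes: one zone linked to a hub VNet with auto-registration (link type 1 from section 4) and to a spoke VNet without it (type 2), plus the manual A record a registration-disabled link requires. The resource group, VNet names, zone name and the 10.1.0.4 address are assumptions.

```powershell
# Added example (not from the original notes). Assumed names: resource group
# rg-dns-demo, VNets vnet-hub and vnet-spoke1, zone internal.contoso.com.
$rg   = 'rg-dns-demo'
$zone = 'internal.contoso.com'

# Step 1: create the private DNS zone. The zone is global, so no -Location.
New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zone

# Step 2/3: look up the VNets that should resolve names in this zone.
$hub   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
$spoke = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-spoke1'

# Step 4a: registration-enabled link. VMs in the hub get A records created
# automatically (a VNet can hold this kind of link to only one zone).
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone `
    -Name 'link-hub' -VirtualNetworkId $hub.Id -EnableRegistration

# Step 4b: registration-disabled link. The spoke can resolve every record in
# the zone but registers nothing; the link itself creates no connectivity.
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone `
    -Name 'link-spoke1' -VirtualNetworkId $spoke.Id

# Because the spoke link does not auto-register, records for spoke workloads
# are created by hand. Assumed address 10.1.0.4 for app1 in the spoke.
$rec = New-AzPrivateDnsRecordConfig -IPv4Address '10.1.0.4'
New-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zone -Name 'app1' `
    -RecordType A -Ttl 3600 -PrivateDnsRecords $rec

# Step 5 check: both links should show RegistrationEnabled as configured and
# VirtualNetworkLinkState 'Completed'; the A list shows manual plus
# auto-registered records (hub VM hostnames appear once the VMs are running).
Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone |
    Select-Object Name, RegistrationEnabled, VirtualNetworkLinkState
Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zone -RecordType A |
    Select-Object Name, Ttl, @{ n = 'IPv4'; e = { $_.Records.Ipv4Address -join ',' } }
```

From a VM inside either VNet, `Resolve-DnsName app1.internal.contoso.com` against the Azure-provided resolver 168.63.129.16 confirms the link works without any VM restart.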


9. Private DNS Zone Linking with Private Endpoints

This is a very important exam topic.

When you create a Private Endpoint:

  • Azure often automatically creates
    • A private DNS zone
    • A VNet link
    • DNS records

Example zones:

  • privatelink.blob.core.windows.net
  • privatelink.database.windows.net

If the DNS zone is not linked:

  • Name resolution fails
  • Private Endpoint connection appears broken

📌 Exam Tip:

Most Private Endpoint issues are DNS-related


10. Hub-and-Spoke DNS Design

Common enterprise architecture:

  • Hub VNet
    • Central DNS resolution
  • Spoke VNets
    • Application workloads

The private DNS zone is linked to:

  • Hub VNet
  • All spoke VNets

This allows:

  • Centralized DNS management
  • Name resolution across VNets

11. Security and Access Control

  • Linking a VNet does not expose DNS publicly
  • Access is controlled by:
    • Azure RBAC
    • VNet scope

Only authorized users can:

  • Create DNS zones
  • Create or modify VNet links

12. Limitations and Important Facts (Exam-Focused)

Item                          Rule
Private DNS zone is global    Yes
Internet access               ❌ Not allowed
Auto-registration             Only for VMs
VNet peering required         ❌ Not required
Works with Azure DNS only     Yes
Custom DNS servers            Require forwarding

13. Common Exam Traps

✔ Thinking linking creates network connectivity
✔ Assuming DNS works without linking
✔ Forgetting DNS forwarding when using custom DNS
✔ Assuming Private Endpoints work without private DNS zone links


14. Key Exam Keywords to Remember

  • Private DNS zone
  • VNet link
  • Auto-registration
  • Name resolution
  • Azure-provided DNS
  • Private Endpoint
  • Hub-and-spoke
  • Cross-subscription linking

15. One-Paragraph Exam Summary

Linking a private DNS zone to a VNet allows resources inside the VNet to resolve private DNS names using Azure DNS. The link can optionally enable automatic DNS record registration for virtual machines. A private DNS zone can be linked to multiple VNets, including VNets in different subscriptions and regions. Linking does not provide network connectivity; it only enables name resolution. This feature is critical for Private Endpoints and internal Azure service communication.
