4.1 Azure Private Link and Private Endpoints

📘Microsoft Azure Networking Solutions (AZ-700)

This is one of the most important areas in the AZ-700 exam. Many exam questions test your understanding of how DNS works with Private Endpoints and Azure Private Link.

To pass this section, you must clearly understand:

Why DNS is required for Private Endpoints
How name resolution changes when using Private Link
How Azure Private DNS works
How to integrate on-premises DNS with Azure
Common DNS configurations and troubleshooting

Let’s explain everything step by step in simple and clear language.

1. Why DNS Is Important for Private Link

When you create a Private Endpoint, Azure assigns it a private IP address inside your Virtual Network (VNet).

However:

Applications do NOT connect using IP addresses.
Applications connect using FQDN (Fully Qualified Domain Name).

Example:

An application connects to:

mystorageaccount.blob.core.windows.net

Without Private Link:

This name resolves to a public IP address.

With Private Link:

This name must resolve to a private IP address.

If DNS is not configured correctly:

Traffic will go to the public endpoint.
Private Endpoint will not be used.
Access may fail if public access is disabled.

So DNS is critical for Private Link to work correctly.

2. How DNS Changes with Private Endpoint

When you create a Private Endpoint for an Azure service:

Azure automatically creates a special DNS mapping.

For example, for Azure Storage:

Original public DNS:

mystorageaccount.blob.core.windows.net

With Private Endpoint, Azure creates:

mystorageaccount.privatelink.blob.core.windows.net

The process works like this:

Your application queries DNS for: mystorageaccount.blob.core.windows.net
DNS redirects it internally to: mystorageaccount.privatelink.blob.core.windows.net
That record resolves to the private IP of the Private Endpoint.

This DNS redirection is the key concept tested in AZ-700.

3. Azure Private DNS Zones

The recommended way to integrate DNS with Private Endpoints is using:

Azure Private DNS Zone

Private DNS zones store DNS records for private name resolution inside VNets.

Common Private DNS zone names:

Azure Service	Private DNS Zone
Azure Storage	`privatelink.blob.core.windows.net`
Azure SQL	`privatelink.database.windows.net`
Azure Web Apps	`privatelink.azurewebsites.net`
Azure Key Vault	`privatelink.vaultcore.azure.net`

These zone names are very important for the exam.

4. Automatic DNS Integration (Recommended)

When creating a Private Endpoint in the Azure Portal:

There is an option:

Integrate with private DNS zone

If selected:

Azure automatically:

Creates the correct Private DNS Zone (if not existing)
Creates an A record
Links the DNS zone to your VNet

This is the easiest and most recommended approach.

Exam Tip:

Microsoft recommends using Azure Private DNS zones with Private Endpoints.

5. What Happens Internally

Let’s understand technically:

Suppose:

You create a Private Endpoint for Azure SQL.
It gets private IP: 10.1.0.5

Azure creates:

DNS Zone:

privatelink.database.windows.net

A Record:

myserver → 10.1.0.5

Now when a VM inside the VNet queries:

myserver.database.windows.net

DNS resolves it to:

myserver.privatelink.database.windows.net

And that resolves to:

10.1.0.5

Traffic stays inside Azure backbone network.

6. Linking Private DNS Zone to Virtual Network

Creating a Private DNS zone is not enough.

You must:

Link it to one or more VNets.

This is called:

Virtual Network Link

Without VNet linking:

Resources inside the VNet cannot resolve private records.

Exam Question Pattern:

A Private Endpoint is created but VMs cannot connect. Why?

Common Answer:

Private DNS zone is not linked to the VNet.

7. Multiple VNets Scenario

If you have:

VNet1 (App servers)
VNet2 (Database servers)

And Private Endpoint is in VNet2.

To allow VNet1 to resolve the Private Endpoint:

You must:

Link the Private DNS Zone to VNet1 as well.

Important:

One Private DNS zone can link to multiple VNets.
VNets can be in different regions.

8. On-Premises DNS Integration

This is very important for hybrid environments.

Scenario:

Users from on-premises connect via VPN or ExpressRoute.
They must access Azure services using Private Endpoint.

Problem:

On-prem DNS does not know about Azure Private DNS zones.

Solution:
Use DNS Forwarding.

Steps:

On-prem DNS forwards queries for: privatelink.database.windows.net to Azure DNS forwarder.
Azure DNS forwarder resolves using:
- Azure Private DNS zone

Common Azure solution:

Deploy a DNS forwarder VM in Azure
Or use Azure DNS Private Resolver (modern approach)

Exam may test:

How to allow on-premises users to resolve Private Endpoint names?

Correct answer:

Configure conditional forwarder to Azure DNS.

9. Azure DNS Private Resolver

Modern recommended service:

Azure DNS Private Resolver

It provides:

Inbound endpoint
Outbound endpoint
DNS forwarding rules

Benefits:

Fully managed
No VM required
Scalable
Secure

Used when:

Integrating on-premises DNS with Azure Private DNS.

AZ-700 increasingly tests this service.

10. Split-Horizon DNS

Private Link uses a concept called:

Split-horizon DNS

Meaning:

Same domain name:

myserver.database.windows.net

Resolves differently depending on location:

Inside VNet → Private IP
Outside Azure → Public IP

This allows:

Internal traffic to use Private Endpoint
External users to use public endpoint (if enabled)

11. Disabling Public Network Access

Common exam scenario:

You create:

Private Endpoint
Disable public network access

Now:

Only private DNS resolution works
Public IP access is blocked

If DNS is not configured correctly:

Connection will fail completely

This is frequently tested.

12. Custom DNS Servers in VNet

If your VNet uses:

Custom DNS server (instead of Azure default DNS)

Then:

Azure will NOT automatically resolve Private DNS zone.

You must:

Configure conditional forwarding in your custom DNS server
Or host the Private DNS zone on that server

Exam Tip:

Private Endpoint + Custom DNS requires manual DNS configuration.

13. Common Exam Scenarios

Scenario 1:

Private Endpoint created but VM cannot connect.

Possible causes:

Private DNS zone missing
DNS zone not linked to VNet
Using custom DNS without forwarding
Incorrect record

Scenario 2:

On-premises cannot resolve Private Endpoint.

Answer:

Configure DNS forwarder or Azure DNS Private Resolver.

Scenario 3:

Multiple VNets need access.

Answer:

Link Private DNS zone to all VNets.

Scenario 4:

Traffic still going to public endpoint.

Answer:

DNS not resolving to private IP.

14. Key Differences to Remember

Feature	Public DNS	Private DNS
IP Address	Public IP	Private IP
Traffic Path	Internet	Azure backbone
Security	Public exposure	Private access only
Used with	Normal endpoints	Private Endpoint

15. Step-by-Step Integration Summary

To properly integrate Private Endpoint with DNS:

Create Private Endpoint.
Enable Private DNS integration.
Verify Private DNS zone exists.
Verify A record created.
Link Private DNS zone to VNet(s).
Configure DNS forwarding for on-premises (if needed).
Test name resolution using: nslookup

If DNS resolves to private IP → Configuration is correct.

16. Important AZ-700 Exam Keywords

You must understand these terms clearly:

Private Endpoint
Azure Private Link
Private DNS Zone
Virtual Network Link
Conditional Forwarder
Azure DNS Private Resolver
Split-horizon DNS
Custom DNS
A Record
FQDN
Public Network Access

17. Final Exam Strategy

For AZ-700:

If question mentions:

Private Endpoint not working
Hybrid environment
DNS resolution failure
Multiple VNets
Public access disabled

Immediately think:

This is a DNS configuration issue.

Most Private Link problems in exam questions are DNS-related.

Final Summary

Integrating Private Link and Private Endpoint with DNS ensures:

Azure services resolve to private IP addresses
Traffic remains inside Azure network
Public exposure is eliminated
Hybrid environments function correctly
Secure name resolution across VNets and on-premises

Without proper DNS configuration, Private Endpoints will not function correctly.