1.2 Design and Implement Name Resolution
📘Microsoft Azure Networking Solutions (AZ-700)
1. What is Azure DNS Private Resolver?
Azure DNS Private Resolver is a managed Azure service that allows Azure virtual networks (VNets) to resolve DNS names between Azure and on-premises or other external networks.
In simple words:
- It helps Azure resources ask DNS questions outside Azure
- It also allows external systems to ask DNS questions about Azure private DNS zones
Azure DNS Private Resolver works inside a VNet and acts as a bridge between:
- Azure private DNS
- On-premises DNS servers
- Other DNS servers reachable over VPN or ExpressRoute
2. Why Azure DNS Private Resolver is Needed
Before this service existed, a VNet had two options:
- Azure-provided DNS (the default resolver, which cannot reach on-premises names)
- Custom DNS servers that you deployed and configured yourself (typically DNS VMs)
Problems with older methods:
- You had to deploy and manage DNS VMs
- High availability was your responsibility
- Scaling and security were complex
- DNS forwarding between Azure and on-premises required custom setup
Azure DNS Private Resolver solves these problems by:
- Being fully managed
- Providing high availability by default
- Supporting DNS forwarding
- Removing the need for DNS VMs
3. Key Use Cases (Exam-Relevant)
Azure DNS Private Resolver is used when:
- Azure resources must resolve on-premises domain names
- On-premises systems must resolve Azure private DNS zones
- DNS traffic flows through VPN or ExpressRoute
- You want a central DNS resolution architecture
- You want to avoid managing DNS servers manually
4. High-Level Architecture
Azure DNS Private Resolver has two main components:
- Inbound Endpoint
- Outbound Endpoint
These endpoints are deployed inside a VNet and use dedicated subnets.
5. Inbound Endpoint (Very Important for Exam)
What is an Inbound Endpoint?
An Inbound Endpoint allows external DNS clients to send DNS queries into Azure.
Who sends queries?
- On-premises DNS servers
- VMs in other VNets
- External networks connected via VPN or ExpressRoute
What happens?
- External systems query the inbound endpoint
- The resolver answers using:
  - Azure Private DNS zones
  - Linked VNets
Key Exam Points
- Inbound endpoint has private IP addresses
- It must be placed in a dedicated subnet
- Subnet cannot contain other resources
- Used mainly for on-premises → Azure name resolution
6. Outbound Endpoint (Very Important for Exam)
What is an Outbound Endpoint?
An Outbound Endpoint allows Azure resources to send DNS queries outside Azure.
Who sends queries?
- Azure VMs
- Azure services inside VNets
Where do queries go?
- On-premises DNS servers
- External DNS servers reachable via VPN/ExpressRoute
Key Exam Points
- Outbound endpoint is deployed in a dedicated subnet
- Used with DNS forwarding rules
- Enables Azure → on-premises name resolution
7. DNS Forwarding Ruleset
What is a DNS Forwarding Ruleset?
A DNS forwarding ruleset defines:
- Which DNS queries should be forwarded
- Where they should be forwarded
Each rule includes:
- Domain name (for example: corp.contoso.com)
- Target DNS server IP addresses
How it Works
- Azure resource sends a DNS query
- Outbound endpoint receives the query
- Resolver checks the ruleset
- Query is forwarded to the correct DNS server
Exam Notes
- Rulesets are linked to VNets
- Multiple VNets can share the same ruleset
- Rules are matched against the domain name of the query
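To make the "How it Works" steps and the rule matching concrete, here is a small shell model of how a forwarding ruleset chooses the target server for a query. It is an added example, not code from the study notes or from Azure: the rule table is constructed, and the model encodes the documented behaviour that the most specific enabled rule (the longest matching domain suffix) wins, that disabled rules are skipped, and that a rule for "." acts as a catch-all. When no enabled rule matches, the query stays with Azure DNS.

```shell
#!/bin/sh
# Added example: model of forwarding-rule selection for one query name.
# Rule data below is constructed; domain names end with a dot, as the
# resolver requires when a rule is created.
set -eu

# One rule per line: <domain-name> <state> <target-dns-server>
RULES='corp.contoso.com. Enabled 10.100.0.10
contoso.com. Enabled 10.100.0.11
lab.corp.contoso.com. Disabled 10.100.0.12
. Enabled 10.100.0.1'

# select_target <query-name>: prints the target server of the most specific
# enabled rule, or "azure-dns" when no enabled rule applies.
select_target() {
    q="$1"
    case "$q" in *.) ;; *) q="$q." ;; esac      # normalise to FQDN form
    best_len=-1
    best_target="azure-dns"
    old_ifs="$IFS"
    IFS='
'
    for rule in $RULES; do
        IFS="$old_ifs"                             # word list is already expanded
        set -- $rule
        domain="$1"; state="$2"; target="$3"
        [ "$state" = "Enabled" ] || continue       # disabled rules are ignored
        if [ "$domain" = "." ]; then
            matched=1                              # catch-all rule
        else
            # Suffix match must be label-aligned: "xcorp.contoso.com." must not
            # match the corp.contoso.com. rule.
            case "$q" in
                "$domain"|*".$domain") matched=1 ;;
                *) matched=0 ;;
            esac
        fi
        if [ "$matched" -eq 1 ] && [ "${#domain}" -gt "$best_len" ]; then
            best_len="${#domain}"
            best_target="$target"                  # longer suffix = more specific
        fi
    done
    IFS="$old_ifs"
    printf '%s\n' "$best_target"
}

for name in app.corp.contoso.com www.contoso.com host.lab.corp.contoso.com xcorp.contoso.com example.org; do
    printf '%-32s -> %s\n' "$name" "$(select_target "$name")"
done
```

The catch-all "." rule has the shortest possible name, so it only wins when nothing more specific matches; removing it makes unmatched names fall back to Azure DNS, which is the usual design when only a few on-premises domains need forwarding.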
8. Required Subnets (Very Important for Exam)
Azure DNS Private Resolver requires two dedicated subnets:
| Subnet Purpose | Requirement |
|---|---|
| Inbound endpoint subnet | Dedicated, no other resources |
| Outbound endpoint subnet | Dedicated, no other resources |
Key rules:
- Subnets cannot contain VMs
- Both subnets must be in the same VNet
- Subnet size must allow endpoint IP allocation
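Sections 4 to 8 describe one deployment procedure: dedicated subnets, the resolver, an inbound and an outbound endpoint, a ruleset with a rule, and a link to another VNet. The Azure CLI script below walks through exactly that order. It is an added example, not taken from the study notes or from Microsoft's documentation; it assumes the `dns-resolver` CLI extension is installed and that you are signed in, and the subscription ID, resource names, address ranges and the on-premises DNS server 10.100.0.10 are placeholders. One requirement the notes do not spell out is included: both endpoint subnets must be delegated to Microsoft.Network/dnsResolvers. With DRY_RUN=1 (the default) the script only prints the commands, so it can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example: deploy an Azure DNS Private Resolver with the Azure CLI.
# All names, IDs and address ranges below are constructed placeholders.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RG="${RG:-rg-hub-dns}"
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-vnet-hub}"
RESOLVER="${RESOLVER:-dnspr-hub}"
RULESET="${RULESET:-rs-hybrid}"
ONPREM_DNS="${ONPREM_DNS:-10.100.0.10}"   # constructed on-premises DNS server
SPOKE_VNET_ID="${SPOKE_VNET_ID:-/subscriptions/$SUBSCRIPTION_ID/resourceGroups/rg-spoke/providers/Microsoft.Network/virtualNetworks/vnet-spoke}"

NET_PREFIX="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.Network"

# run: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

deploy_private_resolver() {
    # 1. Dedicated subnets for the endpoints. Each holds nothing else and is
    #    delegated to the resolver service; /28 is the smallest allowed size.
    for pair in "snet-dns-inbound 10.0.10.0/28" "snet-dns-outbound 10.0.10.16/28"; do
        set -- $pair
        run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$1" \
            --address-prefixes "$2" --delegations Microsoft.Network/dnsResolvers
    done

    # 2. The resolver itself, bound to the hub VNet.
    run az dns-resolver create -g "$RG" -n "$RESOLVER" -l "$LOCATION" \
        --id "$NET_PREFIX/virtualNetworks/$VNET"

    # 3. Inbound endpoint: receives a private IP from its subnet. On-premises
    #    DNS servers conditionally forward Azure zones to that address.
    run az dns-resolver inbound-endpoint create -g "$RG" --dns-resolver-name "$RESOLVER" \
        -n in-ep -l "$LOCATION" \
        --ip-configurations "[{\"private-ip-address\":\"\",\"private-ip-allocation-method\":\"Dynamic\",\"id\":\"$NET_PREFIX/virtualNetworks/$VNET/subnets/snet-dns-inbound\"}]"

    # 4. Outbound endpoint: the source of queries forwarded towards on-premises.
    run az dns-resolver outbound-endpoint create -g "$RG" --dns-resolver-name "$RESOLVER" \
        -n out-ep -l "$LOCATION" \
        --id "$NET_PREFIX/virtualNetworks/$VNET/subnets/snet-dns-outbound"

    # 5. Ruleset attached to the outbound endpoint, plus one rule for
    #    corp.contoso.com. The rule's domain name must end with a dot.
    run az dns-resolver forwarding-ruleset create -g "$RG" -n "$RULESET" -l "$LOCATION" \
        --outbound-endpoints "[{\"id\":\"$NET_PREFIX/dnsResolvers/$RESOLVER/outboundEndpoints/out-ep\"}]"
    run az dns-resolver forwarding-rule create -g "$RG" --ruleset-name "$RULESET" \
        -n corp-contoso --domain-name "corp.contoso.com." --forwarding-rule-state Enabled \
        --target-dns-servers "[{\"ip-address\":\"$ONPREM_DNS\",\"port\":53}]"

    # 6. Link the ruleset to a spoke VNet so its VMs use the rule; several
    #    VNets can link the same ruleset.
    run az dns-resolver vnet-link create -g "$RG" --ruleset-name "$RULESET" \
        -n link-spoke --id "$SPOKE_VNET_ID"
}

deploy_private_resolver
```

Run it with `DRY_RUN=0 SUBSCRIPTION_ID=<your id> sh deploy-resolver.sh` once the placeholder names match your environment. The on-premises side still needs a conditional forwarder for the Azure private zones pointing at the inbound endpoint's private IP, which the script prints when it is run for real.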
9. Integration with Azure Private DNS Zones
Azure DNS Private Resolver works closely with:
- Azure Private DNS zones
- VNet links
Important points:
- Inbound endpoint resolves names from linked private DNS zones
- Outbound endpoint forwards queries not resolvable in Azure
- Private DNS zones must be linked to VNets
10. Network Connectivity Requirements
Azure DNS Private Resolver requires:
- VPN Gateway or ExpressRoute for on-premises communication
- Proper routing between VNets and on-premises
- DNS traffic (UDP/TCP port 53) allowed
Exam tip:
- DNS Private Resolver does not create connectivity
- It uses existing network connections
11. Security Considerations
Azure DNS Private Resolver:
- Uses private IP addresses only
- Is not exposed to the public internet
- Works within Azure virtual network boundaries
- Supports network security groups (NSGs)
Best practices:
- Restrict DNS traffic using NSGs
- Deploy resolver in a hub VNet if using hub-and-spoke design
12. High Availability and Scalability
Important exam facts:
- Azure DNS Private Resolver is highly available by default
- No need to configure failover
- Microsoft manages scaling
- No SLA management required by the customer
13. Cost Considerations (Basic Exam Knowledge)
Costs are based on:
- Number of inbound endpoints
- Number of outbound endpoints
- Number of DNS queries processed
You do not pay for:
- Resolution of private DNS zones inside Azure that does not go through the resolver
14. Design Best Practices (Exam-Focused)
For AZ-700 exam:
- Use Azure DNS Private Resolver instead of DNS VMs
- Place resolver in a hub VNet
- Use outbound endpoints + forwarding rules for Azure → on-premises
- Use inbound endpoints for on-premises → Azure
- Always use dedicated subnets
15. Common Exam Scenarios
You should choose Azure DNS Private Resolver when:
- Azure and on-premises DNS integration is required
- Private DNS zones must be resolvable from outside Azure (for example, from on-premises)
- DNS VMs are not preferred
- High availability is required without manual setup
You should NOT use it when:
- Only Azure internal name resolution is needed
- No external DNS integration exists
16. Summary (For Quick Revision)
- Azure DNS Private Resolver enables hybrid DNS resolution
- It has inbound and outbound endpoints
- Requires dedicated subnets
- Uses DNS forwarding rulesets
- Integrates with Private DNS zones
- Fully managed, secure, and highly available
- Critical for hub-and-spoke and hybrid designs
