1.2 Design and Implement Name Resolution
📘Microsoft Azure Networking Solutions (AZ-700)
What Is a Private DNS Zone?
A Private DNS Zone in Azure is used to resolve private domain names to private IP addresses inside Azure virtual networks (VNets).
It allows Azure resources such as:
- Virtual machines
- Internal load balancers
- Private endpoints
- Azure PaaS services
to communicate using DNS names instead of IP addresses, without exposing them to the internet.
Private DNS zones are used only inside private networks, not for public websites.
Why Private DNS Zones Are Needed
In Azure, resources often:
- Have dynamic private IP addresses
- Are created and deleted frequently
- Must communicate securely inside a VNet or between VNets
Private DNS zones provide:
- Name resolution inside VNets
- Automatic DNS record management
- Centralized DNS for private services
- Secure internal communication
Difference Between Public DNS Zone and Private DNS Zone
| Feature | Public DNS Zone | Private DNS Zone |
|---|---|---|
| DNS resolution | Internet-based | Internal (VNet only) |
| Visibility | Public | Private |
| Used for | Public websites and apps | Internal Azure resources |
| Supports VNet linking | ❌ No | ✅ Yes |
| Used with Private Endpoints | ❌ No | ✅ Yes |
What Is Inside a Private DNS Zone?
A private DNS zone contains DNS records, just like traditional DNS.
Common record types:
- A record – Maps a name to an IPv4 address
- AAAA record – Maps a name to an IPv6 address
- CNAME record – Alias to another DNS name
- SOA record – Start of Authority (created automatically)
Azure automatically manages many records when used with private endpoints.
Private DNS Zone Namespace
A private DNS zone uses a custom domain name, for example:
- internal.contoso.com
- privatelink.database.windows.net
- corp.local
The domain name does not need to be registered publicly.
Virtual Network (VNet) Linking
Private DNS zones do not work until they are linked to a VNet.
What Is VNet Linking?
VNet linking allows:
- Resources inside a VNet to resolve DNS names from the private DNS zone
Key Points:
- One private DNS zone can be linked to multiple VNets
- A VNet can be linked to multiple private DNS zones
- VNets can be in different subscriptions
- VNets can be in different regions
Registration vs Resolution in VNet Links
When linking a VNet, you choose one of two options:
1. Resolution Only
- Resources can resolve DNS records
- No automatic record creation
2. Registration Enabled
- Azure automatically creates A records
- Used mainly for virtual machines
- A VNet can be linked with auto-registration to only one private DNS zone; a single zone may carry registration links from more than one VNet
Automatic DNS Record Registration
Automatic registration:
- Works with Azure virtual machines
- Creates DNS records automatically when a VM is created
- Updates records when IP addresses change
- Deletes records when the VM is deleted
This reduces manual DNS management.
Private DNS Zones and Private Endpoints (VERY IMPORTANT FOR EXAM)
Private DNS zones are critical for Private Endpoint connectivity.
How It Works:
- A Private Endpoint places a network interface with a private IP in one of your subnets and maps it to the PaaS resource
- When the endpoint is integrated with a private DNS zone (a DNS zone group), Azure creates the A record automatically, for example myaccount.privatelink.blob.core.windows.net (illustrative name)
- The service's public name (myaccount.blob.core.windows.net) is a CNAME to that privatelink name, so clients in linked VNets receive the private IP
- Traffic stays inside the Azure network
Common Private DNS Zones Used by Azure Services:
| Service | Private DNS Zone |
|---|---|
| Azure SQL Database | privatelink.database.windows.net |
| Azure Storage | privatelink.blob.core.windows.net |
| Azure Web Apps | privatelink.azurewebsites.net |
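The Bicep template below is an added example, not part of the original notes, that deploys what the VNet-linking and Private Endpoint sections describe in one go: a custom zone with one registration link and one resolution-only link, a privatelink zone for blob storage linked to the hub and spoke, and a private endpoint whose DNS zone group writes the A record. The resource names (vnet-hub, vnet-spoke1, snet-pe, stcontosoprivate) are assumptions; the VNets, subnet and storage account are expected to exist already in the target resource group.

```bicep
// Added example, not from the original notes. Assumed names (illustrative only):
// existing VNets vnet-hub and vnet-spoke1, subnet snet-pe in the spoke, and an
// existing storage account stcontosoprivate, all in the deployment's resource group.
param location string = resourceGroup().location

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'vnet-hub' }
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'vnet-spoke1' }
resource peSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: spokeVnet
  name: 'snet-pe'
}
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = { name: 'stcontosoprivate' }

// 1. Custom zone for VM names. Private DNS zones are global resources.
resource internalZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'internal.contoso.com'
  location: 'global'
}

// Registration link: VMs in the spoke get A records created, updated and
// removed automatically. A VNet can be registration-linked to one zone only.
resource internalSpokeLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: internalZone
  name: 'link-spoke1-registration'
  location: 'global'
  properties: {
    virtualNetwork: { id: spokeVnet.id }
    registrationEnabled: true
  }
}

// Resolution-only link: hub resources resolve the zone but never register in it.
resource internalHubLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: internalZone
  name: 'link-hub-resolution'
  location: 'global'
  properties: {
    virtualNetwork: { id: hubVnet.id }
    registrationEnabled: false
  }
}

// 2. Private Link zone for blob storage, linked (resolution only) to every VNet
//    whose clients must reach the storage account privately. Registration stays off:
//    the records here come from the endpoint's zone group, not from VMs.
resource blobZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.core.windows.net'
  location: 'global'
}

var blobZoneVnetIds = [hubVnet.id, spokeVnet.id]

resource blobZoneLinks 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for (vnetId, i) in blobZoneVnetIds: {
  parent: blobZone
  name: 'link-${i}'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnetId }
    registrationEnabled: false
  }
}]

// Private endpoint: a NIC in snet-pe with a private IP for the blob sub-resource.
resource blobPe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-stcontosoprivate-blob'
  location: location
  properties: {
    subnet: { id: peSubnet.id }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: ['blob']
        }
      }
    ]
  }
}

// DNS zone group: writes stcontosoprivate.privatelink.blob.core.windows.net -> private IP
// into the zone. Without it the endpoint exists but clients still resolve the public IP.
resource blobPeDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: blobPe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: blobZone.id }
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file private-dns.bicep`. To check the result, run `nslookup stcontosoprivate.blob.core.windows.net` from a VM in vnet-hub or vnet-spoke1: the answer should be the endpoint's private IP, while the same query from outside Azure still returns the public IP. If a VNet is missing from blobZoneVnetIds, its clients fall through to public DNS and reach the storage account over its public endpoint, which is the failure the exam traps below describe.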
Name Resolution Flow Using Private DNS Zones
- A resource sends a DNS query to the Azure-provided resolver (168.63.129.16)
- Azure checks:
  - Private DNS zones linked to the VNet
- If a matching record exists:
  - The private IP address is returned
  - Traffic stays inside Azure, and no internet access is used
- If no linked zone holds the name:
  - The query falls through to public DNS, so a private endpoint whose zone is not linked to the VNet resolves to the service's public IP
If the VNet uses custom DNS servers instead, they must forward queries to 168.63.129.16, or the linked private zones are never consulted.
Cross-VNet Name Resolution
Private DNS zones support:
- Hub-and-spoke network designs
- Shared DNS architecture
Example:
- Private DNS zone linked to:
- Hub VNet
- Multiple spoke VNets
All VNets can resolve the same private names.
Private DNS Zone vs Azure-Provided DNS
| Feature | Azure-Provided DNS | Private DNS Zone |
|---|---|---|
| Custom domain names | ❌ No | ✅ Yes |
| Automatic VM registration | ❌ No | ✅ Yes |
| Works with private endpoints | Limited | Fully supported |
| Centralized management | ❌ No | ✅ Yes |
Security Benefits
Private DNS zones:
- Prevent DNS exposure to the internet
- Support zero-trust network designs
- Complement network security groups (NSGs): DNS decides which IP a client receives, NSGs decide whether the traffic is allowed
- Support private-only access to services when the service's public network access is also disabled
High Availability and Reliability
Private DNS zones:
- Are globally available
- Are fully managed by Azure
- Do not require DNS servers
- Do not require backups
- Automatically scale
Exam Design Considerations (VERY IMPORTANT)
For AZ-700, remember:
✔ Use Private DNS Zones when:
- Resolving private IP addresses
- Using Private Endpoints
- Designing internal Azure networks
✔ Link the DNS zone to:
- All VNets that require name resolution
✔ Use auto-registration only when:
- You want automatic VM DNS records
✔ A VNet can be registration-linked to:
- Only one private DNS zone
✔ Private DNS zones:
- Do not support public internet queries
Common Exam Traps to Avoid
❌ Assuming private DNS zones work without VNet linking
❌ Using public DNS zones for private endpoints
❌ Forgetting to link DNS zones to all VNets
❌ Thinking private DNS zones replace on-premises DNS completely
❌ Enabling auto-registration for the same VNet on more than one zone
Summary (Quick Revision)
- Private DNS zones resolve private names to private IPs
- Used for internal Azure communication
- Must be linked to VNets
- Support Private Endpoints
- Support automatic DNS record registration
- Are secure, scalable, and managed
- Very important for AZ-700 exam
