Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.1.3. DNS Integration

DNS is the most common point of failure with Private Endpoints.

The Problem: By default, contoso.blob.core.windows.net resolves (through a CNAME to contoso.privatelink.blob.core.windows.net) to the service's public IP. Creating a Private Endpoint does not change that public DNS record. Clients in the VNet need the name to resolve to the private endpoint's NIC IP instead, and only DNS can make that happen.

Solution: Private DNS Zones
Resolution Flow (VM using Azure-provided DNS, 168.63.129.16):

1. VM queries: contoso.blob.core.windows.net
2. Azure public DNS returns CNAME: contoso.privatelink.blob.core.windows.net
3. Private DNS zone privatelink.blob.core.windows.net (linked to the VNet) overrides public resolution and answers from its A record "contoso": 10.0.1.10 (example endpoint NIC IP)
4. VM connects to the private IP through the endpoint NIC

Without the linked private DNS zone, step 3 falls through to public DNS, the client receives the public IP, and traffic bypasses the endpoint (and fails outright once public access is disabled).

Automatic DNS Integration: When creating a Private Endpoint, select "Integrate with private DNS zone" to have Azure automatically:

  • Create the private DNS zone privatelink.<service>.core.windows.net (if it does not exist yet)
  • Link the zone to the VNet (without auto-registration)
  • Create the A record for the endpoint (contoso → endpoint NIC IP) and keep it in sync through a DNS zone group attached to the endpoint
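The same integration done from the Az PowerShell module rather than the portal checkbox, as an added example (not from the original page or from Microsoft's documentation). Resource group, VNet, subnet, storage account and endpoint names are assumed, and the last step closes the public path that the endpoint alone leaves open.

```powershell
# Added example: Private Endpoint for a storage account's blob service with
# privatelink DNS zone integration. Names below are assumptions.
$rg      = 'rg-net'
$vnet    = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
$subnet  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-pe'
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stcontoso'

# 1. Private Endpoint targeting the blob sub-resource (group ID 'blob').
#    A NIC with a private IP from snet-pe is created for it.
$conn = New-AzPrivateLinkServiceConnection -Name 'plsc-stcontoso-blob' `
    -PrivateLinkServiceId $storage.Id -GroupId 'blob'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'pe-stcontoso-blob' `
    -Location $vnet.Location -Subnet $subnet -PrivateLinkServiceConnection $conn

# 2. Private DNS zone named exactly like the privatelink CNAME target, linked to
#    the VNet. Registration stays off: the zone group writes the record, not VM DHCP.
$zoneName = 'privatelink.blob.core.windows.net'
$zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) { $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName }
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name 'link-vnet-hub' -VirtualNetworkId $vnet.Id

# 3. DNS zone group: Azure creates and maintains the A record
#    stcontoso.privatelink.blob.core.windows.net -> endpoint NIC IP.
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'blob' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneConfig

# 4. The endpoint does not block the public path by itself. Close it on the resource.
Set-AzStorageAccount -ResourceGroupName $rg -Name 'stcontoso' -PublicNetworkAccess Disabled

# 5. Verification, run on a VM inside the linked VNet (not on the admin workstation):
#    expect a CNAME to the privatelink name followed by an A record in snet-pe's range.
Resolve-DnsName -Name 'stcontoso.blob.core.windows.net' -Type A |
    Select-Object Name, Type, NameHost, IPAddress
```

If step 5 still returns a public IP, the usual causes are the zone not being linked to the VNet the VM sits in, or the VM using custom DNS servers that do not forward to 168.63.129.16.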

On-Premises DNS:

For on-premises clients to resolve private endpoints (they cannot reach 168.63.129.16 directly, so something inside the VNet must answer for them):

  1. Deploy an Azure DNS Private Resolver with an inbound endpoint in a VNet that is linked to the private DNS zone(s)
  2. On the on-premises DNS servers, create a conditional forwarder for the relevant zone (for example privatelink.blob.core.windows.net, or its public parent blob.core.windows.net) pointing at the inbound endpoint's private IP, reachable over VPN or ExpressRoute
  3. Alternatively, deploy DNS forwarder VMs in Azure that forward to 168.63.129.16, and point the on-premises conditional forwarders at those VMs
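The resolver-based variant of this procedure in Az PowerShell, as an added example that is not part of the original page. It assumes the Az.DnsResolver module, a VNet already linked to the privatelink zone, a dedicated subnet delegated to Microsoft.Network/dnsResolvers, and hypothetical resource names; the conditional forwarder step is run separately on the on-premises Windows DNS server.

```powershell
# Added example: DNS Private Resolver inbound endpoint plus on-premises forwarder.
# Names and the sample IP are assumptions.
$rg   = 'rg-net'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'

# 1. Resolver bound to the VNet that is linked to privatelink.*.core.windows.net zones.
$resolver = New-AzDnsResolver -ResourceGroupName $rg -Name 'dnsres-hub' `
    -Location $vnet.Location -VirtualNetworkId $vnet.Id

# 2. Inbound endpoint: a private IP in a delegated subnet that accepts DNS queries
#    and answers them through Azure DNS, so private zone records are honoured.
$inSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-dns-in'
$ipConfig = New-AzDnsResolverIPConfigurationObject -SubnetId $inSubnet.Id `
    -PrivateIPAllocationMethod Dynamic
$inbound = New-AzDnsResolverInboundEndpoint -ResourceGroupName $rg `
    -DnsResolverName $resolver.Name -Name 'in-hub' -Location $vnet.Location `
    -IpConfiguration $ipConfig
$inboundIp = $inbound.IpConfiguration[0].PrivateIPAddress
"Inbound endpoint IP (target for on-premises forwarders): $inboundIp"

# 3. On the on-premises Windows DNS server (separate session; substitute the IP
#    printed above, 10.0.2.4 is a placeholder). Forwarding the privatelink zone is
#    shown; forwarding the public parent zone blob.core.windows.net also works.
Add-DnsServerConditionalForwarderZone -Name 'privatelink.blob.core.windows.net' `
    -MasterServers 10.0.2.4 -ReplicationScope 'Forest'

# 4. Check from an on-premises client: the answer must be the endpoint's private IP.
Resolve-DnsName -Name 'stcontoso.blob.core.windows.net' -Type A
```

The inbound endpoint only sees the private zones linked to the VNet it lives in, so a zone linked to a spoke but not to the resolver's VNet will still resolve publicly for on-premises clients.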

āš ļø Exam Trap: Private Endpoints don't automatically disable public access. You must explicitly disable public network access on the resource.

Written by Alvin Varughese, Founder (15 professional certifications)