%20rotate(128)%20scale(520%20420)%22%3E%3Cstop%20stop-color%3D%22%23f97316%22%20stop-opacity%3D%220.7%22%2F%3E%3Cstop%20offset%3D%221%22%20stop-color%3D%22%23f97316%22%20stop-opacity%3D%220%22%2F%3E%3C%2FradialGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D%221600%22%20height%3D%22900%22%20rx%3D%2248%22%20fill%3D%22url(%23bg)%22%2F%3E%3Crect%20width%3D%221600%22%20height%3D%22900%22%20rx%3D%2248%22%20fill%3D%22url(%23glow)%22%2F%3E%3Crect%20x%3D%2288%22%20y%3D%2288%22%20width%3D%221424%22%20height%3D%22724%22%20rx%3D%2236%22%20fill%3D%22rgba(15%2C23%2C42%2C0.78)%22%20stroke%3D%22rgba(248%2C250%2C252%2C0.12)%22%2F%3E%3Crect%20x%3D%2288%22%20y%3D%2288%22%20width%3D%221424%22%20height%3D%2216%22%20fill%3D%22url(%23accent)%22%2F%3E%3Ctext%20x%3D%2288%22%20y%3D%22176%22%20fill%3D%22rgba(248%2C250%2C252%2C0.72)%22%20font-family%3D%22JetBrains%20Mono%2C%20Arial%2C%20sans-serif%22%20font-size%3D%2228%22%20font-weight%3D%22700%22%20letter-spacing%3D%226%22%3EAZURE%20NETWORKING%3C%2Ftext%3E%3Ctext%20x%3D%2288%22%20y%3D%22366%22%20fill%3D%22%23f8fafc%22%20font-family%3D%22JetBrains%20Mono%2C%20Arial%2C%20sans-serif%22%20font-size%3D%2268%22%20font-weight%3D%22700%22%3EPrivate%20Endpoints%3C%2Ftext%3E%3Ctext%20x%3D%2288%22%20y%3D%22452%22%20fill%3D%22%23f8fafc%22%20font-family%3D%22JetBrains%20Mono%2C%20Arial%2C%20sans-serif%22%20font-size%3D%2268%22%20font-weight%3D%22700%22%3E%26amp%3B%20DNS%20Hell%3C%2Ftext%3E%3Ctext%20x%3D%2288%22%20y%3D%22770%22%20fill%3D%22rgba(248%2C250%2C252%2C0.52)%22%20font-family%3D%22JetBrains%20Mono%2C%20Arial%2C%20sans-serif%22%20font-size%3D%2226%22%20letter-spacing%3D%223%22%3Eabhinavyadav.dev%20%2F%20blog%3C%2Ftext%3E%3C%2Fsvg%3E)
Why Private Endpoints Break Your DNS (And How to Fix It)
Private Endpoints are one of Azure's most powerful security features — they pull a PaaS service (like Azure SQL, Storage, or Key Vault) into your VNet with a private IP. No public internet exposure. Traffic never leaves the Microsoft backbone.
They also break DNS in at least four non-obvious ways.
This is the troubleshooting guide I wish existed when I spent a Friday night at 11pm debugging why was resolving to from inside a peered VNet instead of the private IP.
How Private Endpoint DNS Is Supposed to Work
When you create a Private Endpoint for a Storage account:
- Azure creates a NIC in your subnet with a private IP (e.g., )
- A Private DNS Zone () is created
- A DNS A record maps →
- The public DNS CNAME chain redirects to the privatelink zone:
Simple. Until it isn't.
Gotcha #1: The Private DNS Zone Is Not Linked to Your VNet
This is the most common error. You create the Private Endpoint, the Private DNS Zone gets created, but nobody linked the zone to the VNet.
Symptom: from a VM in the VNet returns the public IP.
Fix:
Gotcha #2: VNet Peering Doesn't Share DNS Zones
You have two VNets — and — connected via peering. The Private DNS Zone is linked to . VMs in still can't resolve the private endpoint.
VNet peering forwardsIP traffic but does NOT forward DNS queries across the peering link by default. Each VNet needs its own link to the Private DNS Zone.
Symptom: DNS works from VMs in , fails from even though routing works.
Fix: Link the Private DNS Zone to every VNet that needs to resolve it:
If you have a hub-spoke topology with many spokes, automate this with a policy:
Gotcha #3: On-Premises DNS Forwarding
Your on-premises DNS server is forwarding all queries to Azure. But it's forwarding to (Azure's magic DNS IP) which only works from within an Azure VNet — not from your on-premises network.
Symptom: DNS for private endpoints works from Azure VMs, fails from on-premises servers.
Architecture fix: Set up an Azure Private DNS Resolver (or a DNS forwarder VM in your VNet) and configure your on-premises DNS to forward zones to it:
Gotcha #4: The Split-Horizon Problem with Azure SQL
Azure SQL's Private Endpoint configuration uses a different FQDN pattern. The CNAME chain goes through a redirect:
The inner CNAME () is a publicly resolvable name that maps to the private IP. If your firewall does DNS inspection and blocks external lookups, this chain breaks.
Fix: Ensure your DNS resolver can reach or configure a conditional forwarder specifically for it.
Diagnostic Checklist
When a Private Endpoint DNS resolution fails, run through this in order:
Use over — it shows the full CNAME chain and the server that answered the query, making split-horizon issues immediately visible.