Azure Private Endpoint and DNS - How DNS works with Private Endpoints, and why it matters
Are you building secure apps in Azure and keep hearing about “Private Endpoint” and “DNS,” but find the details confusing? You’re not alone! This post explains these concepts in simple terms, helping you understand how Private Endpoints work—and why DNS is so important.
What is an Azure Private Endpoint?
An Azure Private Endpoint lets your applications connect to Azure services (like Storage, Key Vault, or SQL Database) securely using a private IP address just for your network. Instead of sending traffic over the public internet, everything stays inside your own virtual network (VNet).
Why is this useful?
It keeps your data safe from outside threats and helps you meet security and compliance requirements. You can block public access to your resources so only your internal apps in Azure can talk to them.
Why is DNS Important for Private Endpoints?
Here's where things get tricky—and where many people get stuck!
When you connect to Azure services, you usually use a “hostname” instead of an IP address. For example, you might use:
- myappstorage.blob.core.windows.net (for Azure Storage)
- mykeyvault.vault.azure.net (for Key Vault)
- mydb.database.windows.net (for SQL Database)
The issue:
When you create a Private Endpoint, the service's hostname doesn’t change. You still use the same name (e.g., myappstorage.blob.core.windows.net). But now you want that hostname to point to the new private IP in your VNet—not to the public IP address in Azure!
This is where DNS comes in. DNS translates hostnames into IP addresses. With Private Endpoints, DNS needs to translate the “usual” hostname into your private IP, so you connect privately.
How Does DNS Work with Private Endpoints?
Let’s break it down into clear steps:
Step 1: You create a Private Endpoint for your service
- Your resource (like a Storage Account) gets a private IP in your VNet — e.g., 10.0.2.4
Step 2: Configure a Private DNS Zone
- Azure has something called a Private DNS Zone.
- You set one up matching your service, for example:
  - For Azure Storage: privatelink.blob.core.windows.net
  - For Key Vault: privatelink.vaultcore.azure.net
  - For SQL Database: privatelink.database.windows.net
- The DNS Zone holds records that connect the hostname (e.g., myappstorage.blob.core.windows.net) to the private IP (10.0.2.4).
Step 3: Internal apps use DNS to connect
- When your application or VM tries to reach myappstorage.blob.core.windows.net, Azure’s DNS automatically resolves it to your private IP, if your Private DNS Zone is set up correctly.
What if DNS is NOT configured?
If DNS isn’t set up, your applications will try to reach the public IP address of the service—over the internet. If you’ve blocked public access (which you should!), your connection will fail.
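A quick way to tell which of these two cases you are in is to run a resolution check from a VM inside the VNet. The script below is an added example, not part of the original post: it classifies the addresses DNS returns as private (inside the VNet CIDR) or public, and derives the privatelink record name the Private DNS Zone needs to hold. The hostname and VNet range (10.0.0.0/16) are constructed sample values.

```python
import ipaddress
import socket

# Private DNS Zone names from the post, keyed by the public suffix they front.
PRIVATELINK_ZONES = {
    "blob.core.windows.net": "privatelink.blob.core.windows.net",
    "vault.azure.net": "privatelink.vaultcore.azure.net",
    "database.windows.net": "privatelink.database.windows.net",
}


def expected_privatelink_name(hostname):
    """Name of the A record the Private DNS Zone must hold for this hostname.

    Azure maps <name>.<public suffix> onto <name>.<privatelink zone>, e.g.
    myappstorage.blob.core.windows.net -> myappstorage.privatelink.blob.core.windows.net.
    Unknown suffixes give None.
    """
    label, _, suffix = hostname.lower().partition(".")
    zone = PRIVATELINK_ZONES.get(suffix)
    return f"{label}.{zone}" if zone else None


def check_resolution(hostname, addresses, vnet_cidr):
    """Classify where a client would connect, given the addresses DNS returned.

    'private'    -> every answer is inside the VNet (the Private Endpoint path)
    'public'     -> an answer is outside the VNet: traffic heads for the internet
                    and fails once public access is blocked
    'unresolved' -> DNS returned nothing
    """
    vnet = ipaddress.ip_network(vnet_cidr)
    if not addresses:
        return "unresolved"
    if all(ipaddress.ip_address(a) in vnet for a in addresses):
        return "private"
    return "public"


def resolve(hostname):
    """Ask the VM's configured resolver (Azure DNS or your custom DNS) for answers."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    host, cidr = "myappstorage.blob.core.windows.net", "10.0.0.0/16"  # constructed values
    answers = resolve(host)
    print(host, "->", answers or "no answer", "=>", check_resolution(host, answers, cidr))
    print("Private DNS Zone should hold an A record for:", expected_privatelink_name(host))
```

Run it from a VM in the VNet: a result of "public" means the Private DNS Zone is missing, not linked to the VNet, or not reached by your custom DNS forwarder.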
Types of DNS in Azure — Which Should You Use?
There are several DNS services in Azure, but here’s what matters most for Private Endpoints:
- Azure DNS: Manages public DNS records for custom domains on the internet. Not for Private Endpoint connections.
- Azure Private DNS Zones: Used for internal DNS records for your Private Endpoints—this is what you need!
- Custom DNS: You may use your own DNS server (on-premises or in the cloud) if you want, but you must ensure it can resolve Azure Private Endpoint hostnames correctly.
- Azure DNS Private Resolver: An advanced service for forwarding DNS queries between networks, especially useful in complex or hybrid setups.
For most use cases, Private DNS Zones are essential for your Private Endpoints to work smoothly.
Public DNS Zones vs. Private DNS Zones
- Public DNS Zones: Used for exposing your own domain names to the internet (not relevant for Private Endpoint connectivity).
- Private DNS Zones: Used to resolve Azure service hostnames to private IPs inside your VNet.
Summary - Making it All Work
In simple terms:
When you use a Private Endpoint, you must set up DNS so that when your application looks up the service's hostname (like myappstorage.blob.core.windows.net), it gets the private IP address—not the public one.
How?
- Create a Private Endpoint for your service
- Create and link a Private DNS Zone for the service to your VNet
- Make sure your applications use Azure DNS or your custom DNS that forwards to the Private DNS Zone
With this configuration:
- Your traffic stays secure and private, inside Azure
- Public access is blocked
- Everything resolves correctly and your apps work
Next Steps:
In future posts, we’ll walk through setting up a Storage Account with a Private Endpoint and configuring DNS step-by-step—including using the Azure Portal and CLI commands.
Connect & Questions
Want to discuss Azure Private Endpoints, share feedback, or ask questions?
Reach out on X (Twitter) @sakaldeep, or connect with me on LinkedIn!
I look forward to connecting with fellow cloud professionals and learners.