Hey everyone! I'm dealing with a networking setup where I've got a Hub VNet equipped with a private DNS resolver and two Spoke VNets, which I'll call vnet1 and vnet2. In vnet1, there's a VM, and in vnet2, there's a storage account that has a private endpoint with the public endpoint turned off.
I've only set up the inbound endpoint for the DNS resolver, and both VNets use this as their DNS server. The trouble I'm facing is that my VM in vnet1 can't resolve the private IP of the storage account's FQDN. I think the issue might be that the private resolver needs a forwarding rule to connect with the private DNS zone linked to vnet2, but I'm not sure what IP to use for that rule.
I'm looking for guidance on how to set up DNS connectivity so that resources across different VNets can effectively utilize private endpoints. A few constraints I'm working with: I can't create a central private DNS zone for each resource and link the multiple VNets. Plus, in the future, there will be more VNets connected to this hub that don't belong to my team, so I'm leaning towards a solution that's straightforward and scalable. I'm trying to avoid having a DNS server in each VNet unless it's absolutely necessary.
2 Answers
When you set up a private endpoint for your storage account, Azure automatically creates a privatelink.* Private DNS zone that includes an A record for that private endpoint IP. If that Private DNS zone is only linked to vnet2, the resolver in the hub VNet won't see those records by default.
The simplest fix is to link the storage account’s privatelink.* DNS zone to the hub VNet — that's where your Private DNS Resolver and inbound endpoint are. This way, multiple VNets can use one DNS zone, which simplifies things significantly. Keep your spokes pointing to the hub resolver as their DNS server, and your queries from vnet1 to .blob.core.windows.net will reach the hub resolver, allowing it to see the linked privatelink zone and return the private IP. This should resolve your issue!
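Putting that first answer into practice with Azure PowerShell, as an added example that is not part of the original thread; the resource group, VNet, link and storage account names are assumptions to be replaced with your own.

```powershell
# Added example (not from the original post): link the storage account's
# privatelink zone to the hub VNet so the hub's Private DNS Resolver inbound
# endpoint can answer for it, then verify the record and the resolution path.
# Resource group, VNet and account names below are assumptions.

$rgSpoke  = 'rg-vnet2'      # assumed: resource group holding the privatelink zone
$rgHub    = 'rg-hub'        # assumed: resource group holding the hub VNet
$hubVnet  = 'vnet-hub'      # assumed: hub VNet name
$zoneName = 'privatelink.blob.core.windows.net'   # zone Azure created for the blob private endpoint

# 1. The zone must already hold an A record pointing at the private endpoint's IP.
$aRecords = Get-AzPrivateDnsRecordSet -ResourceGroupName $rgSpoke -ZoneName $zoneName -RecordType A
$aRecords | Select-Object Name, @{ n = 'Ip'; e = { $_.Records.Ipv4Address -join ',' } }

# 2. Link the zone to the hub VNet. Registration stays off: this link is for
#    resolution only, not for hub VMs to auto-register hostnames.
$hub = Get-AzVirtualNetwork -ResourceGroupName $rgHub -Name $hubVnet
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rgSpoke -ZoneName $zoneName `
    -Name 'link-to-hub' -VirtualNetworkId $hub.Id -EnableRegistration:$false

# 3. Confirm the link reports Completed before testing from a spoke VM.
Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rgSpoke -ZoneName $zoneName |
    Select-Object Name, VirtualNetworkLinkState

# 4. On the VM in vnet1 (Windows assumed; 'mystorageacct' is a placeholder),
#    the public name should CNAME to the privatelink name and end in the
#    private endpoint IP, not a public address.
Resolve-DnsName 'mystorageacct.blob.core.windows.net' |
    Select-Object Name, Type, IPAddress, NameHost
```

A VNet can be linked to only one Private DNS zone with a given name, so the hub can carry a single privatelink.blob.core.windows.net zone that every spoke shares through the resolver. If the final lookup still returns a public IP, check that the spoke's DNS server setting really points at the inbound endpoint IP and that the VM's DNS cache has been flushed.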
Quick question: why do you have a DNS zone linked to vnet2? Typically, everything should get linked to the hub VNet where your DNS resolver is located. By doing this, you ensure better visibility across your VNets.
Thanks for your reply! I need each VNet to maintain its own private DNS zones to avoid conflicts, especially since multiple VNets might have DNS zones with the same namespace. Linking everything to the hub could create issues. Hope that clears things up!