 

What is Azure Private DNS Zone Group?

I am automating some processes with Azure Private DNS Zone and Private Endpoint. I have encountered the Private DNS Zone Group resource. There is a REST API for this resource, here. But I couldn't find any documentation on the internet explaining its function. Nor could I find it in the portal.

Any idea about its function?

MoonHorse asked Nov 17 '25 06:11



2 Answers

Private DNS Zone Groups are a kind of link back to one or multiple Private DNS Zones. With this connection, an A-Record will automatically be created, updated or removed on the referenced Private DNS Zone depending on the Private Endpoint configuration.

This setting is analogous to the following setting during manual creation in the Azure Portal UI:

The account that adds the PrivateDNSZoneGroup needs to have the following permission on the Private DNS Zone:

  • Microsoft.Network/privateDnsZones/join/action

Example Scenario:

Hub-and-spoke architecture. The hub has the Private DNS Zone for, e.g., a PostgreSQL server, with the name privatelink.postgres.database.azure.com.

Private Endpoints are created where the service resides, e.g. in a spoke subscription. The Private DNS Zone Group configuration on the Private Endpoint points to the Private DNS Zone in the hub subscription.

With this setup, A-Records within the Private DNS Zone are maintained automatically.

With Azure DevOps, your Service Connection / Service Principal needs the following permission on the Private DNS Zones in the Hub, e.g. via a Custom Role: Microsoft.Network/privateDnsZones/join/action

An ARM template would look similar to this:

{
    "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
    "apiVersion": "2021-03-01",
    "name": "[concat(parameters('privateEndpointName'), '/customdnsgroup')]",
    "location": "[parameters('location')]",
    "dependsOn": [
        "[parameters('privateEndpointName')]"
    ],
    "properties": {
        "privateDnsZoneConfigs": [
            {
                "name": "exampleConfig",
                "properties": {
                    "privateDnsZoneId": "[parameters('privateDnsZoneResourceId')]"
                }
            }
        ]
    }
}

Additional Note: For me it only worked properly when the name of the Private DNS Zone was set to the official privatelink-FQDN of the specified resource. Otherwise, the A-Record was not automatically created.

Additional References

  • https://bloggerz.cloud/2020/12/18/azure-private-link-and-dns/
  • https://learn.microsoft.com/en-us/azure/dns/dns-protect-private-zones-recordsets
Christoph answered Nov 18 '25 21:11

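The same spoke-side deployment written in Bicep, as an added example that is not part of the answer above: it creates the Private Endpoint and attaches the privateDnsZoneGroups child resource that points at the zone in the hub subscription. The parameter names, the 'customdnsgroup' / 'exampleConfig' names and the PostgreSQL target are assumptions for illustration.

```bicep
// Added example (not from the original answer). Deployed in the spoke
// subscription; the deploying identity needs
// Microsoft.Network/privateDnsZones/join/action on the hub zone.
param location string = resourceGroup().location
param privateEndpointName string
param subnetId string
// Resource ID of the PostgreSQL server being exposed (assumed parameter)
param postgresServerId string
// Resource ID of the hub zone, e.g. (placeholder IDs):
// /subscriptions/<hub-sub-id>/resourceGroups/<hub-rg>/providers/
//   Microsoft.Network/privateDnsZones/privatelink.postgres.database.azure.com
param hubPrivateDnsZoneId string

resource pe 'Microsoft.Network/privateEndpoints@2021-03-01' = {
  name: privateEndpointName
  location: location
  properties: {
    subnet: {
      id: subnetId
    }
    privateLinkServiceConnections: [
      {
        name: '${privateEndpointName}-conn'
        properties: {
          privateLinkServiceId: postgresServerId
          // Sub-resource of the target service to expose through the endpoint
          groupIds: [ 'postgresqlServer' ]
        }
      }
    ]
  }
}

// The zone group is a child of the Private Endpoint; once it exists, Azure
// maintains the A record for the endpoint's NIC in the referenced hub zone.
// The zone name must be the official privatelink FQDN for the service.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-03-01' = {
  parent: pe
  name: 'customdnsgroup'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'exampleConfig'
        properties: {
          privateDnsZoneId: hubPrivateDnsZoneId
        }
      }
    ]
  }
}
```

Because the zone lives in another subscription, granting the spoke's service principal only the join/action permission (plus read) on that zone, rather than Contributor on the hub resource group, keeps the cross-subscription trust narrow.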


Also interested in this, as I have recently come across it.

It appears that in a hub/spoke implementation it allows the private DNS zones to be created once in the hub, e.g. privatelink.file.core.windows.net.

The zone group configuration allows spoke accounts to register in this zone, rather than having a privatelink.file.core.windows.net zone in each spoke account.

With this configuration all name resolution goes via a central DNS lookup from the hub. E.g. if your org is connecting from on-prem, then you can resolve names for private endpoints in spoke accounts.

Not sure why this configuration is only exposed through API though.

CPott answered Nov 18 '25 21:11



