Multiple Private Endpoints for same resource type in the same VNet

simon 21 Reputation points
2022-08-01T12:47:16.453+00:00

Hi everyone,

The situation is as follows:
I have 2 Key Vaults in the same VNet but in different subnets. I also already have one Private Endpoint with a Private DNS zone for 1 of the 2 Key Vaults.
Now I want to connect to the second Key Vault via Private Endpoint as well.

Microsoft is saying this:

Existing Private DNS Zones tied to a single service should not be associated with two different Private Endpoints as it will not be possible to properly resolve two different A-Records that point to the same service.

So is there a solution for my problem?

Thanks in advance!


Accepted answer
KapilAnanth-MSFT 35,986 Reputation points Microsoft Employee
    2022-08-02T04:43:16.95+00:00

    Hi @simon ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you are looking forward to adding two Keyvaults' private IP in a single private DNS Zone as A record.

    In a private DNS Zone, you can have only one A record with a particular name.

    • This is important because if there were multiple A records with the same name, the resolver would not know which IP to return
    • The point you have highlighted refers to exactly this

    You can definitely have multiple A records as long as they have different names.
    For example,
    keyvault1.privatelink.vault.azure.net and keyvault2.privatelink.vault.azure.net can co-exist in a single Private Zone.

    Refer: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns

    I hope this answers your query. Please feel free to let me know should there be any follow-up queries.
    If this answer was helpful, kindly consider accepting the same as it may be beneficial to other community members

    Cheers,
    Kapil

    1 person found this answer helpful.
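The rule in the accepted answer (one A record per name, but as many differently named records as you like in one zone) can be made concrete in a small model. The following is an added example, not code from the thread or from Microsoft: it simulates a single `privatelink.vault.azure.net` Private DNS zone receiving the A records that two private endpoints' DNS zone groups would write, shows both vaults resolving to their own private IP, rejects a second record with the same name but a different IP (the case the quoted Microsoft note warns about), and includes an audit check for an exported record list that already contains such a conflict. All vault names and 10.x.x.x addresses are constructed sample values.

```python
"""Model of one shared Azure Private DNS zone for Key Vault private endpoints.

Added example for the Q&A thread above; not code from the thread or from
Microsoft.  Record names and private IPs are constructed sample values.
"""
from typing import Dict, List, Optional, Tuple

ZONE_NAME = "privatelink.vault.azure.net"

# (record name, private IP) pairs, as each private endpoint's DNS zone group
# would create them in the zone.  Constructed sample data: two vaults whose
# private endpoints live in two different subnets of the same VNet.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("keyvault1", "10.0.1.4"),   # vault 1, private endpoint in subnet 1
    ("keyvault2", "10.0.2.4"),   # vault 2, private endpoint in subnet 2
]


def add_endpoint_record(records: List[Tuple[str, str]], vault_name: str,
                        private_ip: str) -> str:
    """Register the A record for a private endpoint and return its FQDN.

    Different names may coexist freely.  A second record with the SAME name
    but a different IP is refused: the zone would then hold two A records for
    one service and a resolver could hand back either address.
    """
    name = vault_name.lower()
    for existing_name, existing_ip in records:
        if existing_name == name and existing_ip != private_ip:
            raise ValueError(
                f"{name}.{ZONE_NAME} already points to {existing_ip}; "
                f"it cannot also point to {private_ip}")
    if (name, private_ip) not in records:          # idempotent re-registration
        records.append((name, private_ip))
    return f"{name}.{ZONE_NAME}"


def resolve(records: List[Tuple[str, str]], fqdn: str) -> Optional[str]:
    """Resolve a privatelink FQDN against the zone; None if no record exists."""
    suffix = "." + ZONE_NAME
    fqdn = fqdn.lower().rstrip(".")
    if not fqdn.endswith(suffix):
        return None                                 # not a name this zone owns
    name = fqdn[: -len(suffix)]
    matches = [ip for rec_name, ip in records if rec_name == name]
    return matches[0] if matches else None


def find_conflicts(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Audit check for an exported record list: names mapped to >1 distinct IP.

    Such names are the misconfiguration the Microsoft note describes (two
    private endpoints registering the same service name in one zone).
    """
    seen: Dict[str, List[str]] = {}
    for name, ip in records:
        ips = seen.setdefault(name.lower(), [])
        if ip not in ips:
            ips.append(ip)
    return {name: ips for name, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    zone = list(SAMPLE_RECORDS)
    for vault in ("keyvault1", "keyvault2"):
        fqdn = f"{vault}.{ZONE_NAME}"
        print(f"{fqdn} -> {resolve(zone, fqdn)}")
    try:
        add_endpoint_record(zone, "keyvault1", "10.0.3.4")   # same name, new IP
    except ValueError as err:
        print("refused:", err)
    # Constructed export that already contains the bad state, for the audit.
    bad_export = [("kv", "10.0.1.4"), ("kv", "10.0.3.4"), ("other", "10.0.5.5")]
    print("conflicts:", find_conflicts(bad_export))
```

Running the audit (`find_conflicts`) against the record sets actually present in the zone is the check to do before adding a second endpoint: an empty result means the existing zone can be shared by the new Key Vault's endpoint, as the answer describes.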
