Hello @Julie,
Hope you're doing well!
Thanks for reaching out to Microsoft Q&A.
When you connect to an Azure SQL Managed Instance using a private DNS zone, the TLS certificate you get from Microsoft only includes the public service name (the public fully qualified domain name or FQDN). It doesn’t include any private or custom DNS names you might have set up. This is how it’s designed.
Microsoft manages these TLS certificates for all SQL Managed Instances centrally to keep things secure, compliant, and scalable. The certificates are issued for the public domain—that’s the domain everyone uses, like *.database.windows.net. They don’t cover any private or custom DNS names customers might create.
If Microsoft were to include private or custom DNS names, they would have to make a separate certificate for every customer’s private DNS. In a cloud where many customers share resources, this isn’t practical or safe.
Here’s why private or custom hostnames aren’t in the certificates:
- It would mean Microsoft has to create and manage certificates for every unique private DNS name, which is too complex and not secure for a shared cloud environment.
- Certificates are the same across all Azure SQL services to keep security checks consistent and meet Microsoft’s strict policies.
- Azure SQL Managed Instance always uses the public FQDN to verify identity. So even if you connect through a private endpoint or DNS alias, your connection has to use the public FQDN so it matches the certificate.
The TLS certificates are fully managed by Microsoft, and customers can’t upload or use their own certificates for the managed instance.
What Microsoft suggests when using a private or internal DNS name to connect:
- Always use the public FQDN of the Managed Instance in your connection string, even if you’re using private endpoints. This makes sure the TLS certificate matches and the connection is trusted.
- If you must use a private DNS name, configure your SQL client like this:
- Set HostNameInCertificate to the public FQDN.
- Set TrustServerCertificate=True only if you trust the connection and want to skip hostname checking.
These settings let your client correctly verify the certificate using the public hostname, even if you connect with a private DNS name.
Supporting Documents:
Resolve private domain names - Azure SQL Managed Instance | Microsoft Learn
Connectivity architecture - Azure SQL Managed Instance | Azure Docs
SqlConnectionStringBuilder.TrustServerCertificate Property (System.Data.SqlClient) | Microsoft Learn
Kindly let us know if the above helps or you need further assistance on this issue.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
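The client-side configuration the answer describes, shown as an added example that is not part of the original answer and is not Microsoft code: a small emulation of what a SQL client does with the TLS hostname check when the connection goes to a private DNS alias. All names are constructed for illustration (a public FQDN myinstance.abc123.database.windows.net, a private alias sqlmi.corp.contoso.internal, and a server certificate whose SAN list holds the wildcard *.abc123.database.windows.net); the connection-string keys follow the ADO.NET/ODBC spelling, and HostNameInCertificate is honoured by Microsoft.Data.SqlClient 5.0+ and the ODBC Driver 18+, not by the older System.Data.SqlClient.

```python
"""Added example (not from the original answer): why a private DNS alias fails the
TLS hostname check, and how the two client settings change the outcome.

Constructed names, not real resources:
  PUBLIC_FQDN    public name that the Microsoft-issued certificate covers
  PRIVATE_ALIAS  a customer private DNS name pointing at the same instance
  CERT_SANS      the SAN list of the (assumed) server certificate
"""

PUBLIC_FQDN = "myinstance.abc123.database.windows.net"
PRIVATE_ALIAS = "sqlmi.corp.contoso.internal"
CERT_SANS = ("*.abc123.database.windows.net",)  # constructed single-label wildcard


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, a leading '*' covers exactly
    one left-most label, and label counts must be equal (so a wildcard never
    matches a name from a different zone or with a different depth)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches(sans, hostname: str) -> bool:
    return any(san_matches(san, hostname) for san in sans)


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    out = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def effective_hostname_check(cs: str, sans) -> tuple:
    """Emulate the client's decision. Returns (connection_allowed, reason).

    TrustServerCertificate=True disables certificate validation entirely (chain
    and hostname). HostNameInCertificate swaps the name compared against the SAN
    list while the chain is still validated normally."""
    params = parse_connection_string(cs)
    if params.get("trustservercertificate", "false").lower() in ("true", "yes"):
        return True, "TrustServerCertificate=True: certificate not validated at all"
    # 'Server' (or 'Data Source') may look like tcp:host,port
    server = params.get("data source") or params.get("server", "")
    host = server.split(":", 1)[-1].split(",", 1)[0]
    name_to_check = params.get("hostnameincertificate", host)
    if cert_matches(sans, name_to_check):
        return True, "certificate SAN matches " + name_to_check
    return False, "certificate SAN does not match " + name_to_check


# Three ways of connecting through the private alias (constructed strings).
PRIVATE_ONLY = (
    "Server=tcp:" + PRIVATE_ALIAS + ",1433;Database=app;Encrypt=True"
)
PRIVATE_TRUST_ALL = PRIVATE_ONLY + ";TrustServerCertificate=True"      # weak
PRIVATE_WITH_PUBLIC_NAME = (
    PRIVATE_ONLY + ";TrustServerCertificate=False;HostNameInCertificate=" + PUBLIC_FQDN
)                                                                        # recommended


def demo() -> dict:
    """Run the three connection strings through the emulated check."""
    return {
        "private_only": effective_hostname_check(PRIVATE_ONLY, CERT_SANS),
        "trust_all": effective_hostname_check(PRIVATE_TRUST_ALL, CERT_SANS),
        "public_name_in_cert": effective_hostname_check(PRIVATE_WITH_PUBLIC_NAME, CERT_SANS),
    }


if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print(f"{label:22} allowed={ok!s:5} {why}")
```

The first string is rejected because the name the client resolved (the private alias) is not in the certificate; the second is accepted only because validation was switched off, which also removes protection against a forged certificate on the path; the third keeps full validation and simply tells the client which name the certificate is expected to carry, which is the configuration the answer recommends.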