Automation Accounts and Private Endpoints DNS records

J Rippon 81 Reputation points
2022-11-24T10:18:53.927+00:00

We are currently deploying Private Endpoints to a Azure Automation account to connect to three separate subscriptions containing VMs.

I can deploy the Private Endpoints in both pending approval ie 'manualPrivateLinkServiceConnections' and pre approved 'privateLinkServiceConnections' fine but when I look in the Private DNS zone I only every see two A records containing the IPs for the last Private Endpoint deployed ( Shown below)

263839-dns.png

I have tried specifying unique FQDNs within my Bicep code ( shown below) but they never seem to appear

So my questions are

  1. Is this expected configuration or should each Private Endpoint have its own unique FQDN and A record?
  2. Why do specified FQDNs never show? is it possible to see them? `resource privateEndpoint 'Microsoft.Network/privateEndpoints@2022-05-01' = {
    name: 'PrivateEndpoint11'
    location: resourceGroup().location
    properties: {
    subnet: {
    id: PrivateEndpointid
    }
    customNetworkInterfaceName: 'interface-pen'
    ipConfigurations: [
    {
    name: 'ipconfig1'
    properties: {
    groupId: 'DSCAndHybridWorker'
    memberName: 'AgentService'
    privateIPAddress: '10.2.1.22'
    }
    }
    {
    name: 'ipconfig2'
    properties: {
    groupId: 'DSCAndHybridWorker'
    memberName: 'JRDS'
    privateIPAddress: '10.2.1.23'
    }
    }
    ]
    customDnsConfigs: [
    {
    fqdn: 'PrivateEndpoint11.agentsvc.uks.privatelink.azure-automation.net'
    ipAddresses: [
    '10.2.1.22'
    ]
    }
    {
    fqdn: 'PrivateEndpoint11.jrds.uks.privatelink.azure-automation.net'
    ipAddresses: [
    '10.2.1.23'
    ]
    }
    ]
    privateLinkServiceConnections: [
    {
    name: 'aa-connection11'
    properties: {
    groupIds: [
    'DSCAndHybridWorker'
    ]
    privateLinkServiceId: ata.id
    }
    }
    ]
    }
    tags: p_tags
    } resource privateEndpointDNS 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = {
    name: '${privateEndpoint.name}/default'
    properties: {
    privateDnsZoneConfigs: [
    {
    name: 'privatelink.azure-automation.net'
    properties: {
    privateDnsZoneId: resourceId('Microsoft.Network/privateDnsZones', 'privatelink.azure-automation.net')
    }
    }
    ]
    }
    }
Azure DNS
Azure DNS
An Azure service that enables hosting Domain Name System (DNS) domains in Azure.
631 questions
Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,558 questions
Azure Automation
Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
1,191 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. AnuragSingh-MSFT 21,246 Reputation points
    2022-12-05T09:15:02.587+00:00

    @J Rippon , I am sorry for the delayed response. Here is some information that should help you regarding this (I dont have multiple subscriptions, but simulated it based on VNets from different resource groups)

    1. Private endpoints would not have unique FQDN. It would be in the format of
    <Automation-Resource-GUID>.agentsvc.cid...

    Please see How Private Link in Azure Automation work to understand more about it. When private endpoint is enabled, the respective jrds and webhook URLs resolve to the private IP assigned to automation account's endpoint in the VNET. Please see this link for more details - Use Azure Private Link to securely connect networks to Azure Automation

    Therefore, the URLs would not be unique, but the private IP assigned to Account's private end point would change depending on the VNET. If you try to create a new private endpoint using the already created DNSZone (in same RG), the last updated information will persist.

    2. The URLs cannot be changed to custom FQDN. They would follow the pattern as seen in the portal, similar to <automation account id>.jrds.cid.azure-automation.net Please see support for private links in Azure Automation for more details.

    Hope this helps.

    1 person found this answer helpful.

  2. J Rippon 81 Reputation points
    2022-12-13T09:37:50.717+00:00

    Thank you for the responses they were very helpful.

    I actually found the resolution to be just to deploy a single Private Endpoint into our hub subscription and use the peering to connect to each of our spokes.

    This is different to how the documentation suggests but since you can only have a single FQDN on a Private Endpoint it gives us the required result.

    1 person found this answer helpful.

  3. msrini-MSFT 9,271 Reputation points Microsoft Employee
    2022-11-26T08:39:02.263+00:00

    Hi,

    Can you check if you are creating multiple Private DNS Zones with the same names for each of your automation accounts .?

    If yes, you will need to choose the existing Private DNS Zones when you enable Private endpoint for automation accounts.

    Regards,
    Karthik Srinivas