Creating private endpoint using existing private DNS

prasantc 976 Reputation points
2023-08-25T13:19:26.18+00:00

I have an existing private DNS zone in Azure in a separate service subscription with reader access.

The private zone in this subscription is set up for auto registration of DNS.

For Key Vault, the vaultcore primary zone is set up on this central subscription, which has connectivity across all regions.

Now I am creating a private endpoint for Key Vault on the Europe dev subscription. On the last step of the private endpoint I am planning to point to the existing private endpoint in the service subscription, but it only has the option to create a new one. All I need is to create an A record for this Key Vault resource, e.g. xxx, which will make something like an xxx.vaultcore.net record set on the DNS zone in the service subscription.

How do I set this up? Do I need to create the A record first? Do I need to follow different steps, as the private endpoint setup does not allow pointing to the existing core DNS zone for KV or any other resource?


Accepted answer
    GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
    2023-08-28T06:20:24.1133333+00:00

    Hello @prasantc ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have an existing private DNS zone for a primary Key Vault setup with auto registration of DNS in a central Azure subscription with reader access, but now you are trying to create private endpoint for Key Vault on another subscription, and you would like to know how you can use the existing private DNS zone and not create a new one.

    As mentioned in the Private endpoint DNS integration doc,

    If you're using a private endpoint in a hub-and-spoke model from a different subscription or even within the same subscription, link the same private DNS zones to all spokes and hub virtual networks that contain clients that need DNS resolution from the zones.

    So, to make sure that the new private endpoint created in a different subscription is linked to the existing private DNS zone, you can link the existing private DNS zone deployed in the central subscription to a Virtual network deployed in your Europe dev subscription, from where you would like to resolve the Europe dev subscription Key Vault.

    To link a virtual network that belongs to a different subscription to an existing private zone, you must have write operation permission on the virtual networks and the private DNS zone.

    Refer: https://learn.microsoft.com/en-us/azure/dns/dns-faq-private#can-a-virtual-network-that-belongs-to-a-different-subscription-be-linked-to-a-private-zone-

    When creating the private endpoint for Key Vault on Europe dev subscription, set the Integrate with private DNS zone to NO. And then link the Europe dev subscription Virtual network to the existing Central private DNS zone.

    Once you link the private DNS zone to the Europe dev subscription Virtual network, you can manually create the DNS records as per requirement.

    For more information on such setups, refer to the article below:

    https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

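The three steps in the accepted answer (private endpoint created without DNS integration, dev VNet linked to the central zone, A record added by hand), as an added Azure CLI example that is not part of the original thread. Subscription IDs, resource groups, VNet, subnet and Key Vault names are placeholders; the zone name privatelink.vaultcore.azure.net is the documented Key Vault private link zone. The `az` steps only run when RUN_AZ_STEPS=1 is set, since they need a signed-in session with write access on both the dev VNet and the central zone (reader on the central subscription is not enough for the link).

```shell
#!/usr/bin/env sh
# Constructed example: Key Vault private endpoint in the Europe dev subscription,
# DNS records kept in the central subscription's existing private DNS zone.
# All subscription IDs, resource groups and resource names below are placeholders.

CENTRAL_SUB="00000000-0000-0000-0000-000000000001"   # placeholder: central/service subscription
DEV_SUB="00000000-0000-0000-0000-000000000002"       # placeholder: Europe dev subscription
CENTRAL_RG="rg-central-dns"                           # placeholder: RG holding the private zone
DEV_RG="rg-eu-dev"                                    # placeholder
DEV_VNET="vnet-eu-dev"                                # placeholder
DEV_SUBNET="snet-privateendpoints"                    # placeholder
KV_NAME="kv-eu-dev-app"                               # placeholder

# Key Vault's private link DNS zone (the documented Azure zone name).
KV_ZONE="privatelink.vaultcore.azure.net"

# Map a Key Vault's public host name to "<zone> <record-set name>".
# The record-set name is the vault name; the public suffix is replaced by the
# privatelink zone, which is why no new zone is needed in the dev subscription.
kv_private_dns_target() {
  fqdn="$1"
  case "$fqdn" in
    *.vault.azure.net) ;;
    *) echo "unexpected Key Vault host name: $fqdn" >&2; return 1 ;;
  esac
  echo "$KV_ZONE ${fqdn%%.*}"
}

# Sanity check on the endpoint's NIC address before writing it into the zone.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Step 1: create the private endpoint WITHOUT a dns-zone-group, i.e. the portal's
# "Integrate with private DNS zone = No", so nothing is created in the dev subscription.
create_private_endpoint() {
  kv_id=$(az keyvault show --subscription "$DEV_SUB" --name "$KV_NAME" --query id -o tsv)
  az network private-endpoint create --subscription "$DEV_SUB" -g "$DEV_RG" \
    --name "pe-$KV_NAME" --vnet-name "$DEV_VNET" --subnet "$DEV_SUBNET" \
    --private-connection-resource-id "$kv_id" --group-id vault \
    --connection-name "pe-$KV_NAME-conn" -o none
}

# Step 2: link the dev VNet to the central zone. Needs write on the VNet and on
# the zone. registration-enabled=false: this zone only carries private link
# records, so dev VMs must not auto-register into it.
link_vnet_to_central_zone() {
  vnet_id=$(az network vnet show --subscription "$DEV_SUB" -g "$DEV_RG" -n "$DEV_VNET" --query id -o tsv)
  az network private-dns link vnet create --subscription "$CENTRAL_SUB" -g "$CENTRAL_RG" \
    --zone-name "$KV_ZONE" --name "link-$DEV_VNET" \
    --virtual-network "$vnet_id" --registration-enabled false -o none
}

# Step 3: read the endpoint's private IP and create the A record manually.
add_a_record() {
  ip=$(az network private-endpoint show --subscription "$DEV_SUB" -g "$DEV_RG" --name "pe-$KV_NAME" \
        --query 'customDnsConfigs[0].ipAddresses[0]' -o tsv)
  is_ipv4 "$ip" || { echo "no private IP found for pe-$KV_NAME" >&2; return 1; }
  set -- $(kv_private_dns_target "$KV_NAME.vault.azure.net")
  az network private-dns record-set a add-record --subscription "$CENTRAL_SUB" -g "$CENTRAL_RG" \
    --zone-name "$1" --record-set-name "$2" --ipv4-address "$ip" -o none
  echo "$2.$1 -> $ip"
}

# Run the three steps only when explicitly requested (needs az login with rights
# in both subscriptions); sourcing the file otherwise just defines the functions.
if [ "${RUN_AZ_STEPS:-0}" = "1" ]; then
  create_private_endpoint && link_vnet_to_central_zone && add_a_record
fi
```

After step 3, a client in the dev VNet resolving kv-eu-dev-app.vault.azure.net follows the public CNAME to kv-eu-dev-app.privatelink.vaultcore.azure.net, which the linked central zone now answers with the endpoint's private IP; checking that resolution from a dev VM (for example with `nslookup`) confirms the record is in the right zone before any application depends on it.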