Azure Key Vault Private Endpoint to resolve to a newly created Private DNS Zone

Sathiya Maniam 5 Reputation points
2023-11-23T22:42:41.72+00:00

Hi Team,

I was trying to set up a new Private DNS Zone for the Azure Key Vault Private Endpoint, instead of utilizing the Azure-provided DNS zone (privatelink.vaultcore.azure.net).

This is what was created:

  • Newly created Private DNS Zone: jupiter.core.net
  • Created Azure Key Vault Private Endpoint: hellokv123
  • In the new Private DNS Zone, specified the A record to the Key Vault Private Endpoint IP Address
  • New Private FQDN name for the Azure Key Vault Private Endpoint: hellokv123.jupiter.core.net

Troubleshooting Steps:
Logged into the Virtual Machine and launched PowerShell to perform 'nslookup'.

  1. When I add the DNS configuration to associate with the newly created Private DNS Zone, this is how it was configured by Azure, NO FQDN & NO IP ADDRESS:
    Note: It is not like this when done with the Azure-provided DNS (FQDN & IP Address appear as normal).

[User's image]

  2. When I perform 'nslookup' of the Key Vault with the newly created private DNS FQDN, it resolves with no issue. Please refer to the screenshot.
    [Resolved to Private DNS]
  3. When I perform 'nslookup' of the Key Vault with the 'public DNS' FQDN, it does not resolve to the private DNS that was created. Please refer to the screenshot.

[Not resolved to Private DNS]

  4. Even then, I tried to access the Key Vault after logging in, and it prompted the below error:

[User's image]

From the above, I am thinking Azure is not registering the newly created Private DNS zone? If that's so, why? What's the benefit of creating a new private DNS zone when it is not able to be recognized by Azure?

When there's no issue resolving to the Azure-provided DNS "privatelink.vaultcore.azure.net", why is there an issue with a newly created Private DNS Zone, when by logic & rightfully it should work the same?

Private DNS Zone creation is up to the customer's choice of what DNS zone they would like to name & configure and assign the resources to. (The DNS Zone name can be any choice of the customer.) There isn't a necessity for an organization to use the Azure-provided DNS specifically for all the resources. And if that's the manner, then why is there an option to create 'A new private DNS Zone'?

Customers should not be pushed to create several DNS Servers, DNS Forwarders, DNS Rulesets or even have a Hybrid solution when they are unable to maximize the feature of a new Private DNS Zone feature in Azure Cloud to perform the necessary connectivity & resolution within the Cloud Platform.

Is there any way, with the same steps that are taken to set an A record for the Azure Key Vault Private Endpoint with the Azure-provided DNS, to be able to resolve automatically with the newly created Private DNS Zone?

  • When I perform nslookup "hellokv123.vault.azure.net" it resolves to "privatelink.vaultcore.azure.net"
    [User's image]
  • THE SAME should apply when I perform nslookup "hellokv123.vault.azure.net": it SHOULD resolve to hellokv123.jupiter.core.net (10.0.0.6) with the alias hellokv123.vault.azure.net

I would like a solution for the above I asked and not any other recommendations/solutions to configure any other additional components, just ONLY with the newly created Private DNS Zone being able to resolve within the Cloud Platform, which should have been pretty straightforward.

I appreciate your time & patience in reading my post.
Looking forward to your solution & advice.

Thanks
Sathiya
