Azure - Synapse

Ian Carrick (csu) 5 Reputation points
2025-05-07T18:36:13.05+00:00

The network design is a hub and spoke architecture.

There is a Synapse instance linked to a 'managed vnet'. Synapse needs to have two sets of 'managed private endpoints' linked to two separate storage accounts, each set containing PEPs for dfs, blob and queue.

The private-end-points for a 'sub resource type' (dfs, blob and queue) get added to the same private-dns-zone. After a while 'Azure Traffic Manager and DNS zone' deletes one set of PEPs from Synapse to one of the storage-accounts.

"Specifically, when multiple private endpoints for the same service are linked to a shared Private DNS Zone, Azure may automatically update or remove DNS records as part of its lifecycle management. This behavior can inadvertently lead to the deletion of associated private endpoints, especially if DNS integration settings are misaligned or if endpoints are reconfigured or removed.

Preventive Measures: To help prevent this from recurring, we recommend the following actions:

  1. Use Dedicated DNS Zones: Avoid linking multiple private endpoints for the same service to a single DNS zone. Instead, create isolated DNS zones per endpoint or sub-resource."

I am not clear on what "Instead, create isolated DNS zones per endpoint or sub-resource." means.

Can anyone help me understand?


  1. Shravan Addagatla 840 Reputation points Microsoft External Staff Moderator
    2025-05-07T20:11:41.1466667+00:00

    Hello @Ian Carrick (csu)

    I understand that you're looking for clarification on creating isolated DNS zones for private endpoints in your Azure Synapse setup.

    The recommendation to "create isolated DNS zones per endpoint or sub-resource" means that instead of using a single Private DNS Zone for multiple private endpoints of the same service, you should create separate Private DNS Zones for each endpoint or sub-resource.

    When multiple private endpoints for the same service share a single Private DNS Zone, Azure may automatically update or remove DNS records as part of its lifecycle management. This can lead to unintended deletions or misconfigurations, as you've observed.

    To prevent this, it's recommended to create separate DNS zones for each private endpoint. This involves:

    For each private endpoint (like dfs, blob, and queue), create a different Private DNS zone. This separation ensures that Azure’s management processes for one zone won't interfere with others, minimizing the chances of accidental deletions or misconfigurations.

    For example:

    • Create a DNS zone specifically for the dfs endpoint.
    • Create another DNS zone specifically for the blob endpoint.
    • And yet another for the queue endpoint.
    • privatelink.dfs.storageaccount1.net → Private DNS Zone for DFS of Storage Account 1
    • privatelink.blob.storageaccount1.net → Private DNS Zone for Blob of Storage Account 1
    • privatelink.queue.storageaccount1.net → Private DNS Zone for Queue of Storage Account 1

    By doing this, any changes made to the DNS records or endpoints of one service won't impact the others.

    I hope this clarifies things! If you have any additional questions or need further assistance, just add a comment below so that we can address your questions.


    Please click "Accept" on the answer if any answer/reply helped, so that others in the community facing similar issues can easily find the solution. This can be beneficial to other community members.
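A practical check for the layout discussed in the question and answer above, written as an added example (not code from the question, the answer, or Azure): it models which A record each storage private endpoint's DNS zone group will write, and flags two situations that lead to the symptom described, an endpoint attached to a zone that does not match its sub-resource, and two endpoints writing the same record in the same zone (when one endpoint's zone group is removed, the shared record goes with it). The zone names are the standard public-cloud Private DNS zones Azure assigns per storage sub-resource (privatelink.blob.core.windows.net, privatelink.dfs.core.windows.net, privatelink.queue.core.windows.net), one zone per sub-resource holding one record per storage account. The record naming convention (`<storage-account>.<zone>`) is stated as an assumption in the code, and the inventory, endpoint names and storage account names are constructed for the example.

```python
"""Audit the Private DNS records a set of storage private endpoints will
write, and flag endpoints that contend for the same record.

Added example, not from the thread. The inventory at the bottom is
constructed. Assumption: an endpoint's DNS zone group writes an A record
named <storage-account>.<zone> into the zone it is attached to.
"""

from collections import defaultdict
from dataclasses import dataclass

# Standard Private DNS zone names (public Azure cloud) per storage sub-resource.
ZONE_FOR_SUBRESOURCE = {
    "blob": "privatelink.blob.core.windows.net",
    "dfs": "privatelink.dfs.core.windows.net",
    "queue": "privatelink.queue.core.windows.net",
    "table": "privatelink.table.core.windows.net",
    "file": "privatelink.file.core.windows.net",
}


@dataclass(frozen=True)
class PrivateEndpoint:
    name: str
    storage_account: str
    subresource: str   # dfs | blob | queue | table | file
    dns_zone: str      # Private DNS zone the endpoint's DNS zone group targets


def expected_zone(subresource: str) -> str:
    """Zone a private endpoint for this sub-resource should register in."""
    return ZONE_FOR_SUBRESOURCE[subresource]


def record_fqdn(pe: PrivateEndpoint) -> str:
    """A record the endpoint's DNS zone group writes (assumed naming)."""
    return f"{pe.storage_account}.{pe.dns_zone}"


def audit(endpoints):
    """Return a list of findings; an empty list means the layout is clean."""
    findings = []
    writers = defaultdict(list)  # (zone, fqdn) -> endpoint names writing that record

    for pe in endpoints:
        if pe.subresource not in ZONE_FOR_SUBRESOURCE:
            findings.append(f"{pe.name}: unknown sub-resource '{pe.subresource}'")
            continue
        want = expected_zone(pe.subresource)
        if pe.dns_zone != want:
            findings.append(
                f"{pe.name}: {pe.subresource} endpoint attached to {pe.dns_zone}, "
                f"expected {want}"
            )
        writers[(pe.dns_zone, record_fqdn(pe))].append(pe.name)

    # Two endpoints writing one record: deleting either endpoint's zone group
    # removes the record the other still depends on.
    for (zone, fqdn), names in sorted(writers.items()):
        if len(names) > 1:
            findings.append(
                f"{zone}: record {fqdn} is written by {len(names)} endpoints "
                f"({', '.join(sorted(names))}); removing one endpoint's zone group "
                f"removes the record the others depend on"
            )
    return findings


# Constructed inventory: two storage accounts with dfs/blob/queue endpoints,
# plus two mistakes to exercise the checks.
INVENTORY = [
    PrivateEndpoint("pe-sa1-dfs", "storageaccount1", "dfs", ZONE_FOR_SUBRESOURCE["dfs"]),
    PrivateEndpoint("pe-sa1-blob", "storageaccount1", "blob", ZONE_FOR_SUBRESOURCE["blob"]),
    PrivateEndpoint("pe-sa1-queue", "storageaccount1", "queue", ZONE_FOR_SUBRESOURCE["queue"]),
    PrivateEndpoint("pe-sa2-dfs", "storageaccount2", "dfs", ZONE_FOR_SUBRESOURCE["dfs"]),
    PrivateEndpoint("pe-sa2-blob", "storageaccount2", "blob", ZONE_FOR_SUBRESOURCE["blob"]),
    # Mistake 1: a second blob endpoint to storageaccount1 registering in the same zone.
    PrivateEndpoint("pe-sa1-blob-dup", "storageaccount1", "blob", ZONE_FOR_SUBRESOURCE["blob"]),
    # Mistake 2: a queue endpoint attached to the blob zone; it lands on sa2's blob record.
    PrivateEndpoint("pe-sa2-queue", "storageaccount2", "queue", ZONE_FOR_SUBRESOURCE["blob"]),
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

Run it against an export of your real private endpoints (name, target storage account, sub-resource, and the zone its DNS zone group points at) instead of the constructed inventory; a clean run prints nothing. The first five constructed endpoints are the intended hub-and-spoke layout and produce no findings; the two added mistakes produce a wrong-zone finding and two shared-record findings.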

