Storage Failover DNS mapping using Azure policy

Question

Storage Failover DNS mapping using Azure policy

Suraj Singh Thakur 21

Need a plan for storage failover scenario, how to update the secondary private endpoint in private DNS zone using azure policy?

Please suggest some work around in terms of automating the update of DNS mapping in storage failover.

We are following this doc https://learn.microsoft.com/en-us/azure/storage/common/storage-failover-private-endpoints but this doesn't tell us about the where azure policy is handling the DNS mapping.

Naveena Patlolla 3,605 Reputation points Microsoft External Staff Moderator

2025-06-04T11:13:02.29+00:00

Hi Suraj Singh Thakur

Just checking in to see if the below answer provided by @Marcin Policht helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
Naveena Patlolla 3,605 Reputation points Microsoft External Staff Moderator

2025-06-05T11:19:26.7933333+00:00

Hi Suraj Singh Thakur

Just checking in to see if the below answer provided by @Marcin Policht helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know

1 answer

Your answer

Naveena Patlolla 3,605 Reputation points Microsoft External Staff Moderator

2025-06-04T11:13:02.29+00:00

Hi Suraj Singh Thakur

Just checking in to see if the below answer provided by @Marcin Policht helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
Naveena Patlolla 3,605 Reputation points Microsoft External Staff Moderator

2025-06-05T11:19:26.7933333+00:00

Hi Suraj Singh Thakur

Just checking in to see if the below answer provided by @Marcin Policht helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know

Answer 1

The Microsoft documentation explains what happens during failover but not how to automate DNS updates using Azure Policy, because Azure Policy is not designed to perform resource updates or runtime automation tasks like DNS record changes. Azure Policy is a compliance and governance tool, not an automation tool. It evaluates resources at creation or modification time, not during failover. Policies can, for example, audit if a private DNS zone exists or has a required A record, deny deployment if criteria are not met, but not update or change DNS records when failover happens.

To handle automatic DNS updates after a failover event, consider this automation plan using Azure-native tools:

Detect failover

Use Azure Resource Graph, Azure Monitor alert, or log-based queries to detect a failover. This could be:

Blob Storage serviceStats or health metrics.
Event Grid (if you have a health probe monitoring solution).
Or use Get-AzStorageAccountFailoverReplicationPolicyStatus periodically.

Trigger Automation runbook or Logic App

When failover is detected trigger an Azure Automation Runbook, Logic App, or Function App.

Update the DNS mapping

In the runbook or function:

Use PowerShell or Azure CLI to:
- Get the new private IP of the secondary endpoint.
- Update the A record in the private DNS zone.

# Example PowerShell snippet
$dnsZone = "privatelink.blob.core.windows.net"
$recordName = "<storageaccountname>"
$resourceGroup = "<dns-zone-resource-group>"

# Get private endpoint IP
$privateEndpoint = Get-AzPrivateEndpoint -Name "<secondary-endpoint-name>" -ResourceGroupName "<resource-group>"
$ip = $privateEndpoint.CustomDnsConfigs[0].IpAddresses[0]

# Update A record
Remove-AzPrivateDnsRecordSet -Name $recordName -ZoneName $dnsZone -ResourceGroupName $resourceGroup -Force
New-AzPrivateDnsRecordSet -Name $recordName -ZoneName $dnsZone -ResourceGroupName $resourceGroup -RecordType A -Ttl 3600 -DnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $ip)

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Suraj Singh Thakur 21 Reputation points

2025-06-04T14:31:58.9833333+00:00

@Marcin Policht Thanks for the response, So the problem we have is the, when we create the secondary private endpoint for the same storage account. The azure policy enforces the mapping secondary private endpoint ip in privatelink.blob.core.windows.net. which override the primary endpoint ip before the failover happened.

Is there any we can give exception in the Azure policy so such scenario?
Marcin Policht 49,715 Reputation points MVP Volunteer Moderator

2025-06-04T15:01:14.8666667+00:00

Here are a few options to consider:

Option 1: Use resource tags to exclude secondary endpoints

Modify the Azure Policy definition to include a condition that excludes resources with a specific tag, e.g., purpose=secondary.

Tag your secondary private endpoints as:

"tags": { "purpose": "secondary" }

Add a condition in the policy rule:

"if": { "allOf": [ { "field": "type", "equals": "Microsoft.Network/privateEndpoints" }, { "not": { "field": "tags.purpose", "equals": "secondary" } } ] }

Option 2: Use excludedScopes in assignment

If the secondary endpoints live in a dedicated resource group, or even better, a naming pattern, you can scope the assignment to exclude those resources. In your policy assignment, add:

"excludedScopes": [ "/subscriptions/<sub-id>/resourceGroups/rg-storage-secondary" ]

Or if you use naming:

"field": "name", "notLike": "*-secondary"

Option 3: Custom Policy logic based on Storage Account failover priority

If you're deploying the private endpoints through Bicep/ARM templates or Terraform, you can add metadata (e.g., custom tags or naming patterns) that your policy can use to:

Allow only 1 active DNS A record per storage account.

Defer enforcement on resources marked with failoverReady=true.

This requires more custom policy logic, but is more flexible.

Option 4: Disable auto DNS integration for Secondary Endpoint

When creating the secondary private endpoint:

Set "Integrate with private DNS zone" = No during creation.

Then use automation to inject the A record only upon actual failover.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Share via

Storage Failover DNS mapping using Azure policy

1 answer

Your answer