Cannot link Azure created private DNS zone with a custom created private DNS Zone

Khushaboo Shandilya 1 Reputation point
2021-05-13T08:16:48.267+00:00

Scenario:

We have a storage account - teststorageaccount.
We created a Virtual Network with a subnet (pvtsubnet)
Then we created a Private Endpoint for the storage account using Private Endpoint tab under Networking section.
We specified below:

  1. resource group
  2. component of storage account - blob
  3. private endpoint name
  4. virtual network/subnet
  5. private DNS Zone was automatically created (format - privatelink.blob.core.windows.net) within the current resource group (the existing custom created private DNS zone was not visible under the drop down) (FQDN - <storageaccount>.privatelink.blob.core.windows.net)

Thing is, we already have a private DNS zone - pvt.dns.zone which we wanted to use with the storage account private endpoint.

To accomplish this, we tried to create a "A" record in pvt.dns.zone with name as - <storageaccount>.privatelink.blob.core.windows.net, IP - (IP from the vnet range which was used whilst creating private endpoint for the storage account)

Although the "A" record creation is successful,
nslookup <storageaccount>.privatelink.blob.core.windows.net.pvt.dns.zone
errors out - Non-existent domain

Please suggest how we can implement the requirement below, and also whether this implementation is even valid?

Use an existing private DNS zone for a private endpoint created for an Azure storage account.
To accomplish this requirement


1 answer

  1. Silvia Wibowo 5,886 Reputation points Microsoft Employee Volunteer Moderator
    2025-06-02T20:09:37.8666667+00:00

    Hi @Khushaboo Shandilya , I understand you are trying to use a custom Private DNS zone for your blob storage's private endpoint. When you create a private endpoint for your blob storage:

    • If there is an existing Private DNS Zone with the name "privatelink.blob.core.windows.net" and it's linked to the virtual network where you created the private endpoint, Azure will create a new entry in that existing Private DNS Zone.
    • Otherwise, Azure will create a new Private DNS Zone with the name "privatelink.blob.core.windows.net" including the DNS record for your private endpoint.
    • Additionally, Azure adds a CNAME for Public DNS Zone: mapping mystorageaccount.blob.core.windows.net. to mystorageaccount.privatelink.blob.core.net. This means when you try to resolve your storage account public DNS name, it is translated to its privatelink FQDN. Then Private DNS Zone translates the privatelink FQDN to your private endpoint IP Address.

    Since you're using an existing Private DNS Zone that has a different domain name (pvt.dns.zone instead of privatelink.blob.core.windows.net), it is not recognized as a valid existing Private DNS Zone. Therefore, Azure created a new Private DNS Zone.

    You cannot use a custom domain to replace your private endpoint's Private DNS Zone. You need to use the zone name listed in this table for Azure services: Azure Private Endpoint private DNS zone names.

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

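The resolution chain the answer describes, as an added example that is not part of the original thread: a small model of an Azure-provided resolver with linked Private DNS zones, showing why an A record placed in pvt.dns.zone never answers the privatelink query while a zone named privatelink.blob.core.windows.net does. The account name, IP addresses and zone contents are constructed sample data; the model assumes a name inside a linked zone is answered only from that zone (no public fallback).

```python
# Added example (not from the original post): model of how a client in a VNet
# resolves a storage account name when Azure Private DNS zones are linked.
# Account name, IPs and zone contents are constructed sample data.

ACCOUNT = "teststorageaccount"
PRIVATELINK_FQDN = f"{ACCOUNT}.privatelink.blob.core.windows.net"

# Public DNS as Azure publishes it once a private endpoint exists: the public
# name is a CNAME to the privatelink name, which publicly resolves to a public IP.
PUBLIC_DNS = {
    f"{ACCOUNT}.blob.core.windows.net": ("CNAME", PRIVATELINK_FQDN),
    PRIVATELINK_FQDN: ("A", "20.60.0.10"),  # constructed public IP
}

def zone_for(name, private_zones):
    """Longest linked private zone that is a suffix of name, or None."""
    for zone in sorted(private_zones, key=len, reverse=True):
        if name == zone or name.endswith("." + zone):
            return zone
    return None

def resolve(name, private_zones, depth=0):
    """Return (ip, source). private_zones maps zone -> {relative record: (type, value)}.
    A name inside a linked zone is answered only from that zone; others go public."""
    if depth > 8:
        raise RuntimeError("CNAME loop")
    name = name.rstrip(".").lower()
    zone = zone_for(name, private_zones)
    if zone is not None:
        relative = "@" if name == zone else name[: -len(zone) - 1]
        rec = private_zones[zone].get(relative)
        if rec is None:
            return (None, f"NXDOMAIN from linked zone {zone}")
        source = f"private zone {zone}"
    else:
        rec = PUBLIC_DNS.get(name)
        if rec is None:
            return (None, "NXDOMAIN from public DNS")
        source = "public DNS"
    rtype, value = rec
    if rtype == "CNAME":
        return resolve(value, private_zones, depth + 1)
    return (value, source)

# Poster's setup: the record's real name becomes
# <account>.privatelink.blob.core.windows.net.pvt.dns.zone, so it is never consulted.
WRONG_ZONE = {"pvt.dns.zone": {PRIVATELINK_FQDN: ("A", "10.0.1.4")}}
# Supported setup: the zone name matches the privatelink suffix.
RIGHT_ZONE = {"privatelink.blob.core.windows.net": {ACCOUNT: ("A", "10.0.1.4")}}
```

With the misnamed zone the client ends up at the public IP, so traffic bypasses the private endpoint; checking which source answered is a quick way to catch that misconfiguration.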
