Azure Private Endpoint private DNS zone values
It's important to correctly configure your DNS settings to resolve the private endpoint IP address to the fully qualified domain name (FQDN) of the connection string.
Existing Azure services might already have a DNS configuration for a public endpoint. This configuration must be overridden to connect using your private endpoint.
The network interface associated with the private endpoint contains the information to configure your DNS. The network interface information includes FQDN and private IP addresses for your private link resource.
You can use the following options to configure your DNS settings for private endpoints:
Use the host file (only recommended for testing). You can use the host file on a virtual machine to override the DNS.
Use a private DNS zone. You can use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve specific domains.
Use Azure Private Resolver (optional). You can use Azure Private Resolver to override the DNS resolution for a private link resource. For more information about Azure Private Resolver, see What is Azure Private Resolver?.
Caution
It's not recommended to override a zone that's actively in use to resolve public endpoints. Connections to resources won't be able to resolve correctly without DNS forwarding to the public DNS. To avoid issues, create a different domain name or follow the suggested name for each service listed later in this article.
Existing Private DNS Zones linked to a single Azure service should not be associated with two different Azure service Private Endpoints. This will cause a deletion of the initial A-record and result in resolution issue when attempting to access that service from each respective Private Endpoint. Create a DNS zone for each Private Endpoint of like services. Don't place records for multiple services in the same DNS zone.
Azure services DNS zone configuration
Azure creates a canonical name DNS record (CNAME) on the public DNS. The CNAME record redirects the resolution to the private domain name. You can override the resolution with the private IP address of your private endpoints.
Connection URLs for your existing applications don't change. Client DNS requests to a public DNS server resolve to your private endpoints. The process doesn't affect your existing applications.
Important
Azure File Shares must be remounted if connected to the public endpoint.
Caution
Private networks already using the private DNS zone for a given type, can only connect to public resources if they don't have any private endpoint connections, otherwise a corresponding DNS configuration is required on the private DNS zone in order to complete the DNS resolution sequence. The corresponding DNS configuration is a manually entered A-record that points to the public IP address of the resource. This procedure isn't recommended as the IP address of the A record won't be automatically updated if the corresponding public IP address changes.
Private endpoint private DNS zone configurations will only automatically generate if you use the recommended naming scheme in the following tables.
For Azure services, use the recommended zone names as described in the following tables:
China
AI + Machine Learning
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure Machine Learning (Microsoft.MachineLearningServices/workspaces) | amlworkspace | privatelink.api.ml.azure.cn privatelink.notebooks.chinacloudapi.cn |
api.ml.azure.cn notebooks.chinacloudapi.cn instances.azureml.cn aznbcontent.net inference.ml.azure.cn |
Analytics
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure Data Factory (Microsoft.DataFactory/factories) | dataFactory | privatelink.datafactory.azure.cn | datafactory.azure.cn |
| Azure Data Factory (Microsoft.DataFactory/factories) | portal | privatelink.adf.azure.cn | adf.azure.cn |
| Azure HDInsight (Microsoft.HDInsight) | N/A | privatelink.azurehdinsight.cn | azurehdinsight.cn |
| Azure Data Explorer (Microsoft.Kusto/Clusters) | cluster | privatelink.{regionName}.kusto.windows.cn | {regionName}.kusto.windows.cn |
Compute
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure Batch (Microsoft.Batch/batchAccounts) | batchAccount | privatelink.batch.chinacloudapi.cn | {region}.batch.chinacloudapi.cn |
| Azure Batch (Microsoft.Batch/batchAccounts) | nodeManagement | privatelink.batch.chinacloudapi.cn | {region}.service.batch.chinacloudapi.cn |
| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces) | global | privatelink-global.wvd.azure.cn | wvd.azure.cn |
| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces and Microsoft.DesktopVirtualization/hostpools) | feed connection |
privatelink.wvd.azure.cn | wvd.azure.cn |
Containers
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|
Databases
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure SQL Database (Microsoft.Sql/servers) | sqlServer | privatelink.database.chinacloudapi.cn | database.chinacloudapi.cn |
| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Sql | privatelink.documents.azure.cn | documents.azure.cn |
| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | MongoDB | privatelink.mongo.cosmos.azure.cn | mongo.cosmos.azure.cn |
| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Cassandra | privatelink.cassandra.cosmos.azure.cn | cassandra.cosmos.azure.cn |
| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Gremlin | privatelink.gremlin.cosmos.azure.cn | gremlin.cosmos.azure.cn |
| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Table | privatelink.table.cosmos.azure.cn | table.cosmos.azure.cn |
| Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) | postgresqlServer | privatelink.postgres.database.chinacloudapi.cn | postgres.database.chinacloudapi.cn |
| Azure Database for PostgreSQL - Flexible server (Microsoft.DBforPostgreSQL/flexibleServers) | postgresqlServer | privatelink.postgres.database.chinacloudapi.cn | postgres.database.chinacloudapi.cn |
| Azure Database for MySQL - Single Server (Microsoft.DBforMySQL/servers) | mysqlServer | privatelink.mysql.database.chinacloudapi.cn | mysql.database.chinacloudapi.cn |
| Azure Database for MySQL - Flexible Server (Microsoft.DBforMySQL/flexibleServers) | mysqlServer | privatelink.mysql.database.chinacloudapi.cn | mysql.database.chinacloudapi.cn |
| Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) | mariadbServer | privatelink.mariadb.database.chinacloudapi.cn | mariadb.database.chinacloudapi.cn |
| Azure Cache for Redis (Microsoft.Cache/Redis) | redisCache | privatelink.redis.cache.chinacloudapi.cn | redis.cache.chinacloudapi.cn |
Hybrid + multicloud
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|
Integration
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure Service Bus (Microsoft.ServiceBus/namespaces) | namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |
Internet of Things (IoT)
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure IoT Hub (Microsoft.Devices/IotHubs) | iotHub | privatelink.azure-devices.cn privatelink.servicebus.chinacloudapi.cn 1 |
azure-devices.cn servicebus.chinacloudapi.cn |
| Azure IoT Hub Device Provisioning Service (Microsoft.Devices/ProvisioningServices) | iotDps | privatelink.azure-devices-provisioning.cn | azure-devices-provisioning.cn |
Media
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|
Management and Governance
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure Automation / (Microsoft.Automation/automationAccounts) | Webhook DSCAndHybridWorker |
privatelink.azure-automation.cn | azure-automation.cn |
Security
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure Key Vault (Microsoft.KeyVault/vaults) | vault | privatelink.vaultcore.azure.cn | vaultcore.azure.cn |
Storage
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Storage account (Microsoft.Storage/storageAccounts) | blob blob_secondary |
privatelink.blob.core.chinacloudapi.cn | blob.core.chinacloudapi.cn |
| Storage account (Microsoft.Storage/storageAccounts) | table table_secondary |
privatelink.table.core.chinacloudapi.cn | table.core.chinacloudapi.cn |
| Storage account (Microsoft.Storage/storageAccounts) | queue queue_secondary |
privatelink.queue.core.chinacloudapi.cn | queue.core.chinacloudapi.cn |
| Storage account (Microsoft.Storage/storageAccounts) | file file_secondary |
privatelink.file.core.chinacloudapi.cn | file.core.chinacloudapi.cn |
| Storage account (Microsoft.Storage/storageAccounts) | web web_secondary |
privatelink.web.core.chinacloudapi.cn | web.core.chinacloudapi.cn |
| Azure Data Lake File System Gen2 (Microsoft.Storage/storageAccounts) | dfs dfs_secondary |
privatelink.dfs.core.chinacloudapi.cn | dfs.core.chinacloudapi.cn |
| Azure File Sync (Microsoft.StorageSync/storageSyncServices) | afs | privatelink.afs.azure.cn | afs.azure.cn |
Web
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure Event Hubs (Microsoft.EventHub/namespaces) | namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |
| Azure Relay (Microsoft.Relay/namespaces) | namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |
| Azure Web Apps (Microsoft.Web/sites) | sites | privatelink.chinacloudsites.cn | chinacloudsites.cn |
| SignalR (Microsoft.SignalRService/SignalR) | signalR | privatelink.signalr.azure.cn | service.signalr.azure.cn |
1To use with IoT Hub's built-in Event Hub compatible endpoint. To learn more, see private link support for IoT Hub's built-in endpoint
Next step
To learn more about DNS integration and scenarios for Azure Private Link, continue to the following article: