Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
It's important to correctly configure your DNS settings to resolve the private endpoint IP address to the fully qualified domain name (FQDN) of the connection string.
Existing Azure services might already have a DNS configuration for a public endpoint. This configuration must be overridden to connect using your private endpoint.
The network interface associated with the private endpoint contains the information to configure your DNS. The network interface information includes FQDN and private IP addresses for your private link resource.
You can use the following options to configure your DNS settings for private endpoints:
Use the host file (only recommended for testing). You can use the host file on a virtual machine to override the DNS.
Use a private DNS zone. You can use Private DNS Zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve specific domains.
Use Azure Private Resolver (optional). You can use Azure Private Resolver to override the DNS resolution for a private link resource. For more information about Azure Private Resolver, see What is Azure Private Resolver?.
Caution
It's not recommended to override a zone that's actively in use to resolve public endpoints. Connections to resources won't be able to resolve correctly without DNS forwarding to the public DNS. To avoid issues, create a different domain name or follow the suggested name for each service listed later in this article.
Existing Private DNS Zones linked to a single Azure service should not be associated with two different Azure service Private Endpoints. This will cause a deletion of the initial A-record and result in resolution issue when attempting to access that service from each respective Private Endpoint. Create a DNS zone for each Private Endpoint of like services. Don't place records for multiple services in the same DNS zone.
Azure services DNS zone configuration
Azure creates a canonical name DNS record (CNAME) on the public DNS. The CNAME record redirects the resolution to the private domain name. You can override the resolution with the private IP address of your private endpoints.
Connection URLs for your existing applications don't change. Client DNS requests to a public DNS server resolve to your private endpoints. The process doesn't affect your existing applications.
Important
Azure File Shares must be remounted if connected to the public endpoint.
Caution
- Private networks using a Private DNS Zone for any given resource type (for example, privatelink.blob.core.chinacloudapi.cn/Storage Account) can only resolve DNS Queries to public resources/Public IPs if those public resources don't have any existing Private Endpoint Connections. If this applies, an additional DNS configuration is required on the Private DNS Zone to complete the DNS resolution sequence. Otherwise, the Private DNS Zone will respond to the DNS query with a NXDOMAIN as no matching DNS record would be found in the Private DNS Zone.
- Fallback to Internet for Private DNS Zone Virtual Network Links can be implemented for proper DNS Resolution for the Public IP of the public resource. This allows DNS queries that reach Private DNS Zones to be forwarded to Azure DNS for public resolution.
- Alternatively, a manually entered A-record in the Private DNS Zone that contains the Public IP of the public resource would allow for proper DNS resolution. This procedure isn't recommended as the Public IP of the A record in the Private DNS Zone won't be automatically updated if the corresponding public IP address changes for the public resource.
- Private endpoint private DNS zone configurations will only automatically generate if you use the recommended naming scheme in the following tables.
For Azure services, use the recommended zone names as described in the following tables:
China
AI + Machine Learning
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure Machine Learning (Microsoft.MachineLearningServices/workspaces) | amlworkspace | privatelink.api.ml.azure.cn privatelink.notebooks.chinacloudapi.cn |
api.ml.azure.cn notebooks.chinacloudapi.cn instances.azureml.cn aznbcontent.net inference.ml.azure.cn |
Analytics
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure Data Factory (Microsoft.DataFactory/factories) | dataFactory | privatelink.datafactory.azure.cn | datafactory.azure.cn |
| Azure Data Factory (Microsoft.DataFactory/factories) | portal | privatelink.adf.azure.cn | adf.azure.cn |
| Azure HDInsight (Microsoft.HDInsight) | gateway headnode |
privatelink.azurehdinsight.cn | azurehdinsight.cn |
| Azure Data Explorer (Microsoft.Kusto/Clusters) | cluster | privatelink.{regionName}.kusto.windows.cn | {regionName}.kusto.windows.cn |
Compute
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure Batch (Microsoft.Batch/batchAccounts) | batchAccount | privatelink.batch.chinacloudapi.cn | {region}.batch.chinacloudapi.cn |
| Azure Batch (Microsoft.Batch/batchAccounts) | nodeManagement | privatelink.batch.chinacloudapi.cn | {region}.service.batch.chinacloudapi.cn |
| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces) | global | privatelink-global.wvd.azure.cn | wvd.azure.cn |
| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces and Microsoft.DesktopVirtualization/hostpools) | feed connection |
privatelink.wvd.azure.cn | wvd.azure.cn |
Containers
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|
Databases
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure SQL Database (Microsoft.Sql/servers) | sqlServer | privatelink.database.chinacloudapi.cn | database.chinacloudapi.cn |
| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Sql | privatelink.documents.azure.cn | documents.azure.cn |
| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | MongoDB | privatelink.mongo.cosmos.azure.cn | mongo.cosmos.azure.cn |
| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Cassandra | privatelink.cassandra.cosmos.azure.cn | cassandra.cosmos.azure.cn |
| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Gremlin | privatelink.gremlin.cosmos.azure.cn | gremlin.cosmos.azure.cn |
| Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Table | privatelink.table.cosmos.azure.cn | table.cosmos.azure.cn |
| Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) | postgresqlServer | privatelink.postgres.database.chinacloudapi.cn | postgres.database.chinacloudapi.cn |
| Azure Database for PostgreSQL - Flexible server (Microsoft.DBforPostgreSQL/flexibleServers) | postgresqlServer | privatelink.postgres.database.chinacloudapi.cn | postgres.database.chinacloudapi.cn |
| Azure Database for MySQL - Single Server (Microsoft.DBforMySQL/servers) | mysqlServer | privatelink.mysql.database.chinacloudapi.cn | mysql.database.chinacloudapi.cn |
| Azure Database for MySQL - Flexible Server (Microsoft.DBforMySQL/flexibleServers) | mysqlServer | privatelink.mysql.database.chinacloudapi.cn | mysql.database.chinacloudapi.cn |
| Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) | mariadbServer | privatelink.mariadb.database.chinacloudapi.cn | mariadb.database.chinacloudapi.cn |
| Azure Cache for Redis (Microsoft.Cache/Redis) | redisCache | privatelink.redis.cache.chinacloudapi.cn | redis.cache.chinacloudapi.cn |
Hybrid + multicloud
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|
Integration
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure Service Bus (Microsoft.ServiceBus/namespaces) | namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |
Internet of Things (IoT)
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure IoT Hub (Microsoft.Devices/IotHubs) | iotHub | privatelink.azure-devices.cn privatelink.servicebus.chinacloudapi.cn 1 |
azure-devices.cn servicebus.chinacloudapi.cn |
| Azure IoT Hub Device Provisioning Service (Microsoft.Devices/ProvisioningServices) | iotDps | privatelink.azure-devices-provisioning.cn | azure-devices-provisioning.cn |
Media
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|
Management and Governance
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure Automation / (Microsoft.Automation/automationAccounts) | Webhook DSCAndHybridWorker |
privatelink.azure-automation.cn | azure-automation.cn |
Security
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure Key Vault (Microsoft.KeyVault/vaults) | vault | privatelink.vaultcore.azure.cn | vaultcore.azure.cn |
Storage
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Storage account (Microsoft.Storage/storageAccounts) | blob blob_secondary |
privatelink.blob.core.chinacloudapi.cn | blob.core.chinacloudapi.cn |
| Storage account (Microsoft.Storage/storageAccounts) | table table_secondary |
privatelink.table.core.chinacloudapi.cn | table.core.chinacloudapi.cn |
| Storage account (Microsoft.Storage/storageAccounts) | queue queue_secondary |
privatelink.queue.core.chinacloudapi.cn | queue.core.chinacloudapi.cn |
| Storage account (Microsoft.Storage/storageAccounts) | file file_secondary |
privatelink.file.core.chinacloudapi.cn | file.core.chinacloudapi.cn |
| Storage account (Microsoft.Storage/storageAccounts) | web web_secondary |
privatelink.web.core.chinacloudapi.cn | web.core.chinacloudapi.cn |
| Azure Data Lake File System Gen2 (Microsoft.Storage/storageAccounts) | dfs dfs_secondary |
privatelink.dfs.core.chinacloudapi.cn | dfs.core.chinacloudapi.cn |
| Azure File Sync (Microsoft.StorageSync/storageSyncServices) | afs | privatelink.afs.azure.cn | afs.azure.cn |
Web
| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
|---|---|---|---|
| Azure Event Hubs (Microsoft.EventHub/namespaces) | namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |
| Azure Relay (Microsoft.Relay/namespaces) | namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |
| Azure Web Apps (Microsoft.Web/sites) | sites | privatelink.chinacloudsites.cn | chinacloudsites.cn |
| SignalR (Microsoft.SignalRService/SignalR) | signalR | privatelink.signalr.azure.cn | service.signalr.azure.cn |
1To use with IoT Hub's built-in Event Hub compatible endpoint. To learn more, see private link support for IoT Hub's built-in endpoint
Next step
To learn more about DNS integration and scenarios for Azure Private Link, continue to the following article: