Clarity on multiple private endpoint creation for a service

Sandeep G-MSFT 20,721 Reputation points Microsoft Employee
2025-02-11T04:09:36.3433333+00:00

We use the private DNS at scale concept, which creates DNS records in a centrally managed place (private DNS zones). If I create a private DNS entry for storage account "abc", the policy will add a DNS record (e.g. to the privatelink.blob.core.windows.net zone). So far so good.

If I add another private endpoint entry to the same storage account choosing the previous private DNS zone, it overwrites the DNS record with the IP of the second private endpoint resource. If I delete the second private DNS resource, it deletes the record, and then the storage account is not reachable over the DNS entry left.


Accepted answer
  1. UJTyagi-MSFT 690 Reputation points Microsoft Employee
    2025-02-11T04:16:52.1733333+00:00

    Hi Sandeep,

    Kindly find the response to your query below -

    • Existing Private DNS Zones linked to a single Azure service should not be associated with two different Azure service Private Endpoints. This will cause a deletion of the initial A-record and result in a resolution issue when attempting to access that service from each respective Private Endpoint. Create a DNS zone for each Private Endpoint of like services. Don't place records for multiple services in the same DNS zone.
    • This is a known behavior listed on the below page – https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns
    • I tried to replicate this behavior in the lab environment and below are the observations.
    • Kindly notice that when you create the new private endpoint for the same storage blob account you are clearly notified that Existing Private DNS Zones tied to a single service should not be associated with two different Private Endpoints, as it will not be possible to properly resolve two different A-Records that point to the same service. However, Private DNS Zones tied to multiple services would not face this resolution constraint.

    • In spite of that, if you proceed with the creation, the DNS record gets modified with the new private endpoint IP address.
     
    dig abcstorage123.blob.core.windows.net
    <<<On just one-endpoint with ip 10.0.0.6 >>>>>
    <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> abcstorage123.blob.core.windows.net
    ;; QUESTION SECTION:
    ;abcstorage123.blob.core.windows.net. IN A
    ;; ANSWER SECTION:
    abcstorage123.blob.core.windows.net. 60 IN CNAME abcstorage123.privatelink.blob.core.windows.net.
    abcstorage123.privatelink.blob.core.windows.net. 10 IN A 10.0.0.6
    
    <<<After adding second endpoint with ip 10.0.0.8 >>>>>
    
    ; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> abcstorage123.blob.core.windows.net
    ;; QUESTION SECTION:
    ;abcstorage123.blob.core.windows.net. IN A
    ;; ANSWER SECTION:
    abcstorage123.blob.core.windows.net. 60 IN CNAME abcstorage123.privatelink.blob.core.windows.net.
    abcstorage123.privatelink.blob.core.windows.net. 10 IN A 10.0.0.8
    
    • However, on removing the second endpoint the DNS record itself is removed and the previous one is not restored; this is recorded behavior.
    <<<<On removing the second endpoint DNS resolution fails>>>
    dig abcstorage123.blob.core.windows.net
    ; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> abcstorage123.blob.core.windows.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8816
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 65494
    ;; QUESTION SECTION:
    ;abcstorage123.blob.core.windows.net. IN A
    ;; ANSWER SECTION:
    abcstorage123.blob.core.windows.net. 60 IN CNAME abcstorage123.privatelink.blob.core.windows.net.
    ;; AUTHORITY SECTION:
    privatelink.blob.core.windows.net. 10 IN SOA    azureprivatedns.net. azureprivatedns-host.microsoft.com. 1 3600 300 2419200 10
    

    Hence the behavior is along expected lines.


    If the below answer addressed your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

    Thanks,

    Ujjawal Tyagi
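As an added example (not code from the thread, from Microsoft, or from the Azure CLI), the script below replays the record lifecycle observed above (a second endpoint overwrites the A record, deleting it removes the record outright) and flags private endpoints whose A records would land on the same name inside the same private DNS zone resource. The inventory, resource ids and field names are constructed assumptions, not any Azure API shape.

```python
"""Replay the private DNS zone group behaviour from the thread and flag
private endpoints that would claim the same A record in the same zone."""
from collections import defaultdict

# Constructed inventory (hypothetical names, ids and IPs). "zone" is the zone
# *resource* as <resource group>/<zone name>: the same zone name can exist as
# separate zones in different resource groups, and only records written into
# the same zone resource collide with each other.
ENDPOINTS = [
    {"name": "pe-abc-1", "ip": "10.0.0.6",
     "target": "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/abcstorage123",
     "zone": "rg-dns-hub/privatelink.blob.core.windows.net"},
    {"name": "pe-abc-2", "ip": "10.0.0.8",
     "target": "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/abcstorage123",
     "zone": "rg-dns-hub/privatelink.blob.core.windows.net"},
    {"name": "pe-xyz-1", "ip": "10.0.0.9",
     "target": "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/xyzstorage456",
     "zone": "rg-dns-hub/privatelink.blob.core.windows.net"},
    # Same account, but a dedicated zone resource: the mitigation from the answer.
    {"name": "pe-abc-3", "ip": "10.1.0.4",
     "target": "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/abcstorage123",
     "zone": "rg-dns-spoke2/privatelink.blob.core.windows.net"},
]


def record_key(pe):
    """(zone resource, fqdn) of the A record the zone group writes for this endpoint."""
    target_name = pe["target"].rsplit("/", 1)[-1]
    zone_name = pe["zone"].rsplit("/", 1)[-1]
    return (pe["zone"], f"{target_name}.{zone_name}")


def find_collisions(endpoints):
    """Return {record_key: [endpoint names]} for records claimed by more than one endpoint."""
    owners = defaultdict(list)
    for pe in endpoints:
        owners[record_key(pe)].append(pe["name"])
    return {key: names for key, names in owners.items() if len(names) > 1}


def replay(events):
    """Apply the observed behaviour: create overwrites the record with the new IP,
    delete removes the record whoever wrote it. Returns the final {record_key: ip} map."""
    zone = {}
    for action, pe in events:
        key = record_key(pe)
        if action == "create":
            zone[key] = pe["ip"]
        elif action == "delete":
            zone.pop(key, None)
    return zone


if __name__ == "__main__":
    print("collisions:", find_collisions(ENDPOINTS))
    pe1, pe2 = ENDPOINTS[0], ENDPOINTS[1]
    print("after second create:", replay([("create", pe1), ("create", pe2)]))
    print("after deleting second:", replay([("create", pe1), ("create", pe2), ("delete", pe2)]))
```

Running the collision check against a real inventory before deleting any endpoint is the point: an empty result means no endpoint's removal can silently take another endpoint's record with it.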
