How to define private dns zoneid referencing to another subscription / resource group in bicep template?

Question

I have problem defining private dns zonegroup resource in my bicep module. Deployment fails with the error indicating that resourceid for the private dns zone existing in another subscription / resource group than current deployment scope is invalid.

What could be the problem? My bicep template / module is shown below:

param privateEndpointResourceName  string
param privateDnsZoneName           string
param privateDnsZoneSubscriptionId string
param privateDnsZoneResourceGroup  string
param privateDnsZoneGroupName      string


resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' existing = {
  name:  privateEndpointResourceName
}

resource privateDnsZone 'Microsoft.Network/privateDnsZones@2024-06-01' existing = {
  name: privateDnsZoneName
  scope: resourceGroup(privateDnsZoneSubscriptionId, privateDnsZoneResourceGroup)
}


resource privateEndpointResourceDnsZoneRecord 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2024-05-01' = {
  parent: pe
  name: privateDnsZoneGroupName
  properties: {
    privateDnsZoneConfigs: [
      {
        name: privateDnsZoneGroupName
        properties: {
          privateDnsZoneId: privateDnsZone.id
          
        }
      }
    ]
  }
}

Answer 1

Hi @ Asko Kauppinen

Since you've already found the fix for your requirement, I'm posting the solution for the community's benefit.

The issue you are facing is due to a typo caused by Bicep's string interpolation behavior.

privateDnsZoneName: 'privatelink.${environment().suffixes.sqlServerHostname}'

To resolve the issue, remove the dot (.) inside the interpolation brackets. Bicep interprets it as property access rather than a string. Instead, access sqlServerHostname within suffixes using the environment() function. For more details, refer to Deployment functions for Bicep.

privateDnsZoneName: 'privatelink${environment().suffixes.sqlServerHostname}'

Here is the updated code with the correct format for privateDnsZoneName

    module sub_pe_dns_record './networking/module_privatednszone_record.bicep' = if (deployPepSql) {

      name: 'deployPeZoneDnsRecord'

      params: {

        privateDnsZoneName: 'privatelink${environment().suffixes.sqlServerHostname}'

        privateEndpointResourceName:  sub_pe_azure_sql.outputs.privateEndpointName

        privateDnsZoneSubscriptionId: networkingSubsId

        privateDnsZoneResourceGroup:  networkingRG

        privateDnsZoneGroupName:      'default'

        privateDnsZoneGroupConfigName: 'privatelink_database_windows_net'

      }

    }

Reference: Scope to subscription in bicep

I really appreciate your feedback. It’s valuable to us. Please click Accept Answer on this post to assist other community members facing similar issues in finding the correct solution.

Answer 2

Hello Asko Kauppinen,

You need to include the complete resource Id of the private dns zone, The option that I can suggest is creating a variable with the complete resource ID:

param privateEndpointResourceName  string
param privateDnsZoneName           string
param privateDnsZoneSubscriptionId string
param privateDnsZoneResourceGroup  string
param privateDnsZoneGroupName      string

var privateDnsZoneId = resourceId(privateDnsZoneSubscriptionId, privateDnsZoneResourceGroup, 'Microsoft.Network/privateDnsZones', privateDnsZoneName)

resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' existing = {
  name:  privateEndpointResourceName
}

resource privateEndpointResourceDnsZoneRecord 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2024-05-01' = {
  parent: pe
  name: privateDnsZoneGroupName
  properties: {
    privateDnsZoneConfigs: [
      {
        name: privateDnsZoneGroupName
        properties: {
          privateDnsZoneId: privateDnsZoneId
        }
      }
    ]
  }
}

Let me know if this solve your problem.

Cheers,

Luis