Private Endpoint NSLookup Resolving to Public IP Instead of Private IP for AppConfiguration

Gafoor, Abdul 0 Reputation points
2025-02-11T05:52:04.5233333+00:00

I have set up a Private Endpoint for my Azure resource (AppConfiguration) and followed all the necessary steps as per the Microsoft documentation, including:

  1. Created a Private Endpoint.
  2. Configured a Private DNS Zone (privatelink.azconfig.io).
  3. Linked the Private DNS Zone to my Virtual Network (VNet).
  4. Added a DNS A record for the resource pointing to a private IP.
  5. Ensured the private IP is mapped correctly to the DNS record.
  6. Disabled Public Network Access for the resource.

Note: I don't want the VM because I am using AKS and I have my own custom DNS zone; how can I configure this in my custom one?

Issue:

When I run nslookup from my PowerShell, the result still resolves to the public IP address instead of the private IP.

Troubleshooting Steps Taken:

  • Verified the Private DNS Zone Setup
    • Confirmed that privatelink.azconfig.io exists.
    • Ensured that the A record for my resource points to the private IP.
  • Checked Private DNS Zone & VNet Link
    • Verified that my VNet is correctly linked to the private DNS zone.

Despite these configurations, nslookup continues to return the public IP instead of the expected private IP.

Question:

  • What additional checks or configurations should I perform to ensure nslookup resolves to the private IP?
  • Is there any caching issue that might be causing this behavior?
  • Do I need to configure my local machine’s DNS settings explicitly?

1 answer

  1. Praveen Bandaru 425 Reputation points Microsoft Vendor
    2025-02-11T11:23:47.9633333+00:00

    Hello Gafoor, Abdul

    Greetings!

    • If you are using a custom DNS, you need to configure a forwarder pointing to the Azure DNS IP on the custom DNS server machine.
    • Additionally, if the custom DNS is hosted in a different VNET, you need to add the custom DNS virtual network in the private DNS zone.
    • If AKS is in a different VNET, you need to link this VNET in the private DNS zone as well.
    • If you are trying to connect from on-premises, you need to use a VPN. For connections inside Azure, you need a private DNS resolver.
    • Additionally, you must configure a conditional forwarder pointing to the private DNS resolver's inbound IP in your local machine's DNS server.

    Kindly check the below documents for more understanding:

    Doc 1: https://github.com/msrini-MSFT/Troubleshooting-Private-Link-DNS-Scenarios?tab=readme-ov-file#category-2-if-you-are-using-a-custom-dns-in-source-virtual-network

    Doc 2: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

    Doc 3: https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal?tabs=dynamic-ip


    Hope this helps!

    Please let me know if you have any questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
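Added example (not from the question or the answer above): a small Python checker that takes the answer section of a dig/nslookup query for the App Configuration hostname plus the VNet address space and classifies the result, so you can tell "private endpoint not approved" (no CNAME into privatelink.azconfig.io) apart from "resolver bypasses the private DNS zone" (CNAME present, but the final A record is a public IP). The store name `mystore`, the VNet range and both IPs are constructed placeholders.

```python
"""Classify where a private-endpoint DNS lookup for App Configuration ends up."""
import ipaddress
import re

PRIVATELINK_ZONE = "privatelink.azconfig.io"

# Constructed sample answers (dig-style). The first is what a resolver that
# forwards to Azure DNS (168.63.129.16) with the zone linked returns; the
# second is what a resolver with no forwarder (public resolution) returns.
ANSWER_VIA_AZURE_DNS = """
mystore.azconfig.io.              60 IN CNAME mystore.privatelink.azconfig.io.
mystore.privatelink.azconfig.io.  10 IN A     10.1.2.4
"""
ANSWER_VIA_PUBLIC_DNS = """
mystore.azconfig.io.              60 IN CNAME mystore.privatelink.azconfig.io.
mystore.privatelink.azconfig.io.  60 IN A     203.0.113.5
"""

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A)\s+(\S+)$")


def parse_records(answer_text):
    """Return a list of (owner, rrtype, value) tuples from an answer section."""
    records = []
    for line in answer_text.strip().splitlines():
        m = RR_RE.match(line.strip())
        if m:
            records.append((m.group(1).rstrip("."), m.group(2), m.group(3).rstrip(".")))
    return records


def classify(answer_text, vnet_cidr):
    """Map an answer section to one of four diagnoses (see comments)."""
    vnet = ipaddress.ip_network(vnet_cidr)
    records = parse_records(answer_text)
    cname_to_privatelink = any(
        rrtype == "CNAME" and value.endswith(PRIVATELINK_ZONE)
        for _, rrtype, value in records
    )
    a_values = [value for _, rrtype, value in records if rrtype == "A"]
    if not a_values:
        return "no-a-record"                 # NXDOMAIN or truncated answer: check the zone
    if not cname_to_privatelink:
        return "no-privatelink-cname"        # no approved private endpoint for this resource
    if ipaddress.ip_address(a_values[-1]) in vnet:
        return "private-ok"                  # resolved through the linked private DNS zone
    return "public-ip-via-privatelink"       # resolver skips the private zone: add forwarder/VNet link
```

Run the same query once against your custom DNS server and once against 168.63.129.16 from inside the VNet; if only the second returns "private-ok", the forwarder or VNet link described in the answer is what is missing.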

