Azure Private Endpoint private DNS zone values
It's important to correctly configure your DNS settings to resolve the private endpoint IP address to the fully qualified domain name (FQDN) of the connection string.
Existing Microsoft Azure services might already have a DNS configuration for a public endpoint. This configuration must be overridden to connect using your private endpoint.
The network interface associated with the private endpoint contains the information to configure your DNS. The network interface information includes FQDN and private IP addresses for your private link resource.
You can use the following options to configure your DNS settings for private endpoints:
Use the host file (only recommended for testing). You can use the host file on a virtual machine to override the DNS.
Use a private DNS zone. You can use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve specific domains.
Use Azure Private Resolver (optional). You can use Azure Private Resolver to override the DNS resolution for a private link resource. For more information about Azure Private Resolver, see What is Azure Private Resolver?.
Caution
It's not recommended to override a zone that's actively in use to resolve public endpoints. Connections to resources won't be able to resolve correctly without DNS forwarding to the public DNS. To avoid issues, create a different domain name or follow the suggested name for each service listed later in this article.
Existing Private DNS Zones linked to a single Azure service should not be associated with two different Azure service Private Endpoints. This will cause a deletion of the initial A-record and result in resolution issue when attempting to access that service from each respective Private Endpoint. Create a DNS zone for each Private Endpoint of like services. Don't place records for multiple services in the same DNS zone.
Azure services DNS zone configuration
Azure creates a canonical name DNS record (CNAME) on the public DNS. The CNAME record redirects the resolution to the private domain name. You can override the resolution with the private IP address of your private endpoints.
Connection URLs for your existing applications don't change. Client DNS requests to a public DNS server resolve to your private endpoints. The process doesn't affect your existing applications.
Important
Azure File Shares must be remounted if connected to the public endpoint.
Caution
Private networks already using the private DNS zone for a given type, can only connect to public resources if they don't have any private endpoint connections, otherwise a corresponding DNS configuration is required on the private DNS zone in order to complete the DNS resolution sequence. The corresponding DNS configuration is a manually entered A-record that points to the public IP address of the resource. This procedure isn't recommended as the IP address of the A record won't be automatically updated if the corresponding public IP address changes.
Private endpoint private DNS zone configurations will only automatically generate if you use the recommended naming scheme in the following tables.
For Azure services, use the recommended zone names as described in the following tables:
Commercial
AI + Machine Learning
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Machine Learning (Microsoft.MachineLearningServices/workspaces) | amlworkspace | privatelink.api.azureml.ms privatelink.notebooks.azure.net |
api.azureml.ms notebooks.azure.net instances.azureml.ms aznbcontent.net inference.ml.azure.com |
Azure AI services (Microsoft.CognitiveServices/accounts) | account | privatelink.cognitiveservices.azure.com privatelink.openai.azure.com |
cognitiveservices.azure.com openai.azure.com |
Azure Bot Service (Microsoft.BotService/botServices) | Bot | privatelink.directline.botframework.com | directline.botframework.com |
Azure Bot Service (Microsoft.BotService/botServices) | Token | privatelink.token.botframework.com | token.botframework.com |
Analytics
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Synapse Analytics (Microsoft.Synapse/workspaces) | Sql | privatelink.sql.azuresynapse.net | sql.azuresynapse.net |
Azure Synapse Analytics (Microsoft.Synapse/workspaces) | SqlOnDemand | privatelink.sql.azuresynapse.net | sql.azuresynapse.net |
Azure Synapse Analytics (Microsoft.Synapse/workspaces) | Dev | privatelink.dev.azuresynapse.net | dev.azuresynapse.net |
Azure Synapse Studio (Microsoft.Synapse/privateLinkHubs) | Web | privatelink.azuresynapse.net | azuresynapse.net |
Azure Event Hubs (Microsoft.EventHub/namespaces) | namespace | privatelink.servicebus.windows.net | servicebus.windows.net |
Azure Service Bus (Microsoft.ServiceBus/namespaces) | namespace | privatelink.servicebus.windows.net | servicebus.windows.net |
Azure Data Factory (Microsoft.DataFactory/factories) | dataFactory | privatelink.datafactory.azure.net | datafactory.azure.net |
Azure Data Factory (Microsoft.DataFactory/factories) | portal | privatelink.adf.azure.com | adf.azure.com |
Azure HDInsight (Microsoft.HDInsight/clusters) | gateway headnode |
privatelink.azurehdinsight.net | azurehdinsight.net |
Azure Data Explorer (Microsoft.Kusto/Clusters) | cluster | privatelink.{regionName}.kusto.windows.net privatelink.blob.core.windows.net privatelink.queue.core.windows.net privatelink.table.core.windows.net |
{regionName}.kusto.windows.net blob.core.windows.net queue.core.windows.net table.core.windows.net |
Microsoft Power BI (Microsoft.PowerBI/privateLinkServicesForPowerBI) | tenant | privatelink.analysis.windows.net privatelink.pbidedicated.windows.net privatelink.tip1.powerquery.microsoft.com |
analysis.windows.net pbidedicated.windows.net tip1.powerquery.microsoft.com |
Azure Databricks (Microsoft.Databricks/workspaces) | databricks_ui_api browser_authentication |
privatelink.azuredatabricks.net | azuredatabricks.net |
Compute
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Batch (Microsoft.Batch/batchAccounts) | batchAccount | privatelink.batch.azure.com | {regionName}.batch.azure.com |
Azure Batch (Microsoft.Batch/batchAccounts) | nodeManagement | privatelink.batch.azure.com | {regionName}.service.batch.azure.com |
Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces) | global | privatelink-global.wvd.microsoft.com | wvd.microsoft.com |
Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces) | feed | privatelink.wvd.microsoft.com | wvd.microsoft.com |
Azure Virtual Desktop (Microsoft.DesktopVirtualization/hostpools) | connection | privatelink.wvd.microsoft.com | wvd.microsoft.com |
Containers
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Kubernetes Service - Kubernetes API (Microsoft.ContainerService/managedClusters) | management | privatelink.{regionName}.azmk8s.io {subzone}.privatelink.{regionName}.azmk8s.io |
{regionName}.azmk8s.io |
Azure Container Apps (Microsoft.App/ManagedEnvironments) | managedEnvironment | privatelink.{regionName}.azurecontainerapps.io | azurecontainerapps.io |
Azure Container Registry (Microsoft.ContainerRegistry/registries) | registry | privatelink.azurecr.io {regionName}.data.privatelink.azurecr.io |
azurecr.io {regionName}.data.azurecr.io |
Databases
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure SQL Database (Microsoft.Sql/servers) | sqlServer | privatelink.database.windows.net | database.windows.net |
Azure SQL Managed Instance (Microsoft.Sql/managedInstances) | managedInstance | privatelink.{dnsPrefix}.database.windows.net | {instanceName}.{dnsPrefix}.database.windows.net |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Sql | privatelink.documents.azure.com | documents.azure.com |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | MongoDB | privatelink.mongo.cosmos.azure.com | mongo.cosmos.azure.com |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Cassandra | privatelink.cassandra.cosmos.azure.com | cassandra.cosmos.azure.com |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Gremlin | privatelink.gremlin.cosmos.azure.com | gremlin.cosmos.azure.com |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Table | privatelink.table.cosmos.azure.com | table.cosmos.azure.com |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Analytical | privatelink.analytics.cosmos.azure.com | analytics.cosmos.azure.com |
Azure Cosmos DB (Microsoft.DBforPostgreSQL/serverGroupsv2) | coordinator | privatelink.postgres.cosmos.azure.com | postgres.cosmos.azure.com |
Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) | postgresqlServer | privatelink.postgres.database.azure.com | postgres.database.azure.com |
Azure Database for PostgreSQL - Flexible server (Microsoft.DBforPostgreSQL/flexibleServers) | postgresqlServer | privatelink.postgres.database.azure.com | postgres.database.azure.com |
Azure Database for MySQL - Single Server (Microsoft.DBforMySQL/servers) | mysqlServer | privatelink.mysql.database.azure.com | mysql.database.azure.com |
Azure Database for MySQL - Flexible Server (Microsoft.DBforMySQL/flexibleServers) | mysqlServer | privatelink.mysql.database.azure.com | mysql.database.azure.com |
Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) | mariadbServer | privatelink.mariadb.database.azure.com | mariadb.database.azure.com |
Azure Cache for Redis (Microsoft.Cache/Redis) | redisCache | privatelink.redis.cache.windows.net | redis.cache.windows.net |
Azure Cache for Redis Enterprise (Microsoft.Cache/RedisEnterprise) | redisEnterprise | privatelink.redisenterprise.cache.azure.net | redisenterprise.cache.azure.net |
Hybrid + multicloud
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Arc (Microsoft.HybridCompute/privateLinkScopes) | hybridcompute | privatelink.his.arc.azure.com privatelink.guestconfiguration.azure.com privatelink.dp.kubernetesconfiguration.azure.com |
his.arc.azure.com guestconfiguration.azure.com dp.kubernetesconfiguration.azure.com |
Integration
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Service Bus (Microsoft.ServiceBus/namespaces) | namespace | privatelink.servicebus.windows.net | servicebus.windows.net |
Azure Event Grid (Microsoft.EventGrid/topics) | topic | privatelink.eventgrid.azure.net | eventgrid.azure.net |
Azure Event Grid (Microsoft.EventGrid/domains) | domain | privatelink.eventgrid.azure.net | eventgrid.azure.net |
Azure Event Grid (Microsoft.EventGrid/namespaces) | topic | privatelink.eventgrid.azure.net | eventgrid.azure.net |
Azure Event Grid (Microsoft.EventGrid/namespaces/topicSpace) | topicSpace | privatelink.ts.eventgrid.azure.net | eventgrid.azure.net |
Azure Event Grid (Microsoft.EventGrid/partnerNamespaces) | partnernamespace | privatelink.eventgrid.azure.net | eventgrid.azure.net |
Azure API Management (Microsoft.ApiManagement/service) | Gateway | privatelink.azure-api.net | azure-api.net |
Azure Health Data Services (Microsoft.HealthcareApis/workspaces) | healthcareworkspace | privatelink.workspace.azurehealthcareapis.com privatelink.fhir.azurehealthcareapis.com privatelink.dicom.azurehealthcareapis.com |
workspace.azurehealthcareapis.com fhir.azurehealthcareapis.com dicom.azurehealthcareapis.com |
Internet of Things (IoT)
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure IoT Hub (Microsoft.Devices/IotHubs) | iotHub | privatelink.azure-devices.net privatelink.servicebus.windows.net1 |
azure-devices.net servicebus.windows.net |
Azure IoT Hub Device Provisioning Service (Microsoft.Devices/ProvisioningServices) | iotDps | privatelink.azure-devices-provisioning.net | azure-devices-provisioning.net |
Device Update for IoT Hubs (Microsoft.DeviceUpdate/accounts) | DeviceUpdate | privatelink.api.adu.microsoft.com | api.adu.microsoft.com |
Azure IoT Central (Microsoft.IoTCentral/IoTApps) | iotApp | privatelink.azureiotcentral.com | azureiotcentral.com |
Azure Digital Twins (Microsoft.DigitalTwins/digitalTwinsInstances) | API | privatelink.digitaltwins.azure.net | digitaltwins.azure.net |
Media
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Media Services (Microsoft.Media/mediaservices) | keydelivery liveevent streamingendpoint |
privatelink.media.azure.net | media.azure.net |
Management and Governance
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Automation (Microsoft.Automation/automationAccounts) | Webhook DSCAndHybridWorker |
privatelink.azure-automation.net | {regionCode}.azure-automation.net |
Azure Backup (Microsoft.RecoveryServices/vaults) | AzureBackup | privatelink.{regionCode}.backup.windowsazure.com | {regionCode}.backup.windowsazure.com |
Azure Site Recovery (Microsoft.RecoveryServices/vaults) | AzureSiteRecovery | privatelink.siterecovery.windowsazure.com | {regionCode}.siterecovery.windowsazure.com |
Azure Monitor (Microsoft.Insights/privateLinkScopes) | azuremonitor | privatelink.monitor.azure.com privatelink.oms.opinsights.azure.com privatelink.ods.opinsights.azure.com privatelink.agentsvc.azure-automation.net privatelink.blob.core.windows.net |
monitor.azure.com oms.opinsights.azure.com ods.opinsights.azure.com agentsvc.azure-automation.net blob.core.windows.net services.visualstudio.com applicationinsights.azure.com |
Microsoft Purview (Microsoft.Purview/accounts) | account | privatelink.purview.azure.com | purview.azure.com |
Microsoft Purview (Microsoft.Purview/accounts) | portal | privatelink.purviewstudio.azure.com | purviewstudio.azure.com |
Azure Migrate (Microsoft.Migrate/migrateProjects) | Default | privatelink.prod.migration.windowsazure.com | prod.migration.windowsazure.com |
Azure Migrate (Microsoft.Migrate/assessmentProjects) | Default | privatelink.prod.migration.windowsazure.com | prod.migration.windowsazure.com |
Azure Resource Manager (Microsoft.Authorization/resourceManagementPrivateLinks) | ResourceManagement | privatelink.azure.com | azure.com |
Azure Managed Grafana (Microsoft.Dashboard/grafana) | grafana | privatelink.grafana.azure.com | grafana.azure.com |
Security
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Key Vault (Microsoft.KeyVault/vaults) | vault | privatelink.vaultcore.azure.net | vault.azure.net vaultcore.azure.net |
Azure Key Vault (Microsoft.KeyVault/managedHSMs) | managedhsm | privatelink.managedhsm.azure.net | managedhsm.azure.net |
Azure App Configuration (Microsoft.AppConfiguration/configurationStores) | configurationStores | privatelink.azconfig.io | azconfig.io |
Azure Attestation (Microsoft.Attestation/attestationProviders) | standard | privatelink.attest.azure.net | attest.azure.net |
Storage
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Storage account (Microsoft.Storage/storageAccounts) | blob blob_secondary |
privatelink.blob.core.windows.net | blob.core.windows.net |
Storage account (Microsoft.Storage/storageAccounts) | table table_secondary |
privatelink.table.core.windows.net | table.core.windows.net |
Storage account (Microsoft.Storage/storageAccounts) | queue queue_secondary |
privatelink.queue.core.windows.net | queue.core.windows.net |
Storage account (Microsoft.Storage/storageAccounts) | file | privatelink.file.core.windows.net | file.core.windows.net |
Storage account (Microsoft.Storage/storageAccounts) | web web_secondary |
privatelink.web.core.windows.net | web.core.windows.net |
Azure Data Lake File System Gen2 (Microsoft.Storage/storageAccounts) | dfs dfs_secondary |
privatelink.dfs.core.windows.net | dfs.core.windows.net |
Azure File Sync (Microsoft.StorageSync/storageSyncServices) | afs | privatelink.afs.azure.net | afs.azure.net |
Azure Managed Disks (Microsoft.Compute/diskAccesses) | disks | privatelink.blob.core.windows.net | blob.core.windows.net |
Web
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Search (Microsoft.Search/searchServices) | searchService | privatelink.search.windows.net | search.windows.net |
Azure Relay (Microsoft.Relay/namespaces) | namespace | privatelink.servicebus.windows.net | servicebus.windows.net |
Azure Web Apps - Azure Function Apps (Microsoft.Web/sites) | sites | privatelink.azurewebsites.net scm.privatelink.azurewebsites.net2</sup |
azurewebsites.net scm.azurewebsites.net |
SignalR (Microsoft.SignalRService/SignalR) | signalr | privatelink.service.signalr.net | service.signalr.net |
Azure Static Web Apps (Microsoft.Web/staticSites) | staticSites | privatelink.azurestaticapps.net privatelink.{partitionId}.azurestaticapps.net |
azurestaticapps.net {partitionId}.azurestaticapps.net |
Azure Event Hubs (Microsoft.EventHub/namespaces) | namespace | privatelink.servicebus.windows.net | servicebus.windows.net |
1To use with IoT Hub's built-in Event Hub compatible endpoint. To learn more, see private link support for IoT Hub's built-in endpoint
2In scenarios where the Kudu console or Kudu REST API is used, you must create two DNS records pointing to the private endpoint IP in your Azure DNS private zone or custom DNS server. The first record is for your app, and the second record is for the SCM (Source Control Management) of your app.
Note
In the above text, {regionCode}
refers to the region code (for example, eus for East US and ne for North Europe). Refer to the following lists for regions codes:
{regionName}
refers to the full region name (for example, eastus for East US and northeurope for North Europe). To retrieve a current list of Azure regions and their names and display names, use az account list-locations -o table
.
Government
AI + Machine Learning
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure AI services (Microsoft.CognitiveServices/accounts) | account | privatelink.cognitiveservices.azure.us | cognitiveservices.azure.us |
Azure Machine Learning (Microsoft.MachineLearningServices/workspaces) | amlworkspace | privatelink.api.ml.azure.us privatelink.notebooks.usgovcloudapi.net |
api.ml.azure.us notebooks.usgovcloudapi.net instances.azureml.us aznbcontent.net inference.ml.azure.us |
Analytics
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Event Hubs (Microsoft.EventHub/namespaces) | namespace | privatelink.servicebus.usgovcloudapi.net | servicebus.usgovcloudapi.net |
Azure Synapse Analytics (Microsoft.Synapse/workspaces) | Sql | privatelink.sql.azuresynapse.usgovcloudapi.net | sql.azuresynapse.usgovcloudapi.net |
Azure Synapse Analytics (Microsoft.Synapse/workspaces) | SqlOnDemand | privatelink.sql.azuresynapse.usgovcloudapi.net | {workspaceName}-ondemand.sql.azuresynapse.usgovcloudapi.net |
Azure Synapse Analytics (Microsoft.Synapse/workspaces) | Dev | privatelink.dev.azuresynapse.usgovcloudapi.net | dev.azuresynapse.usgovcloudapi.net |
Azure Synapse Studio (Microsoft.Synapse/privateLinkHubs) | Web | privatelink.azuresynapse.usgovcloudapi.net | azuresynapse.usgovcloudapi.net |
Azure Data Factory (Microsoft.DataFactory/factories) | dataFactory | privatelink.datafactory.azure.us | datafactory.azure.us |
Azure Data Factory (Microsoft.DataFactory/factories) | portal | privatelink.adf.azure.us | adf.azure.us |
Azure HDInsight (Microsoft.HDInsight) | gateway headnode |
privatelink.azurehdinsight.us | azurehdinsight.us |
Azure Databricks (Microsoft.Databricks/workspaces) | databricks_ui_api browser_authentication |
privatelink.databricks.azure.us | databricks.azure.us |
Compute
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Batch (Microsoft.Batch/batchAccounts) | batchAccount | privatelink.batch.usgovcloudapi.net | {regionName}.batch.usgovcloudapi.net |
Azure Batch (Microsoft.Batch/batchAccounts) | nodeManagement | privatelink.batch.usgovcloudapi.net | {regionName}.service.batch.usgovcloudapi.net |
Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces) | global | privatelink-global.wvd.azure.us | wvd.azure.us |
Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces Microsoft.DesktopVirtualization/hostpools) |
feed connection |
privatelink.wvd.azure.us | wvd.azure.us |
Containers
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Container Registry (Microsoft.ContainerRegistry/registries) | registry | privatelink.azurecr.us {regionName}.privatelink.azurecr.us |
azurecr.us {regionName}.azurecr.us |
Databases
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure SQL Database (Microsoft.Sql/servers) | sqlServer | privatelink.database.usgovcloudapi.net | database.usgovcloudapi.net |
Azure SQL Managed Instance (Microsoft.Sql/managedInstances) | managedInstance | privatelink.{dnsPrefix}.database.usgovcloudapi.net | {instanceName}.{dnsPrefix}.database.usgovcloudapi.net |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Sql | privatelink.documents.azure.us | documents.azure.us |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | MongoDB | privatelink.mongo.cosmos.azure.us | mongo.cosmos.azure.us |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Cassandra | privatelink.cassandra.cosmos.azure.us | cassandra.cosmos.azure.us |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Gremlin | privatelink.gremlin.cosmos.azure.us | gremlin.cosmos.azure.us |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Table | privatelink.table.cosmos.azure.us | table.cosmos.azure.us |
Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) | postgresqlServer | privatelink.postgres.database.usgovcloudapi.net | postgres.database.usgovcloudapi.net |
Azure Database for PostgreSQL - Flexible server (Microsoft.DBforPostgreSQL/flexibleServers) | postgresqlServer | privatelink.postgres.database.usgovcloudapi.net | postgres.database.usgovcloudapi.net |
Azure Database for MySQL - Single Server (Microsoft.DBforMySQL/servers) | mysqlServer | privatelink.mysql.database.usgovcloudapi.net | mysql.database.usgovcloudapi.net |
Azure Database for MySQL - Flexible Server (Microsoft.DBforMySQL/flexibleServers) | mysqlServer | privatelink.mysql.database.usgovcloudapi.net | mysql.database.usgovcloudapi.net |
Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) | mariadbServer | privatelink.mariadb.database.usgovcloudapi.net | mariadb.database.usgovcloudapi.net |
Azure Cache for Redis (Microsoft.Cache/Redis) | redisCache | privatelink.redis.cache.usgovcloudapi.net | redis.cache.usgovcloudapi.net |
Hybrid + multicloud
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|
Integration
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Service Bus (Microsoft.ServiceBus/namespaces) | namespace | privatelink.servicebus.usgovcloudapi.net | servicebus.usgovcloudapi.net |
Azure Event Grid (Microsoft.EventGrid/topics) | topic | privatelink.eventgrid.azure.us | eventgrid.azure.us |
Azure Event Grid (Microsoft.EventGrid/domains) | domain | privatelink.eventgrid.azure.us | eventgrid.azure.us |
Azure Health Data Services (Microsoft.HealthcareApis/workspaces) | healthcareworkspace | privatelink.workspace.azurehealthcareapis.us privatelink.fhir.azurehealthcareapis.us privatelink.dicom.azurehealthcareapis.us |
workspace.azurehealthcareapis.us fhir.azurehealthcareapis.us dicom.azurehealthcareapis.us |
Internet of Things (IoT)
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure IoT Hub (Microsoft.Devices/IotHubs) | iotHub | privatelink.azure-devices.us privatelink.servicebus.windows.us1 |
azure-devices.us servicebus.usgovcloudapi.net |
Azure IoT Hub Device Provisioning Service (Microsoft.Devices/ProvisioningServices) | iotDps | privatelink.azure-devices-provisioning.us | azure-devices-provisioning.us |
Media
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|
Management and Governance
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Automation / (Microsoft.Automation/automationAccounts) | Webhook DSCAndHybridWorker |
privatelink.azure-automation.us | azure-automation.us |
Azure Backup (Microsoft.RecoveryServices/vaults) | AzureBackup | privatelink.{regionCode}.backup.windowsazure.us | {regionCode}.backup.windowsazure.us |
Azure Site Recovery (Microsoft.RecoveryServices/vaults) | AzureSiteRecovery | privatelink.siterecovery.windowsazure.us | {regionCode}.siterecovery.windowsazure.us |
Azure Monitor (Microsoft.Insights/privateLinkScopes) | azuremonitor | privatelink.monitor.azure.us privatelink.adx.monitor.azure.us privatelink.oms.opinsights.azure.us privatelink.ods.opinsights.azure.us privatelink.agentsvc.azure-automation.us privatelink.blob.core.usgovcloudapi.net |
monitor.azure.us adx.monitor.azure.us oms.opinsights.azure.us ods.opinsights.azure.us agentsvc.azure-automation.us blob.core.usgovcloudapi.net |
Microsoft Purview (Microsoft.Purview) | account | privatelink.purview.azure.us | purview.azure.us |
Microsoft Purview (Microsoft.Purview) | portal | privatelink.purviewstudio.azure.us | purview.azure.com purviewstudio.azure.us |
Security
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Key Vault (Microsoft.KeyVault/vaults) | vault | privatelink.vaultcore.usgovcloudapi.net | vault.usgovcloudapi.net vaultcore.usgovcloudapi.net |
Azure App Configuration (Microsoft.AppConfiguration/configurationStores) | configurationStores | privatelink.azconfig.azure.us | azconfig.azure.us |
Storage
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Storage account (Microsoft.Storage/storageAccounts) | blob blob_secondary |
privatelink.blob.core.usgovcloudapi.net | blob.core.usgovcloudapi.net |
Storage account (Microsoft.Storage/storageAccounts) | table table_secondary |
privatelink.table.core.usgovcloudapi.net | table.core.usgovcloudapi.net |
Storage account (Microsoft.Storage/storageAccounts) | queue queue_secondary |
privatelink.queue.core.usgovcloudapi.net | queue.core.usgovcloudapi.net |
Storage account (Microsoft.Storage/storageAccounts) | file file_secondary |
privatelink.file.core.usgovcloudapi.net | file.core.usgovcloudapi.net |
Storage account (Microsoft.Storage/storageAccounts) | web web_secondary |
privatelink.web.core.usgovcloudapi.net | web.core.usgovcloudapi.net |
Azure Data Lake File System Gen2 (Microsoft.Storage/storageAccounts) | dfs dfs_secondary |
privatelink.dfs.core.usgovcloudapi.net | dfs.core.usgovcloudapi.net |
Web
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Search (Microsoft.Search/searchServices) | searchService | privatelink.search.azure.us | search.azure.us |
Azure Relay (Microsoft.Relay/namespaces) | namespace | privatelink.servicebus.usgovcloudapi.net | servicebus.usgovcloudapi.net |
Azure Web Apps (Microsoft.Web/sites) | sites | privatelink.azurewebsites.us scm.privatelink.azurewebsites.us2 |
azurewebsites.us scm.azurewebsites.us |
Azure Event Hubs (Microsoft.EventHub/namespaces) | namespace | privatelink.servicebus.usgovcloudapi.net | servicebus.usgovcloudapi.net |
2In scenarios where the Kudu console or Kudu REST API is used, you must create two DNS records pointing to the private endpoint IP in your Azure DNS private zone or custom DNS server. The first record is for your app, and the second record is for the SCM (Source Control Management) of your app.
Note
In the above text, {regionCode}
refers to the region code (for example, eus for East US and ne for North Europe). Refer to the following lists for regions codes:
{regionName}
refers to the full region name (for example, eastus for East US and northeurope for North Europe). To retrieve a current list of Azure regions and their names and display names, use az account list-locations -o table
.
China
AI + Machine Learning
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Machine Learning (Microsoft.MachineLearningServices/workspaces) | amlworkspace | privatelink.api.ml.azure.cn privatelink.notebooks.chinacloudapi.cn |
api.ml.azure.cn notebooks.chinacloudapi.cn instances.azureml.cn aznbcontent.net inference.ml.azure.cn |
Analytics
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Data Factory (Microsoft.DataFactory/factories) | dataFactory | privatelink.datafactory.azure.cn | datafactory.azure.cn |
Azure Data Factory (Microsoft.DataFactory/factories) | portal | privatelink.adf.azure.cn | adf.azure.cn |
Azure HDInsight (Microsoft.HDInsight) | gateway headnode |
privatelink.azurehdinsight.cn | azurehdinsight.cn |
Azure Data Explorer (Microsoft.Kusto/Clusters) | cluster | privatelink.{regionName}.kusto.windows.cn | {regionName}.kusto.windows.cn |
Compute
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Batch (Microsoft.Batch/batchAccounts) | batchAccount | privatelink.batch.chinacloudapi.cn | {region}.batch.chinacloudapi.cn |
Azure Batch (Microsoft.Batch/batchAccounts) | nodeManagement | privatelink.batch.chinacloudapi.cn | {region}.service.batch.chinacloudapi.cn |
Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces) | global | privatelink-global.wvd.azure.cn | wvd.azure.cn |
Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces and Microsoft.DesktopVirtualization/hostpools) | feed connection |
privatelink.wvd.azure.cn | wvd.azure.cn |
Containers
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|
Databases
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure SQL Database (Microsoft.Sql/servers) | sqlServer | privatelink.database.chinacloudapi.cn | database.chinacloudapi.cn |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Sql | privatelink.documents.azure.cn | documents.azure.cn |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | MongoDB | privatelink.mongo.cosmos.azure.cn | mongo.cosmos.azure.cn |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Cassandra | privatelink.cassandra.cosmos.azure.cn | cassandra.cosmos.azure.cn |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Gremlin | privatelink.gremlin.cosmos.azure.cn | gremlin.cosmos.azure.cn |
Azure Cosmos DB (Microsoft.DocumentDB/databaseAccounts) | Table | privatelink.table.cosmos.azure.cn | table.cosmos.azure.cn |
Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) | postgresqlServer | privatelink.postgres.database.chinacloudapi.cn | postgres.database.chinacloudapi.cn |
Azure Database for PostgreSQL - Flexible server (Microsoft.DBforPostgreSQL/flexibleServers) | postgresqlServer | privatelink.postgres.database.chinacloudapi.cn | postgres.database.chinacloudapi.cn |
Azure Database for MySQL - Single Server (Microsoft.DBforMySQL/servers) | mysqlServer | privatelink.mysql.database.chinacloudapi.cn | mysql.database.chinacloudapi.cn |
Azure Database for MySQL - Flexible Server (Microsoft.DBforMySQL/flexibleServers) | mysqlServer | privatelink.mysql.database.chinacloudapi.cn | mysql.database.chinacloudapi.cn |
Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) | mariadbServer | privatelink.mariadb.database.chinacloudapi.cn | mariadb.database.chinacloudapi.cn |
Azure Cache for Redis (Microsoft.Cache/Redis) | redisCache | privatelink.redis.cache.chinacloudapi.cn | redis.cache.chinacloudapi.cn |
Hybrid + multicloud
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|
Integration
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Service Bus (Microsoft.ServiceBus/namespaces) | namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |
Internet of Things (IoT)
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure IoT Hub (Microsoft.Devices/IotHubs) | iotHub | privatelink.azure-devices.cn privatelink.servicebus.chinacloudapi.cn 1 |
azure-devices.cn servicebus.chinacloudapi.cn |
Azure IoT Hub Device Provisioning Service (Microsoft.Devices/ProvisioningServices) | iotDps | privatelink.azure-devices-provisioning.cn | azure-devices-provisioning.cn |
Media
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|
Management and Governance
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Automation / (Microsoft.Automation/automationAccounts) | Webhook DSCAndHybridWorker |
privatelink.azure-automation.cn | azure-automation.cn |
Security
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Key Vault (Microsoft.KeyVault/vaults) | vault | privatelink.vaultcore.azure.cn | vaultcore.azure.cn |
Storage
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Storage account (Microsoft.Storage/storageAccounts) | blob blob_secondary |
privatelink.blob.core.chinacloudapi.cn | blob.core.chinacloudapi.cn |
Storage account (Microsoft.Storage/storageAccounts) | table table_secondary |
privatelink.table.core.chinacloudapi.cn | table.core.chinacloudapi.cn |
Storage account (Microsoft.Storage/storageAccounts) | queue queue_secondary |
privatelink.queue.core.chinacloudapi.cn | queue.core.chinacloudapi.cn |
Storage account (Microsoft.Storage/storageAccounts) | file file_secondary |
privatelink.file.core.chinacloudapi.cn | file.core.chinacloudapi.cn |
Storage account (Microsoft.Storage/storageAccounts) | web web_secondary |
privatelink.web.core.chinacloudapi.cn | web.core.chinacloudapi.cn |
Azure Data Lake File System Gen2 (Microsoft.Storage/storageAccounts) | dfs dfs_secondary |
privatelink.dfs.core.chinacloudapi.cn | dfs.core.chinacloudapi.cn |
Azure File Sync (Microsoft.StorageSync/storageSyncServices) | afs | privatelink.afs.azure.cn | afs.azure.cn |
Web
Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |
---|---|---|---|
Azure Event Hubs (Microsoft.EventHub/namespaces) | namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |
Azure Relay (Microsoft.Relay/namespaces) | namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |
Azure Web Apps (Microsoft.Web/sites) | sites | privatelink.chinacloudsites.cn | chinacloudsites.cn |
SignalR (Microsoft.SignalRService/SignalR) | signalR | privatelink.signalr.azure.cn | service.signalr.azure.cn |
1To use with IoT Hub's built-in Event Hub compatible endpoint. To learn more, see private link support for IoT Hub's built-in endpoint
Next step
To learn more about DNS integration and scenarios for Azure Private Link, continue to the following article: