Why do I need Azure DNS Private Resolver instead of custom DNS VMs?

Custom DNS VMs (like Windows DNS or BIND) require you to manage availability, patching, scaling, and configuration. Azure DNS Private Resolver is a fully managed service that provides 99.99% SLA, automatic scaling, and native integration with Azure Private DNS zones. It eliminates the operational overhead of running DNS infrastructure while supporting the same conditional forwarding scenarios. The resolver also integrates with Azure policies for centralized DNS governance.

How do inbound and outbound endpoints differ?

Inbound endpoints accept DNS queries from outside the VNet — typically from on-premises networks via VPN or ExpressRoute. They provide a static IP address in a delegated subnet that on-premises DNS servers can forward to. Outbound endpoints send DNS queries to external DNS servers based on forwarding rulesets. They handle queries from Azure resources that need to resolve names hosted by on-premises DNS servers or third-party DNS services.

Can I link forwarding rulesets to multiple VNets?

Yes, a single DNS forwarding ruleset can be linked to up to 10 VNets, and each VNet can be linked to up to 2 rulesets. This lets you define forwarding rules once and apply them across multiple VNets, which is particularly useful in hub-and-spoke topologies. Ruleset links are separate from VNet peering — the resolver uses the outbound endpoint subnet for connectivity, and forwarded traffic follows the outbound endpoint's VNet routing.

Azure Private DNS Resolver Builder

NetworkingAzure

Build Private DNS Resolver configurations with forwarding rulesets and endpoints.

Last verified: May 2026

Private DNS Resolver Configuration

Build Private DNS Resolver configurations with inbound/outbound endpoints and forwarding rulesets.

Required Fields

namelocationvirtualNetworkIdforwardingRulesets

{
  "name": "prod-dns-resolver",
  "location": "eastus",
  "virtualNetworkId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-network/providers/Microsoft.Network/virtualNetworks/vnet-hub",
  "inboundEndpoints": [
    {
      "name": "inbound-endpoint",
      "subnetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-network/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-dns-inbound",
      "privateIpAddress": "10.0.4.4",
      "privateIpAllocationMethod": "Static"
    }
  ],
  "outboundEndpoints": [
    {
      "name": "outbound-endpoint",
      "subnetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-network/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-dns-outbound"
    }
  ],
  "forwardingRulesets": [
    {
      "name": "onprem-forwarding-ruleset",
      "rules": [
        {
          "ruleName": "forward-corp-domain",
          "domainName": "corp.contoso.com.",
          "targetDnsServers": [
            { "ipAddress": "10.100.1.10", "port": 53 },
            { "ipAddress": "10.100.1.11", "port": 53 }
          ],
          "ruleState": "Enabled"
        }
      ]
    }
  ]
}

Generated Output

Output will appear here...

About This Tool

Azure DNS Private Resolver enables name resolution between on-premises networks, Azure private DNS zones, and forwarded external domains without deploying custom DNS servers. It consists of inbound endpoints (for on-premises to Azure resolution) and outbound endpoints (for Azure to on-premises resolution) with DNS forwarding rulesets that define which domains are forwarded to which DNS servers. Configuring the resolver requires specifying VNet integration, subnet delegation, endpoint IPs, and ruleset rules. This builder helps you assemble resolver configurations with correct subnet references, forwarding rules, and endpoint settings.

Real-World Scenario

Your team is rolling out a hub-and-spoke topology across 8 spoke VNets that all need to resolve on-prem AD names AND Azure private DNS zones. Without Private Resolver, you'd need 2x redundant Windows DNS VMs in the hub forwarding to on-prem — adding $300/month + patching/HA management. The builder generates a Private Resolver config: 1 inbound endpoint (for on-prem to Azure resolution) + 1 outbound endpoint (for Azure to on-prem) + 1 ruleset forwarding `corp.local` to on-prem AD DNS, linked to all 8 spoke VNets. Total cost ~$288/month, fully managed, no patching required.

When to Use This Tool

•Building an inbound endpoint configuration that allows on-premises servers to resolve Azure Private DNS zones via ExpressRoute or VPN
•Creating DNS forwarding rulesets that forward queries for on-premises Active Directory domains to corporate DNS servers
•Configuring outbound endpoints with conditional forwarding rules for hybrid DNS resolution across Azure and on-premises networks
•Generating resolver configurations for hub-and-spoke VNet topologies where the hub VNet hosts the DNS Private Resolver for all spoke VNets

Pro Tips

TIP

Azure DNS Private Resolver costs ~$0.20/hour per endpoint = ~$144/month per inbound or outbound endpoint. For most hub-and-spoke architectures with one inbound + one outbound endpoint, that's $288/month — dramatically cheaper than running 2x redundant Windows DNS VMs (~$300/month + ops time).

TIP

Inbound endpoint subnet MUST be delegated to Microsoft.Network/dnsResolvers and contain ONLY DNS resolver resources. Don't put VMs or other resources in that subnet. The delegation requirement is enforced strictly and trying to share the subnet with other resources fails confusingly.

TIP

When migrating from custom DNS VMs to Azure DNS Private Resolver, the cutover is the risky step. Test by adding the resolver as an additional DNS server first (so VMs can use either), validate resolution behavior, then remove the old DNS VMs. Skipping the parallel run almost always causes 30+ minutes of DNS-related outage.

How It Works Under the Hood

The builder constructs Azure DNS Private Resolver configurations: resolver resource (with VNet binding), inbound endpoints (subnet delegation, IP config), outbound endpoints (subnet delegation), forwarding rulesets (with rules for specific domain forwarding to target DNS servers), and ruleset-to-VNet links. Output is generated as az network dns-resolver commands and Terraform azurerm_private_dns_resolver* resources.

Frequently Asked Questions

Why do I need Azure DNS Private Resolver instead of custom DNS VMs?: Custom DNS VMs (like Windows DNS or BIND) require you to manage availability, patching, scaling, and configuration. Azure DNS Private Resolver is a fully managed service that provides 99.99% SLA, automatic scaling, and native integration with Azure Private DNS zones. It eliminates the operational overhead of running DNS infrastructure while supporting the same conditional forwarding scenarios. The resolver also integrates with Azure policies for centralized DNS governance.
How do inbound and outbound endpoints differ?: Inbound endpoints accept DNS queries from outside the VNet — typically from on-premises networks via VPN or ExpressRoute. They provide a static IP address in a delegated subnet that on-premises DNS servers can forward to. Outbound endpoints send DNS queries to external DNS servers based on forwarding rulesets. They handle queries from Azure resources that need to resolve names hosted by on-premises DNS servers or third-party DNS services.
Can I link forwarding rulesets to multiple VNets?: Yes, a single DNS forwarding ruleset can be linked to up to 10 VNets, and each VNet can be linked to up to 2 rulesets. This lets you define forwarding rules once and apply them across multiple VNets, which is particularly useful in hub-and-spoke topologies. Ruleset links are separate from VNet peering — the resolver uses the outbound endpoint subnet for connectivity, and forwarded traffic follows the outbound endpoint's VNet routing.

Related Learning Guides

Virtual Network Architecture28 min read

Was this tool helpful?

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.