Check Private Endpoint DNS and networking requirements for Azure services.
Last verified: May 2026
The Azure Private Endpoint Checker validates DNS and networking requirements for Azure Private Endpoints across supported services. Private Endpoints bring Azure PaaS services into your VNet via a private IP address, but require specific DNS configuration to work correctly. This tool checks which DNS zones are needed, validates private DNS zone linkage, and ensures your configuration will resolve correctly.
When you create a Private Endpoint, clients must resolve the service's FQDN to the private IP address instead of the public IP. Without proper DNS configuration (typically via Azure Private DNS Zones), clients will continue resolving to the public endpoint, bypassing the Private Endpoint entirely.
Each Azure service has a specific private DNS zone name. For example, Azure SQL uses privatelink.database.windows.net, Blob Storage uses privatelink.blob.core.windows.net, and Key Vault uses privatelink.vaultcore.azure.net. The checker provides the correct zone name for each supported service.
In hub-and-spoke topologies, private DNS zones are typically linked to the hub VNet where centralized DNS resolution occurs. Spoke VNets forward DNS queries to the hub (via Azure DNS Private Resolver or custom DNS), which resolves Private Endpoint addresses. This centralizes DNS management across all spokes.
Your team migrated Azure SQL to a Private Endpoint last week, and the application has been intermittently slow ever since. You run nslookup from an app VM and sometimes see the public IP returned. The checker reveals that privatelink.database.windows.net is linked to spoke-1 but not spoke-2, and your app VMs are split across both spokes: the spoke-1 VMs resolve the private IP, while the spoke-2 VMs fall through to public DNS and reach the server over its public endpoint. You add the missing VNet link, flush the resolver caches on the affected VMs (or wait out the record TTL), and latency returns to normal.
The checker maintains a per-service mapping of required private DNS zones (e.g., Azure SQL → privatelink.database.windows.net, Storage Blob → privatelink.blob.core.windows.net) and runs your input through a checklist: zone exists, zone is linked to the client VNet, A record points to the private endpoint NIC IP, and (for hub-and-spoke) custom DNS forwarders are configured correctly. Each failure case includes a remediation snippet.
The most common Private Endpoint failure mode is forgetting to link the privatelink.* DNS zone to the VNet where the clients live. The endpoint deploys fine and its private IP is reachable, but clients still resolve the public IP: public DNS returns a CNAME from the service FQDN to its privatelink.* name, and without a linked zone for that name, 168.63.129.16 simply recurses to the internet and hands back the public address. Always verify VNet-to-zone linkage as the first troubleshooting step.
Do NOT hand-create another privatelink.* zone if you have already enabled Private DNS integration (a DNS zone group) on the Private Endpoint. The zone group writes and maintains the A record in the one zone you point it at, and a VNet can be linked to only one zone of a given name. If the zone your clients' VNet is linked to is not the one the zone group writes to, clients query a zone with a missing or stale record and never see the endpoint's IP. Pick one approach per zone, Azure-managed records via the zone group or self-managed records, and stick to it.
In hub-and-spoke with custom DNS, your forwarder must conditionally forward the privatelink.* zones to 168.63.129.16 (the Azure-provided resolver), not to your on-prem DNS. Two conditions follow from how that address works: 168.63.129.16 is reachable only from inside Azure, so the forwarder (a DNS VM or an Azure DNS Private Resolver inbound endpoint) must itself run in a VNet, and Azure DNS answers from a private zone only when the zone is linked to the VNet the query arrives from, so the hub VNet hosting the forwarder must be linked, not just the spokes. Get either wrong and cross-VNet clients resolve the public IP and bypass your Private Endpoint entirely.
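The checklist described above (zone exists, zone linked, A record matches the endpoint NIC, forwarder correct) and the forwarder rule in the preceding paragraph, as an added Python model that is not the page's checker and not Azure's own code. A constructed inventory of zones, VNet links, A records and custom DNS servers is run through the same resolution rules Azure DNS applies, so you can see which VNets get the private IP and which fall through to public DNS. Every name and IP is made up, the `Inventory` and `CustomDns` structures are assumptions for the example, and 203.0.113.10 stands in for the service's public address.

```python
"""Offline model of the Private Endpoint DNS checklist (constructed example).
Zones, links, records and DNS servers below are made up; the resolution rules
mirror how Azure DNS treats a private zone that is or is not linked to the asking VNet."""
from dataclasses import dataclass, field

AZURE_DNS = "168.63.129.16"  # Azure-provided resolver; reachable only from inside a VNet

# Public suffix -> private DNS zone that must exist and be linked to the client VNet.
PRIVATE_ZONES = {
    "database.windows.net": "privatelink.database.windows.net",    # Azure SQL
    "blob.core.windows.net": "privatelink.blob.core.windows.net",  # Storage Blob
    "vault.azure.net": "privatelink.vaultcore.azure.net",          # Key Vault
}

@dataclass
class CustomDns:
    """A spoke's custom DNS server: the VNet it runs in and its conditional forwarders."""
    forwarder_vnet: str
    conditional: dict[str, str] = field(default_factory=dict)  # zone -> upstream server

@dataclass
class Inventory:
    zones: dict[str, dict[str, str]]  # zone -> {record label: A record IP}
    links: dict[str, set[str]]        # zone -> VNets linked to it
    pe_nic_ip: dict[str, str]         # fqdn -> private endpoint NIC IP
    public_ip: dict[str, str]         # fqdn -> what public DNS returns
    custom_dns: dict[str, CustomDns] = field(default_factory=dict)  # VNet -> custom DNS; absent = Azure DNS

def split_fqdn(fqdn):
    """'sql01.database.windows.net' -> ('sql01', 'privatelink.database.windows.net')."""
    for suffix, zone in PRIVATE_ZONES.items():
        if fqdn.endswith("." + suffix):
            return fqdn[: -len(suffix) - 1], zone
    raise ValueError(f"no private DNS zone mapping for {fqdn}")

def asking_vnet_for(client_vnet, zone, inv):
    """Return (VNet whose NIC actually queries Azure DNS, bad upstream or None).
    With custom DNS, Azure DNS sees the forwarder's NIC, so the forwarder's VNet needs the link."""
    dns = inv.custom_dns.get(client_vnet)
    if dns is None:
        return client_vnet, None
    upstream = dns.conditional.get(zone)
    return dns.forwarder_vnet, (None if upstream == AZURE_DNS else upstream or "its default upstream")

def resolve(fqdn, client_vnet, inv):
    """Model the recursive path: public DNS CNAMEs fqdn to <label>.<zone>; Azure DNS answers
    that name from the private zone only if it is linked to the asking VNet, otherwise it
    recurses to the internet and hands back the public IP. Returns (ip, explanation)."""
    label, zone = split_fqdn(fqdn)
    vnet, bad_upstream = asking_vnet_for(client_vnet, zone, inv)
    if bad_upstream is not None:
        return inv.public_ip[fqdn], f"{client_vnet} forwards {zone} to {bad_upstream}, not {AZURE_DNS}"
    if vnet not in inv.links.get(zone, set()):
        return inv.public_ip[fqdn], f"{zone} not linked to {vnet}; query fell through to public DNS"
    ip = inv.zones.get(zone, {}).get(label)
    if ip is None:
        return None, f"{label} has no A record in {zone} (NXDOMAIN, no public fallback)"
    return ip, f"answered from {zone} through the link on {vnet}"

def check(fqdn, client_vnet, inv):
    """Run the checklist; each finding is '<check>: <problem>; <remediation>'."""
    label, zone = split_fqdn(fqdn)
    findings = []
    vnet, bad_upstream = asking_vnet_for(client_vnet, zone, inv)
    if bad_upstream is not None:
        findings.append(f"forwarder: {client_vnet} sends {zone} to {bad_upstream}; "
                        f"add a conditional forwarder {zone} -> {AZURE_DNS}")
    if zone not in inv.zones:
        findings.append(f"zone: {zone} does not exist; create it and link it to {vnet}")
        return findings
    if vnet not in inv.links.get(zone, set()):
        findings.append(f"link: {zone} is not linked to {vnet}; add a virtual network link")
    expected, actual = inv.pe_nic_ip[fqdn], inv.zones[zone].get(label)
    if actual is None:
        findings.append(f"record: {label} has no A record in {zone}; "
                        f"add a DNS zone group on the endpoint or an A record -> {expected}")
    elif actual != expected:
        findings.append(f"record: {label} -> {actual} but the endpoint NIC is {expected}; fix the stale record")
    return findings

# Constructed inventory: zone linked to hub and spoke-1 only; spoke-3 forwards correctly
# to Azure DNS via the hub, spoke-4 forwards to an on-prem server instead.
SQL_FQDN = "sql01.database.windows.net"
INVENTORY = Inventory(
    zones={"privatelink.database.windows.net": {"sql01": "10.1.2.4"}},
    links={"privatelink.database.windows.net": {"hub", "spoke-1"}},
    pe_nic_ip={SQL_FQDN: "10.1.2.4"},
    public_ip={SQL_FQDN: "203.0.113.10"},  # placeholder public IP (TEST-NET-3)
    custom_dns={
        "spoke-3": CustomDns("hub", {"privatelink.database.windows.net": AZURE_DNS}),
        "spoke-4": CustomDns("hub", {"privatelink.database.windows.net": "10.200.0.53"}),
    },
)

if __name__ == "__main__":
    for vnet in ("spoke-1", "spoke-2", "spoke-3", "spoke-4"):
        ip, why = resolve(SQL_FQDN, vnet, INVENTORY)
        print(f"{vnet}: {SQL_FQDN} -> {ip} ({why})")
        for finding in check(SQL_FQDN, vnet, INVENTORY):
            print(f"    {finding}")
```

Running it shows spoke-1 and spoke-3 getting 10.1.2.4 with no findings, spoke-2 getting the public IP with a missing-link finding, and spoke-4 getting the public IP with a forwarder finding even though the hub it forwards through is linked. The point the model makes explicit is that with custom DNS the VNet that needs the zone link is the forwarder's, not the client's, and that a forwarder aimed anywhere other than 168.63.129.16 never reaches the private zone at all.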
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.