Why is DNS configuration critical for Private Endpoints?

When you create a Private Endpoint, clients must resolve the service's FQDN to the private IP address instead of the public IP. Without proper DNS configuration (typically via Azure Private DNS Zones), clients will continue resolving to the public endpoint, bypassing the Private Endpoint entirely.

What private DNS zone name does each service use?

Each Azure service has a specific private DNS zone name. For example, Azure SQL uses privatelink.database.windows.net, Blob Storage uses privatelink.blob.core.windows.net, and Key Vault uses privatelink.vaultcore.azure.net. The checker provides the correct zone name for each supported service.

How do Private Endpoints work in hub-and-spoke networks?

In hub-and-spoke topologies, private DNS zones are typically linked to the hub VNet where centralized DNS resolution occurs. Spoke VNets forward DNS queries to the hub (via Azure DNS Private Resolver or custom DNS), which resolves Private Endpoint addresses. This centralizes DNS management across all spokes.

Azure Private Endpoint Checker

NetworkingAzure

Check Private Endpoint DNS and networking requirements for Azure services.

Search Azure Services

20 services available

Raw JSON

Output will appear here...

About This Tool

The Azure Private Endpoint Checker validates DNS and networking requirements for Azure Private Endpoints across supported services. Private Endpoints bring Azure PaaS services into your VNet via a private IP address, but require specific DNS configuration to work correctly. This tool checks which DNS zones are needed, validates private DNS zone linkage, and ensures your configuration will resolve correctly.

When to Use This Tool

•Verifying that all required private DNS zones are created and linked before deploying a Private Endpoint for Azure SQL.
•Troubleshooting DNS resolution failures where clients resolve public IPs instead of private endpoint IPs.
•Planning private DNS zone architecture for hub-and-spoke VNet topologies with centralized DNS.
•Documenting Private Endpoint DNS requirements for compliance and architecture review documentation.

Frequently Asked Questions

Why is DNS configuration critical for Private Endpoints?: When you create a Private Endpoint, clients must resolve the service's FQDN to the private IP address instead of the public IP. Without proper DNS configuration (typically via Azure Private DNS Zones), clients will continue resolving to the public endpoint, bypassing the Private Endpoint entirely.
What private DNS zone name does each service use?: Each Azure service has a specific private DNS zone name. For example, Azure SQL uses privatelink.database.windows.net, Blob Storage uses privatelink.blob.core.windows.net, and Key Vault uses privatelink.vaultcore.azure.net. The checker provides the correct zone name for each supported service.
How do Private Endpoints work in hub-and-spoke networks?: In hub-and-spoke topologies, private DNS zones are typically linked to the hub VNet where centralized DNS resolution occurs. Spoke VNets forward DNS queries to the hub (via Azure DNS Private Resolver or custom DNS), which resolves Private Endpoint addresses. This centralizes DNS management across all spokes.

Related Learning Guides

Azure Networking Deep Dive30 min read
Virtual Network Architecture28 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.