Integrate private endpoint with Domain Name Service

What is Azure Private Link Service?

Private Link gives you private access from your Azure virtual network to PaaS services and Microsoft Partner services in Azure. But, what if your company has its own Azure services? Is it possible to offer those customers a private connection to your company's services?

Yes, by using Azure Private Link Service. This service lets you offer Private Link connections to your custom Azure services. Consumers of your custom services can then access those services privately—that is, without using the internet—from their own Azure virtual networks.

Azure Private Link service is the reference to your own service that is powered by Azure Private Link. Your service that is running behind Azure standard load balancer can be enabled for Private Link access so that consumers to your service can access it privately from their own VNets. Your customers can create a private endpoint inside their VNet and map it to this service. A Private Link service receives connections from multiple private endpoints. A private endpoint connects to one Private Link service.

Private link and DNS integration for hub-spoke networks

The following diagram shows a typical high-level architecture for enterprise environments with central DNS resolution. The network architecture is hub-spoke network with Private Link resources and Azure Private DNS.

In the previous diagram, it's important to highlight:

1. All Azure virtual networks use the DNS private resolver that is hosted in the hub virtual network.
2. On-premises DNS servers have conditional forwarders configured for each private endpoint public DNS zone, pointing to the DNS private resolver hosted in the hub virtual network.
3. The DNS private resolver hosted in the hub virtual network uses the Azure-provided DNS (168.63.129.16) as a forwarder. IP address 168.63.129.16 is a virtual public IP address that facilitates a communication channel to Azure platform resources.
4. The hub virtual network must be linked to the Private DNS zone names for Azure services, such as privatelink.blob.core.windows.net, as shown in the diagram.

What is Azure DNS Private Resolver

Azure DNS Private Resolver enables you to query Azure DNS on-premises private zones without deploying VM based DNS servers. When you use DNS Private Resolver, you don't need a DNS forwarder, and Azure DNS is able to resolve on-premises ___domain names.