Good day, I got a couple of setups looking like this: An Application Gateway ( WAF V2 or Standard V2 ) is placed in a VNET configured with custom DNS servers (They were restarted after the last change in this DNS servers list, so they are updated). These custom DNS servers are used to resolve addresses of Private Endpoints - for App Services and for static websites on Storage Accounts - and they resolve them successfully: appservicename.azurewebsites.net ==> appservicename.privatelink.azurewebsites.net ==> private IP staticsitename.z6.web.core.windows.net ==> staticsitename.privatelink.web.core.windows.net ==> private IP Private Endpoints of both these types are defined as backend pools of Application Gateways. The Application Gateways work perfectly well with Private Endpoints of App Services. If I capture traffic on the DNS servers, I can see queries for these App Services names sent after the App Gateways are started. These names are resolved, health probes succeed and traffic is forwarded to these App Services. All's fine. However , the App Gateways don't even try to resolve names of Private Endpoints of Storage Accounts (for blob service or for static website service). I don't see any queries about their names arriving to our custom DNS servers. These names are resolved to their public IPs, and App Gateways reach these backends via another route - by Service Endpoints. So the App Gateways' subnet must be listed as allowed at the Firewalls and virtual networks page of these Storage Accounts, otherwise the health probes fail with error 404 (Private Endpoints shouldn't be affected by these settings). I made an experiment: a.) defined a Private DNS Zone for these Private Endpoints privatelink.web.core.windows.net and added to it relevant records resolving to private IPs; b.) bound it to the VNET where an Application Gateway resides; c.) stopped & started the Application Gateway; Only after that the App Gateway resolved the staticsitename.z6.web.core.windows.net record to its Private Endpoint IP and was able to reach the Storage Account regardless of its Firewalls and virtual networks page settings. So as I understand: Application Gateway uses custom DNS servers assigned to its VNET to resolve most of its backend servers FQDNs. However, for some of them (like Storage Accounts names under the windows.net domain) it uses the Azure built-in DNS service ( 168.63.129.16 ), ignoring custom DNS. So the only way to make an App Gateway resolve correctly addresses of Private Endpoints for Storage Accounts (and possibly other PaaS resources) is to attach a Private DNS Zone to its VNET, making the built-in Azure DNS service to read records from this Zone. I didn't find anything like this in documentation . Questions: Is this correct? If it is, what's the logic behind this way of splitting DNS queries? Is there any way to disable it? Thanks, Mucius.

@Cat Mucius Your observations are correct; we pin a subset of FQDNs to always utilize Azure DNS (168.63.129.16 address). This is as per design due to Azure's internal architecture. As a workaround, customers can associate the privatelink DNS zone to the virtual network, regardless if they are utilizing custom DNS servers on the Vnet or not. This experience will be improved in an upcoming feature, targeted for the back half of this year. Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you! Remember: Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how . Want a reminder to come back and check responses? Here is how to subscribe to a notification.

@Cat Mucius Whether it is App Service or Storage, private endpoint name resolution for Private Link resources can be done via Azure Private DNS or your DNS forwarder that forwards DNS queries to the recursive resolvers in Azure provided via the virtual IP 168.63.129.16 . Please go through some of the best practices provided in the below link https://zcusa.951200.xyz/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures You can create private dns zones for the private link resources. The DNS Server Vnet can be linked to the private DNS Zones. The DNS servers use the Azure-provided DNS resolver (168.63.129.16) as a forwarder. All workload VNets can use the DNS servers hosted as the primary and secondary DNS servers.

Also do not forget to enable NETWORK POLICY FOR PRIVATE ENDPOINTS. Even if you have dns resolution working, Without the network policy, route tables to private endpoints are ignored.

Azure Application Gateways do not resolve Private Endpoints of storage accounts via custom DNS servers

Cat Mucius 91

Good day,

I got a couple of setups looking like this:

An Application Gateway ( WAF V2 or Standard V2) is placed in a VNET configured with custom DNS servers (They were restarted after the last change in this DNS servers list, so they are updated).
These custom DNS servers are used to resolve addresses of Private Endpoints - for App Services and for static websites on Storage Accounts - and they resolve them successfully:
appservicename.azurewebsites.net ==> appservicename.privatelink.azurewebsites.net ==> private IP
staticsitename.z6.web.core.windows.net ==> staticsitename.privatelink.web.core.windows.net ==> private IP
Private Endpoints of both these types are defined as backend pools of Application Gateways.
The Application Gateways work perfectly well with Private Endpoints of App Services. If I capture traffic on the DNS servers, I can see queries for these App Services names sent after the App Gateways are started. These names are resolved, health probes succeed and traffic is forwarded to these App Services. All's fine.
However, the App Gateways don't even try to resolve names of Private Endpoints of Storage Accounts (for blob service or for static website service). I don't see any queries about their names arriving to our custom DNS servers. These names are resolved to their public IPs, and App Gateways reach these backends via another route - by Service Endpoints. So the App Gateways' subnet must be listed as allowed at the Firewalls and virtual networks page of these Storage Accounts, otherwise the health probes fail with error 404 (Private Endpoints shouldn't be affected by these settings).
I made an experiment:
a.) defined a Private DNS Zone for these Private Endpoints privatelink.web.core.windows.net and added to it relevant records resolving to private IPs;
b.) bound it to the VNET where an Application Gateway resides;
c.) stopped & started the Application Gateway;

Only after that the App Gateway resolved the staticsitename.z6.web.core.windows.net record to its Private Endpoint IP and was able to reach the Storage Account regardless of its Firewalls and virtual networks page settings.

So as I understand:

Application Gateway uses custom DNS servers assigned to its VNET to resolve most of its backend servers FQDNs.
However, for some of them (like Storage Accounts names under the windows.net domain) it uses the Azure built-in DNS service (168.63.129.16), ignoring custom DNS.
So the only way to make an App Gateway resolve correctly addresses of Private Endpoints for Storage Accounts (and possibly other PaaS resources) is to attach a Private DNS Zone to its VNET, making the built-in Azure DNS service to read records from this Zone.

I didn't find anything like this in documentation.

Questions:

Is this correct?
If it is, what's the logic behind this way of splitting DNS queries? Is there any way to disable it?

Thanks,
Mucius.

Cat Mucius 91 Reputation points

2022-02-01T23:14:19.99+00:00
Yes, I know the architecture.
Moreover, as I mentioned, I tried binding a Private DNS Zone directly to the VNET hosting my Application Gateway - and it worked, the Storage Account's endpoint got resolved to its private IP.

My question is:

Why on earth would Application Gateway send some queries to my DNS forwarders configured for its VNET - and other queries to Azure DNS resolver 168.63.129.16? Usually a DNS client would send all queries to the same set of resolvers, regardless of a queried domain.

In what other cases would it do this? What is the guiding principle?

Unfortunately, this is not documented anywhere. I opened a ticket regarding the documentation - https://github.com/MicrosoftDocs/azure-docs/issues/87157 - but it seems nobody reacts to it.

Regards,
@Cat Mucius .
Vidya Narasimhan 2,126 Reputation points Microsoft Employee

2022-02-03T16:48:51.937+00:00

@Cat Mucius ideally in both scenarios the queries should go to your custom DNS servers. Have you tried disabling the public network for Storage? If yes, what do you observe then?
Cat Mucius 91 Reputation points

2022-02-08T20:40:36.03+00:00

Technically, when the App Gateway resolved the DNS name of the Storage Account's service to a public IP, it used "Service Endpoint" to reach the Storage Account (the Microsoft.Storage Service Endpoint is assigned to the subnet where the App Gateway is deployed). So it's not exactly "public access".

Anyway, if I block any way to access the Storage Account except by the Private Endpoint (remove all public IPs and all VNETs & subnets from its Firewalls and virtual networks page) - then the requests forwarded via the App Gateway fail with error 404 The requested content does not exist (since the Gateway didn't resolve its DNS name to the private IP at all).

Do you have any idea why some queries from App Gateways go to custom DNS servers, and some - to Azure native DNS? Can you ask relevant engineers in what other cases this can happen?

Thanks,
@Cat Mucius .
Vidya Narasimhan 2,126 Reputation points Microsoft Employee

2022-02-10T19:45:54.943+00:00

@Cat Mucius As mentioned earler, all the DNS queries should pass through your custom DNS if the private DNS Zone is set up properly and your custom DNS is setup to forward those queries to 168.63.129.16 (Azure DNS IP) whether it is App Service or Storage.

Please investigate your DNS forwarder settings for the issue.

Thanks!
Cat Mucius 91 Reputation points

2022-02-15T02:16:02.057+00:00

Again, the problem is not how my custom DNS servers are configured (and they are configured okay, they use 168.63.129.16 as their forwarder and they can resolve the Private DNS Zones records).

The problem is that Application Gateways go directly to the 168.63.129.16 resolver for the z6.web.core.windows.net records, bypassing and ignoring my custom DNS servers - while happily using them for other records, such as the azurewebsites.net records.

Can you please ask the team responsible for the development of Application Gateway product, what's the reason for this and in which cases can this happen?

Thanks,
@Cat Mucius .
SaiKishor-MSFT 17,321 Reputation points

2022-02-18T17:36:55.463+00:00

@Cat Mucius Please allow me to reach out to our internal team regarding this and get back to you with more details as soon as possible. Thank you!

Accepted answer

SaiKishor-MSFT 17,321 Reputation points

2022-02-18T19:20:06.683+00:00

@Cat Mucius

Your observations are correct; we pin a subset of FQDNs to always utilize Azure DNS (168.63.129.16 address). This is as per design due to Azure's internal architecture. As a workaround, customers can associate the privatelink DNS zone to the virtual network, regardless if they are utilizing custom DNS servers on the Vnet or not. This experience will be improved in an upcoming feature, targeted for the back half of this year. Hope this helps.

Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.
Please sign in to rate this answer.

1 person found this answer helpful.
Cat Mucius 91 Reputation points

2022-02-20T09:04:54.76+00:00

Thank you!
Do you know what exact FQDNs belong to this subset? Except z6.web.core.windows.net?

Jack Stromberg 21 Reputation points Microsoft Employee

2022-02-25T20:58:53.223+00:00

Hey @Cat Mucius ,

Thank you for reaching out and apologies for the confusion/frustration with this experience.

I'm one of the PMs from the Application Gateway engineering team. In our next update, name resolution for private link endpoints will honor the DNS configuration applied to the virtual network that Application Gateway is deployed in. In the interim, for any endpoint that application gateway sends traffic to, with a *.privatelink address, you will need to have an Azure Private DNS zone associated to the VNet with the proper records. I will update this thread once the change is live and the private dns zone is no longer required.

Thank you for your patience on this one!
-Jack

Jack Stromberg 21 Reputation points Microsoft Employee

2022-04-06T20:14:41.693+00:00

Hello team --

Just wanted to close out this thread that private link dns resolutions should now honor custom dns configuration on your virtual network.

Cheers!
Jack

Josh Taylor 1 Reputation point

2022-12-14T00:52:44.64+00:00

Is this actually in production at this point? I just spent more time that I care to admit troubleshooting why a new WAFv2 Application Gateway could not get its certs (trusted root certs and cert for front end listener) from the Key Vault. It turns out it was this exact issue. Custom DNS server that has private DNS zones linked to the DNS server's vnet. Resolution from everything but the Application Gateway returned the proper private address for the key vault. Directly linking the private DSN zone to the vnet of the Application Gateway (plus a gateway stop/start) fixed the issue.

Jack Stromberg 21 Reputation points Microsoft Employee

2022-12-14T03:46:52.667+00:00

Yes, the change was rolled out, which enables backend pool targets to resolve privatelink FQDNs without the private zone attached. For key vault references for listeners, you still require the non-private link FQDN, which unfortunately will require association of the zone. This has been explicitly documented in our Key Vault docs page: https://zcusa.951200.xyz/azure/application-gateway/key-vault-certs#verify-firewall-permissions-to-key-vault

In 2023, we will be releasing new functionality to Application Gateway, which includes a feature change in how DNS resolution is honored. The change will fully honor custom DNS servers defined on the vnet, eliminating the need for the private DNS zone to be applied. In other words, the hub/spoke model where the custom DNS resolvers reside in the hub and the gateway resides in a spoke pointing to the resolver in the hub, will be fully supported and resolve requests via the custom resolver as expected. I don't have a specific ETA to share at this time, but can confirm the work is well underway.

Jack

Philip Street 0 Reputation points

2023-04-05T17:12:40.14+00:00

Would the "new feature" you mentioned be DNS Private Resolver? Update: ignore this as I hadn't spotted the reply that contained the answer to my question.

Diaz, Anthony 0 Reputation points

2023-10-20T21:15:17.11+00:00

@Jack Stromberg do have an update ETA on when this functionality will be rolled out in 2023? My org. is running into the same issue.

Eddy Vera 0 Reputation points

2024-12-31T13:08:04.79+00:00

@JACK STROMBERG Also, interested in the ETA on this (it's almost 2025 now), why is the App gateway the only resource not honouring the custom DNS server? And it is also badly documented, should be documented on the Gateway side also, not just on the Key vault side. The Private resolver Centralised architecture as described by you (Microsoft), does not work with App Gateway: https://zcusa.951200.xyz/en-us/azure/dns/private-resolver-architecture#centralized-dns-architecture
If the App GW is in a spoke (which is at 1 of our customers, I know that is another discussion), then a custom DNS inbound endpoint IP to the Private resolver is not enough for App Gateway, but for other resources it does work perfectly. We now also, have to add a direct VNET link between the VNET of the AGW and the Private DNS Zone of the (Key)Vault.

Jack Stromberg 21 Reputation points Microsoft Employee

2024-12-31T15:10:33.13+00:00

Full honoring of a custom DNS zone is available in this public preview: https://zcusa.951200.xyz/azure/application-gateway/application-gateway-private-deployment?tabs=portal

Although the feature release is primarily targeting private deployments of Application Gateway, you can still configure a public facing frontend and retain the DNS functionality if desired. General availability is planned next calendar year (I don't have more specifics to share publicly).

Jack Stromberg 21 Reputation points Microsoft Employee

2024-12-31T15:13:41.7733333+00:00

Full honoring of your custom DNS resolver is included in this public preview feature release: https://zcusa.951200.xyz/azure/application-gateway/application-gateway-private-deployment?tabs=portal

Although the feature is primarily targeting private Application Gateway deployments, it introduces feature changes that can also be used when your intent is a public frontend. GA is tentatively planned for next calendar year, however I do not have more specifics to share publicly at this time.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

2 additional answers

Vidya Narasimhan 2,126 Reputation points Microsoft Employee

2022-01-30T15:16:46.74+00:00

@Cat Mucius Whether it is App Service or Storage, private endpoint name resolution for Private Link resources can be done via Azure Private DNS or your DNS forwarder that forwards DNS queries to the recursive resolvers in Azure provided via the virtual IP 168.63.129.16 .
Please go through some of the best practices provided in the below link
https://zcusa.951200.xyz/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale#private-link-and-dns-integration-in-hub-and-spoke-network-architectures
You can create private dns zones for the private link resources. The DNS Server Vnet can be linked to the private DNS Zones. The DNS servers use the Azure-provided DNS resolver (168.63.129.16) as a forwarder. All workload VNets can use the DNS servers hosted as the primary and secondary DNS servers.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Jeroen Bonsel 6 Reputation points

2022-11-07T10:02:19.28+00:00

Also do not forget to enable NETWORK POLICY FOR PRIVATE ENDPOINTS.
Even if you have dns resolution working, Without the network policy, route tables to private endpoints are ignored.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure Application Gateways do not resolve Private Endpoints of storage accounts via custom DNS servers

2 additional answers

Your answer