Azure Private DNS Zone get automatically deleted

Apurva Pathak 360

Hi all,

We've deployed a centralized Azure Private DNS Zone in our environment to get the IPs of Private Endpoints (mostly) resolved (we use on Prem DNS servers for all other resources such as VMs etc.) and are slowly moving all our Private Endpoints DNS Zones from the local to the centralized one. But we have noticed a bizarre behavior in some cases where in, if we are changing our DNS zone integration of private endpoints from local to that subscription to the centralized one, the entries in the local private zones get automatically deleted by 'Azure Traffic Manager and DNS' initiator (pasting a snip below).

User's image

Could you please help me understand, if this is an expected behavior, if yes, why. Is it possible to change this behavior. Any reference link would be highly appreciated.

Thanks in advance!

KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-09-05T10:11:03.24+00:00
@Apurva Pathak

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that the Private DNS Zones, when unlinked from a Private EndPoint , automatically removes the record in the Private DNS Zone.

Let's call the local subscription as "LocalDNSZone" and centralized one as "CentralDNSZone".

I believe this is an expected behavior, and currently we cannot over ride this.

However, if you want to keep the record intact, may I ask why you would remove the LocalDNSZone from the Private endpoint?

You must make use of the Private DNS zone group.

A PE can have one DNS Zone group

Each DNS zone group can support up to 5 DNS zones.

Please let us know if you have any queries on this.

Thanks,

Kapil
Apurva Pathak 360 Reputation points

2023-09-05T13:20:51+00:00

Thanks for clarifying, Kapil!

Could you please why the records get removed automatically from the LocalDNSZone when we remove the DNS Group configuration from the Private Endpoint. Because let's say at some point of time, if I want to use the LocalDNSZone that won't be possible.
KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-09-05T13:43:36.47+00:00
@Apurva Pathak

You are welcome.

When you delete the configuration in the Private EndPoint, you are actually:

deleting the configuration in the DNS Zone group of the PE (removing the link between the Zone and the PE)

and also the record in the Private DNS Zone.

This is how the platform works, at least, currently, that's the behavior.

I understand your concern that you might want to use a LocalDNSZone in the future,

It is possible if you add the configuration in the PE to use/include this LocalDNSZone in it's Zone group

The record should be recreated once you set up the link

But frankly, I doubt that scenario would arrive, atleast, wrt disaster recovery or high availability.

Because Private DNS Zones are highly available and are not bound to any region.

So, your CentralDNSZone is always available for resolution as long the VNET is linked to it.

However, I do understand there might be other factors leading to the requirement of using a LocalDNSZone.

You can leave the LocalDNSZone intact and thus the record never gets deleted by the platform.

If the above is not feasible, I am afraid we have to manually update the records in the LocalDNSZone.

I shall check internally if this behavior can be overridden but I doubt that will be the case.

Cheers,

Kapil.
Apurva Pathak 360 Reputation points

2023-09-05T13:57:07.85+00:00

Thanks clarifying this, Kapil!

But, we cannot keep both the zones at the same time. Pasting a snip for that reference:
KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-09-05T14:30:24.97+00:00
@Apurva Pathak

Looks like a portal validation error.

I was able to do this via Azure CLI .

However, I noticed that while link was successfully created, CentralDNSZone did not get updated with DNS entries.

Reference : https://video2.skills-academy.com/en-us/cli/azure/network/private-endpoint/dns-zone-group?view=azure-cli-latest

az network private-endpoint dns-zone-group add --endpoint-name <YourPeName> -g <YourPeRgName> -n <YourPeZoneGroupName> --zone-name <NameYouWantToGiveToTheCentralDnsZone> --private-dns-zone <ResourceIdOfCentralDnsZone>

Wrt Portal, the fields are

YourPeZoneGroupName = DNS Zone group

this should be "default" for your case

NameYouWantToGiveToTheCentralDnsZone = Configuration name

I have reached out to the internal teams regarding the DNS record not getting updated automatically post linking.

I shall share their updates once I receive them.

Meanwhile, you can go ahead and link the DNS Zone, and manually update the DNS Zone record in the Parent DNS Zone.

Apologies for the inconvenience.

Feel free to let me know should there be any queries

Cheers,

Kapil :)
Apurva Pathak 360 Reputation points

2023-09-05T15:51:17.0133333+00:00

@KapilAnanth-MSFT

Thanks for sharing this, but I face this issue with every PE. Every time, I try to integrate PE with CentralDNSZone, it shows this error. And, when I remove the LocalDNSZone it works fine.

However, if I try to integrate a different DNSZone other than the existing one for e.g., notebooks.azure.net (existing LocalDNSZone) and notebooks.azure.net (existing Local/CentralDNSZone ) both in PE for Azure Machine Learning service, it works fine with no issues.

So, what I think is that same PE may not be configured with two same DNSZones, please do correct me if I am wrong.
KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-09-05T16:04:27.5166667+00:00
@Apurva Pathak

"but I face this issue with every PE. Every time, I try to integrate PE with CentralDNSZone, it shows this error. And, when I remove the LocalDNSZone it works fine."

Exactly

However, this is because of Portal Validation error, not because the resource cannot support it.

I was able to do this using CLI, see below:

Please use the CLI command I shared above to link multiple zones with same name to a PE.

Cheers,

Kapil
Apurva Pathak 360 Reputation points

2023-09-05T16:10:20.89+00:00

@KapilAnanth-MSFT

Thanks a lot for clarifying!

Is it not possible to change 'DNS Zone group' from portal while adding the new zone? I did try this but no luck.
Apurva Pathak 360 Reputation points

2023-09-06T12:32:35.14+00:00

@KapilAnanth-MSFT

I am unable to accept you comments as answer, could you please reply in as an ansswer.

Also, any help with below error would be appreciated:
KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-09-06T13:13:24.1133333+00:00
@Apurva Pathak

Apologies for the delay.

A PE can have only one DNS Zone group

Each DNS zone group can support up to 5 DNS zones in it.

I shall summarize our discussion and post it as an answer.

Kindly Accept the answer, as this can be beneficial to other community members and close this thread.

Cheers,

Kapil.
Ceci Ivanov 25 Reputation points

2023-11-10T10:18:40.4966667+00:00

Hello, i have a similar case scenario in which,
there was a client who had centralized private dns zone (but i am not sure of how exactly it was implemented) in which they had a private dns zone for keyvault with a record for specific keyvault which resides in northeurope. I added a private endpoint in westeurope linked to the same dns zone for DR but when i added it i think it overwrited the record (i didn't have access to look at it but when i was resolving it with nslookup i got the new one private endpoint). After that because i didn't want to keep it that way i deleted from portal the new private endpoint (westeurope). Normally it had to delete the whole record in the private dns zone leaving orphan the old private endpoint with no actual record of it's ip in the private dns zone (i made a simillar environment and it had the exact behaviour and the interesting part was what i could still see the dns configuration from the portal of the private endpoint showing that it has one with the correct IP, but in the private dns zone there was no record and i could not actualy resolve from northeurope the keyvault as i had at starters).

But, i did not get that behaviour as expected because the old record was still there and i could still resolve the keyvault from the northeurope private endpoint as the begining. Does anyone has an idea of how the record was kept.. because it's an environment i don't have access and can't find how it's implemented. The only possible scenario i think of is some kind of policy ? or some how that when i added the new private endpoint it didn't overwrited the record but added a new one with the same name?

I also know that they don't have some kind of deployifnotexists policy.

Thank you!
KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-11-10T14:10:51.83+00:00
Ceci Ivanov

Your environment is not clear.

When you create a new private endpoint and use the same Private DNS Zone,

You would have created a new PaaS service

This would have a different name.

So, linking this new PaaS service's Private EndPoint will not overwrite the old PaaS service's Private EndPoint, as they will have different names.

In this case, you should be able to resolve both the Private EndPoint IPs from the same Private DNS Zone.

Cheers,

Kapil
Ceci Ivanov 25 Reputation points

2023-11-10T14:44:20.8033333+00:00

What do you mean by new Pass Service why so? I have tried it myself if I create private endpoint for the same Service (resource id) aka the key vault, with the same Private DNS zone, it goes and overwrite the record
What am I missing ?
Ceci Ivanov 25 Reputation points

2023-11-10T14:51:08.2266667+00:00

the private endpoint have different name but the fqdn of the keyvault is the same
and i want to resolve the same fqdn. I know that it's not the right thing to have 2 private endpoints for same private dns zone because it would have conflict but in that case i wanted just to have the private endpoint and try it in case of failover.

But in my environment it actualy did overwrite the record and when i deleted the private endpoint it deleted the record too
KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-11-12T06:17:53.22+00:00
Ceci Ivanov ,

Since you mentioned the resource was created in a different region,

"I added a private endpoint in westeurope linked to the same dns zone for DR" - I thought you were using a new PaaS Service altogether.

Now, for the same PaaS service with two PEs and one Private DNS Zone,

Creating first PE will add it's IP to the Private DNS Zone.

Creating second PE will overwrite the first PE's IP to the second PE's IP in Private DNS Zone.

Deleting the second PE will delete the record of the second PE's IP in Private DNS Zone.

Finally, the first PE's IP will not be automatically updated. This is an expected behavior.

Now, should you require the zone to get updated,

You have to manually add the first PE record to the Private DNS Zone

or

Delete the Private DNS Zone group.

And readd the Private DNS Zone group with the Private DNS Zone.

Default one:

Adding a new one after deleting the above:

This will update the Zone with the IP of the Private EndPoint.

Thanks,

Kapil

Accepted answer

KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-09-06T13:11:45.6766667+00:00
@Apurva Pathak

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that the Private DNS Zones, when unlinked from a Private EndPoint , automatically removes the record in the Private DNS Zone.

Let's call the local subscription as "LocalDNSZone" and centralized one as "CentralDNSZone".

I believe this is an expected behavior, and currently we cannot over ride this.

I checked internally and the recommendation was to use the "CentralDNSZone" across every VNET as Private DNS Zone is a highly available resource and is not tied to any region.

For some management reason, if you want to keep the record intact,

You must manually add the record to the "LocalDNSZone"

Additionally, you can add this Private DNS Zone to the default Private DNS Group and keep it handy.

However, only the first DNS Zone in a Zone group will have the records automatically updated. (CentralDNSZone)

In case you remove the "CentralDNSZone" from the DNS Zone Group, the next DNS Zone, "LocalDNSZone" will automatically get updated with the PE's IP and A records.

Currently, we must rely on CLI to update these DNS Zone groups.

Reference : https://video2.skills-academy.com/en-us/cli/azure/network/private-endpoint/dns-zone-group?view=azure-cli-latest

To address your query, "Is it not possible to change 'DNS Zone group' from portal while adding the new zone?"

Please note that a PE can have only one DNS Zone group at an instant.

You cannot add a second one.

If you'd like to change this DNS Zone Group's name, you must delete this and recreate this with the custom name.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Azure Private DNS Zone get automatically deleted

0 additional answers