Azure VNet Name Resolution - Complete Guide
Overview
Name resolution in Azure Virtual Networks (VNets) is a critical component that enables resources to communicate using friendly names instead of IP addresses. Azure provides several DNS resolution options, each with specific use cases and traffic flow patterns.
Key Concepts:
- Azure-provided DNS: Default DNS service for basic name resolution
- Custom DNS: Your own DNS servers for advanced scenarios
- Azure DNS Private Zones: Managed DNS zones for private name resolution
- DNS Forwarders: Conditional forwarding for hybrid scenarios
Azure-provided DNS Architecture
graph TD
A[VM in VNet] -->|DNS Query| B[Azure DNS 168.63.129.16]
B -->|Resolve| C[Azure Internal DNS]
C -->|Return IP| B
B -->|Response| A
D[VM in Different VNet] -->|DNS Query| B
E[Internet Resource] -->|External Query| F[Public DNS]
B -->|Forward External| F
F -->|Response| B
B -->|Response| A
style A fill:#e1f5fe
style B fill:#ffecb3
style C fill:#f3e5f5
style D fill:#e8f5e8
style E fill:#fff3e0
style F fill:#fce4ec
Traffic Flow Explanation:
This diagram shows how Azure-provided DNS (168.63.129.16) handles name resolution. VMs send DNS queries to Azure's DNS service, which resolves internal Azure resources through the internal DNS system and forwards external queries to public DNS servers. The Azure DNS service acts as a recursive resolver, handling both internal Azure resource names and external internet domains.
Custom DNS Server Architecture
graph TD
A[VM in VNet] -->|DNS Query| B[Custom DNS Server]
B -->|Internal Query| C[Local DNS Records]
B -->|Forward to Azure| D[Azure DNS 168.63.129.16]
B -->|Forward External| E[Public DNS]
C -->|Response| B
D -->|Azure Resource Response| B
E -->|External Response| B
B -->|Final Response| A
F[VNet DNS Settings] -->|Points to| B
G[On-premises DNS] -->|Conditional Forward| B
B -->|Hybrid Queries| G
style A fill:#e1f5fe
style B fill:#ffab40
style C fill:#81c784
style D fill:#ffecb3
style E fill:#f48fb1
style F fill:#ce93d8
style G fill:#90caf9
Traffic Flow Explanation:
With custom DNS servers, VMs send queries to your designated DNS server first. The custom DNS server checks local records, forwards Azure-specific queries to Azure DNS (168.63.129.16), and handles external queries through public DNS or on-premises infrastructure. This setup enables hybrid scenarios where on-premises DNS can conditionally forward queries to Azure DNS servers.
Azure DNS Private Zones Architecture
graph TD
A[VM in VNet] -->|DNS Query| B[Azure DNS 168.63.129.16]
B -->|Check Private Zone| C[Azure DNS Private Zone]
C -->|Match Found| D[Private Zone Records]
D -->|Return Private IP| C
C -->|Response| B
B -->|Private Resolution| A
B -->|No Match| E[Public DNS/Azure DNS]
E -->|Public Resolution| B
F[VNet Link] -->|Associates| C
G[Auto-registration] -->|VM Records| C
style A fill:#e1f5fe
style B fill:#ffecb3
style C fill:#c8e6c9
style D fill:#dcedc8
style E fill:#f8bbd9
style F fill:#b39ddb
style G fill:#ffcdd2
Traffic Flow Explanation:
Azure DNS Private Zones provide authoritative DNS resolution for private domains. When a VM queries a name, Azure DNS first checks linked private zones. If a match is found, it returns the private IP address. If no match exists, the query proceeds to public DNS resolution. VNet links associate private zones with virtual networks, and auto-registration can automatically create DNS records for VMs.
Hybrid DNS Resolution Architecture
graph TD
A[On-premises VM] -->|DNS Query| B[On-premises DNS]
B -->|Azure Domain Query| C[DNS Forwarder in Azure]
C -->|Forward to Azure DNS| D[Azure DNS 168.63.129.16]
D -->|Azure Resolution| C
C -->|Response| B
B -->|Response| A
E[Azure VM] -->|DNS Query| F[Custom DNS in Azure]
F -->|On-premises Query| G[VPN/ExpressRoute]
G -->|Forward to On-premises| B
B -->|On-premises Resolution| G
G -->|Response| F
F -->|Response| E
H[Private DNS Zone] -->|Linked to VNet| F
I[Conditional Forwarder] -->|Routes specific domains| B
style A fill:#ffecb3
style B fill:#c8e6c9
style C fill:#e1f5fe
style D fill:#ffab40
style E fill:#e1f5fe
style F fill:#ffab40
style G fill:#f48fb1
style H fill:#dcedc8
style I fill:#ce93d8
Traffic Flow Explanation:
Hybrid DNS resolution enables seamless name resolution between on-premises and Azure environments. On-premises DNS servers use conditional forwarders to route Azure-specific queries to DNS forwarders in Azure, which then query Azure DNS. Similarly, Azure VMs can query on-premises resources through custom DNS servers that forward queries over VPN or ExpressRoute connections.
DNS Query Resolution Flow
sequenceDiagram
participant VM as Azure VM
participant DNS as DNS Server
participant PZ as Private Zone
participant AD as Azure DNS
participant PD as Public DNS
VM->>DNS: DNS Query (example.com)
DNS->>PZ: Check Private Zone
alt Private Zone Match
PZ->>DNS: Return Private IP
DNS->>VM: Private IP Response
else No Private Zone Match
DNS->>AD: Check Azure DNS
alt Azure Resource
AD->>DNS: Return Azure IP
DNS->>VM: Azure IP Response
else External Domain
AD->>PD: Forward Query
PD->>AD: Public IP Response
AD->>DNS: Public IP Response
DNS->>VM: Public IP Response
end
end
Sequence Flow Explanation:
This sequence diagram shows the complete DNS resolution process. When a VM makes a DNS query, it first checks private zones for matches. If found, it returns the private IP immediately. If not found, it checks Azure DNS for Azure resources or forwards to public DNS for external domains. This hierarchical approach ensures efficient resolution with proper priority handling.
Command Implementation Flow
graph LR
A[1. Create Resource Group] --> B[2. Create VNet]
B --> C[3. Create Subnet]
C --> D[4. Configure DNS Settings]
D --> E[5. Create Private DNS Zone]
E --> F[6. Link VNet to Private Zone]
F --> G[7. Create DNS Records]
G --> H[8. Create VMs]
H --> I[9. Configure Custom DNS]
I --> J[10. Test Resolution]
style A fill:#ffcdd2
style B fill:#f8bbd9
style C fill:#e1bee7
style D fill:#c5cae9
style E fill:#bbdefb
style F fill:#b2dfdb
style G fill:#c8e6c9
style H fill:#dcedc8
style I fill:#f0f4c3
style J fill:#fff9c4
Command Flow Explanation:
This diagram shows the logical order of Azure CLI commands needed to implement DNS resolution. Each step builds upon the previous one, starting with basic infrastructure (resource group, VNet, subnet), then configuring DNS components (private zones, links, records), and finally creating and configuring VMs with custom DNS settings.
Step-by-Step Implementation
Step 1: Create Resource Group
az group create \
--name myResourceGroup \
--location eastus
Parameters Explanation:
- --name: Name of the resource group (container for resources)
- --location: Azure region where resources will be created
Alternative Options:
- --tags: Add metadata tags (e.g., --tags environment=dev project=dns)
Command Flow Context:
This is the first command in the sequence. Resource groups are logical containers that hold related resources. All subsequent resources will be created within this group, making management and cleanup easier.
Step 2: Create Virtual Network
az network vnet create \
--resource-group myResourceGroup \
--name myVNet \
--address-prefix 10.0.0.0/16 \
--location eastus
Parameters Explanation:
- --resource-group: References the resource group created in step 1
- --name: Name of the virtual network
- --address-prefix: IP address range for the VNet (CIDR notation)
- --location: Must match the resource group location
Alternative Options:
- --dns-servers: Custom DNS servers (e.g., --dns-servers 10.0.0.4 10.0.0.5)
- --subnet-name: Create default subnet simultaneously
- --subnet-prefix: Address range for default subnet
Command Flow Context:
This is the second command in the sequence. The VNet provides the network foundation for all resources. The address prefix determines the IP range available for subnets and resources within this VNet.
Step 3: Create Subnet
az network vnet subnet create \
--resource-group myResourceGroup \
--vnet-name myVNet \
--name mySubnet \
--address-prefix 10.0.1.0/24
Parameters Explanation:
- --resource-group: References the resource group
- --vnet-name: References the VNet created in step 2
- --name: Name of the subnet
- --address-prefix: IP range for this subnet (must be within VNet range)
Alternative Options:
- --network-security-group: Associate NSG with subnet
- --route-table: Associate custom route table
- --service-endpoints: Enable service endpoints (e.g., Microsoft.Storage)
Command Flow Context:
This is the third command in the sequence. Subnets segment the VNet into smaller networks. Resources like VMs will be deployed into these subnets. The subnet address prefix must be a subset of the VNet address space.
Step 4: Create Private DNS Zone
az network private-dns zone create \
--resource-group myResourceGroup \
--name contoso.local
Parameters Explanation:
- --resource-group: References the resource group
- --name: Fully qualified domain name for the private zone
Alternative Options:
- --tags: Add metadata tags to the DNS zone
Best Practices:
- Use a domain that won't conflict with public DNS
- Common patterns: company.local, internal.company.com
- Avoid using public domain names you don't own
Command Flow Context:
This is the fourth command in the sequence. Private DNS zones provide authoritative DNS resolution for private domains. This zone will handle name resolution for the specified domain within linked VNets.
Step 5: Link VNet to Private DNS Zone
az network private-dns link vnet create \
--resource-group myResourceGroup \
--zone-name contoso.local \
--name myVNetLink \
--virtual-network myVNet \
--registration-enabled true
Parameters Explanation:
- --resource-group: References the resource group
- --zone-name: References the private DNS zone from step 4
- --name: Name for this VNet link
- --virtual-network: References the VNet from step 2
- --registration-enabled: Auto-register VM DNS records (true/false)
Alternative Options:
- --tags: Add metadata tags to the link
Command Flow Context:
This is the fifth command in the sequence. VNet links associate private DNS zones with virtual networks. With registration enabled, VMs created in the linked VNet will automatically have DNS records created in the private zone.
Step 6: Create DNS A Record
az network private-dns record-set a create \
--resource-group myResourceGroup \
--zone-name contoso.local \
--name webapp
az network private-dns record-set a add-record \
--resource-group myResourceGroup \
--zone-name contoso.local \
--record-set-name webapp \
--ipv4-address 10.0.1.10
Parameters Explanation:
- First command creates the record set:
- --zone-name: References the private DNS zone
- --name: DNS record name (will resolve as webapp.contoso.local)
- Second command adds the IP address:
- --record-set-name: References the record set created above
- --ipv4-address: IP address to resolve to
Alternative Record Types:
- CNAME: az network private-dns record-set cname create
- PTR: az network private-dns record-set ptr create
- MX: az network private-dns record-set mx create
- TXT: az network private-dns record-set txt create
Command Flow Context:
These are the sixth and seventh commands in the sequence. DNS records define name-to-IP mappings. The first command creates an empty record set, and the second adds the actual IP address. This two-step process allows for multiple IP addresses per name.
Step 7: Create Virtual Machine
az vm create \
--resource-group myResourceGroup \
--name myVM \
--image Ubuntu2204 \
--subnet mySubnet \
--vnet-name myVNet \
--admin-username azureuser \
--generate-ssh-keys \
--size Standard_B2s
Parameters Explanation:
- --resource-group: References the resource group
- --name: Name of the virtual machine
- --image: Operating system image (Ubuntu2204, Win2022Datacenter, etc.)
- --subnet: References the subnet from step 3
- --vnet-name: References the VNet from step 2
- --admin-username: Administrator username
- --generate-ssh-keys: Auto-generate SSH keys for Linux VMs
- --size: VM size (determines CPU/memory/cost)
Alternative Options:
- --admin-password: Use password instead of SSH keys
- --public-ip-address: Control public IP creation
- --nsg: Associate specific network security group
- --private-ip-address: Assign static private IP
Command Flow Context:
This is the eighth command in the sequence. The VM is created in the subnet and will automatically use Azure-provided DNS (168.63.129.16) unless custom DNS is configured. If auto-registration is enabled, a DNS record will be created automatically.
Step 8: Configure Custom DNS Server
az network vnet update \
--resource-group myResourceGroup \
--name myVNet \
--dns-servers 10.0.1.4 168.63.129.16
Parameters Explanation:
- --resource-group: References the resource group
- --name: References the VNet to update
- --dns-servers: List of DNS servers in priority order
DNS Server Options:
- 10.0.1.4: Custom DNS server (primary)
- 168.63.129.16: Azure-provided DNS (fallback)
- Multiple servers: Space-separated list for redundancy
Important Notes:
- Changes require VM restart to take effect
- Always include 168.63.129.16 for Azure resource resolution
- Order determines priority (first server is primary)
Command Flow Context:
This is the ninth command in the sequence. This command configures the VNet to use custom DNS servers. All VMs in the VNet will use these DNS servers for name resolution. VMs need to be restarted for the change to take effect.
Step 9: Create DNS Forwarder VM
az vm create \
--resource-group myResourceGroup \
--name dnsForwarder \
--image Ubuntu2204 \
--subnet mySubnet \
--vnet-name myVNet \
--admin-username azureuser \
--generate-ssh-keys \
--size Standard_B1s \
--private-ip-address 10.0.1.4
Parameters Explanation:
- --private-ip-address: Static IP that matches DNS server configuration
- --size: Smaller size (B1s) since this is just for DNS forwarding
- Other parameters same as previous VM creation
Post-Creation Setup Required:
- Install and configure DNS server software (BIND, dnsmasq, etc.)
- Configure forwarding rules for different domains
- Set up conditional forwarding to Azure DNS
Command Flow Context:
This is the tenth command in the sequence. This VM will act as a DNS forwarder, receiving DNS queries from other VMs and forwarding them to appropriate DNS servers based on the domain being queried.
Step 10: Test DNS Resolution
# Test from within a VM
nslookup webapp.contoso.local
# Test Azure DNS resolution
nslookup myVM.internal.cloudapp.net
# Test external DNS resolution
nslookup microsoft.com
Test Commands Explanation:
- First command: Tests private DNS zone resolution
- Second command: Tests Azure internal DNS resolution
- Third command: Tests external DNS resolution
Alternative Testing Tools:
- dig: More detailed DNS query tool (Linux)
- ping: Tests name resolution and connectivity
- host: Simple DNS lookup tool
Command Flow Context:
These are the final validation commands. Run these from within VMs to verify that DNS resolution is working correctly for private zones, Azure resources, and external domains.
Advanced DNS Configuration
Conditional Forwarding Setup
# Create conditional forwarder rule
az network dns forwarding-rule create \
--resource-group myResourceGroup \
--ruleset-name myForwardingRuleset \
--name azureForwarding \
--domain-name "azure.local" \
--forwarding-targets '[{"ip":"168.63.129.16","port":53}]'
Parameters Explanation:
- --ruleset-name: Name of the DNS forwarding ruleset
- --name: Name for this specific forwarding rule
- --domain-name: Domain to forward (queries for this domain)
- --forwarding-targets: JSON array of target DNS servers
Use Cases:
- Forward specific domains to different DNS servers
- Hybrid scenarios with on-premises DNS
- Multi-cloud DNS resolution
Private DNS Zone with Multiple VNets
# Link additional VNet to same private DNS zone
az network private-dns link vnet create \
--resource-group myResourceGroup \
--zone-name contoso.local \
--name myVNet2Link \
--virtual-network myVNet2 \
--registration-enabled false
Parameters Explanation:
- --virtual-network: References second VNet
- --registration-enabled false: Disable auto-registration for this VNet
Multi-VNet Scenarios:
- Shared DNS zones across multiple VNets
- Hub-and-spoke network topologies
- Cross-region name resolution
DNS Resolution Scenarios
graph TD
A[DNS Query Types] --> B[Internal Azure Resources]
A --> C[Private DNS Zones]
A --> D[External Domains]
A --> E[On-premises Resources]
B --> F[VM Names]
B --> G[PaaS Services]
B --> H[Load Balancers]
C --> I[Custom Domains]
C --> J[Application Services]
C --> K[Database Services]
D --> L[Internet Sites]
D --> M[Public APIs]
D --> N[CDN Endpoints]
E --> O[Domain Controllers]
E --> P[File Servers]
E --> Q[Legacy Applications]
style A fill:#ffcdd2
style B fill:#f8bbd9
style C fill:#e1bee7
style D fill:#c5cae9
style E fill:#bbdefb
DNS Query Types Explanation:
This diagram categorizes different types of DNS queries and their typical use cases. Each category requires different DNS resolution strategies and may involve different DNS servers or forwarding rules.
Best Practices and Troubleshooting
Common Issues:
- DNS Cache: VMs cache DNS responses; restart or flush cache after changes
- DNS Server Order: First server in list is primary; order matters
- Azure DNS Dependency: Always include 168.63.129.16 for Azure resource resolution
- Private Zone Links: Ensure VNets are properly linked to private DNS zones
Performance Optimization:
- Use multiple DNS servers for redundancy
- Place DNS servers close to clients (same region)
- Configure appropriate TTL values for DNS records
- Monitor DNS query performance and response times
Monitoring and Validation
# Check DNS configuration
az network vnet show \
--resource-group myResourceGroup \
--name myVNet \
--query dhcpOptions.dnsServers
# List private DNS zones
az network private-dns zone list \
--resource-group myResourceGroup \
--output table
# Check VNet links
az network private-dns link vnet list \
--resource-group myResourceGroup \
--zone-name contoso.local \
--output table
Monitoring Commands:
- First command: Displays current DNS server configuration
- Second command: Lists all private DNS zones
- Third command: Shows VNet links for a specific zone
Summary
Azure VNet name resolution provides flexible options for DNS resolution in cloud and hybrid environments. The key components work together to provide seamless name resolution:
| Component |
Purpose |
When to Use |
| Azure-provided DNS |
Default DNS service |
Simple scenarios, Azure resources only |
| Custom DNS Servers |
Advanced DNS control |
Complex routing, hybrid scenarios |
| Private DNS Zones |
Private domain resolution |
Internal applications, microservices |
| DNS Forwarding |
Conditional forwarding |
Multi-environment, selective routing |
Remember: Always test DNS resolution after configuration changes and monitor performance to ensure optimal operation. DNS is critical infrastructure that affects all network communication.