
Azure snippet: check Private Endpoint DNS resolution

A short sequence to confirm that an Azure service exposed through Private Endpoint resolves to a private address from the right network.

02 Jun 2026 | azure, private-endpoint, dns, networking, troubleshooting

Before troubleshooting the application, confirm the simplest path: the public Azure service name must resolve to the Private Endpoint address from the consuming network.

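check-private-endpoint-dns.sh

```bash
SERVICE_FQDN="mystorageaccount.blob.core.windows.net"

# Full answer from the resolver this host is configured to use
nslookup "$SERVICE_FQDN"
# Short form: CNAME targets first, then the final address
dig +short "$SERVICE_FQDN"
# HEAD request over HTTPS, giving up if no connection is made within 5 seconds
curl -I "https://$SERVICE_FQDN" --connect-timeout 5
```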

The expected result is not only a DNS answer. Check that the CNAME chain goes through privatelink and that the final address belongs to the expected private address plan.

expected-result.txt

```text
mystorageaccount.blob.core.windows.net
-> mystorageaccount.privatelink.blob.core.windows.net
-> 10.x.y.z
```

If resolution still returns a public address, the issue is often the Private DNS Zone association, hybrid DNS forwarding, or the fact that the test is not running from the right network.
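The two checks described above (a `privatelink` hop in the CNAME chain, and a final address inside the expected private range) can be scripted over `dig +short` output. This is an added example, not part of the original snippet; the function names, the `10.0.0.0/8` range, and the sample answers are assumptions constructed for illustration.

```bash
# Added example: classify `dig +short` output for a Private Endpoint name.
# The CIDR argument (10.0.0.0/8 below) is an assumption; use your own address plan.

ip_to_int() {   # dotted quad -> integer
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

in_cidr() {     # in_cidr <ip> <cidr>: true when ip falls inside cidr
  shift_by=$(( 32 - ${2#*/} ))
  [ $(( $(ip_to_int "$1") >> shift_by )) -eq $(( $(ip_to_int "${2%/*}") >> shift_by )) ]
}

# Reads `dig +short` output on stdin and prints one verdict:
# OK | NO_PRIVATELINK_CNAME | NOT_IN_EXPECTED_RANGE | NO_ADDRESS
check_pe_answer() {
  seen_privatelink=0 last_ip=""
  while IFS= read -r line; do
    line=${line%.}                 # dig prints CNAME targets with a trailing dot
    case $line in
      *[!0-9.]*) case $line in *.privatelink.*) seen_privatelink=1 ;; esac ;;
      *.*.*.*)   last_ip=$line ;;  # digits and dots only: an IPv4 answer
    esac
  done
  if [ -z "$last_ip" ]; then echo NO_ADDRESS
  elif [ "$seen_privatelink" -eq 0 ]; then echo NO_PRIVATELINK_CNAME
  elif ! in_cidr "$last_ip" "$1"; then echo NOT_IN_EXPECTED_RANGE
  else echo OK
  fi
}

# Constructed sample answers (not captured output).
SAMPLE_INSIDE='mystorageaccount.privatelink.blob.core.windows.net.
10.1.2.4'
# From outside the network the privatelink CNAME can still appear, but the chain
# continues to a public address (203.0.113.10 is a documentation address).
SAMPLE_OUTSIDE='mystorageaccount.privatelink.blob.core.windows.net.
blob.constructed-stamp.store.core.windows.net.
203.0.113.10'

printf '%s\n' "$SAMPLE_INSIDE"  | check_pe_answer 10.0.0.0/8
printf '%s\n' "$SAMPLE_OUTSIDE" | check_pe_answer 10.0.0.0/8
# Live use: dig +short "$SERVICE_FQDN" | check_pe_answer 10.0.0.0/8
```

A `NOT_IN_EXPECTED_RANGE` verdict alongside a `privatelink` CNAME points at the causes listed above: zone association, hybrid forwarding, or running the test from the wrong network.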