Snippets

Azure snippet: detect Private Endpoint DNS drift

A short check to compare the expected DNS chain, returned private address, and test path from a workload or CI runner.

03 Jun 2026 | Tags: azure, private-endpoint, dns, terraform, drift, runbook

Private Endpoint drift is often invisible for as long as a public-network exception on the service still lets requests succeed over the public address: nothing fails until that exception is closed. The useful test is to verify the CNAME chain, the final resolved address, and the exact path (host and resolver) from which the test runs, rather than to confirm that the service answers.

bash check-private-endpoint-drift-dns.sh
#!/usr/bin/env bash
# Resolve a Private Endpoint-backed FQDN from this host and warn when the answer
# does not pass through the privatelink zone or does not end in the private range.
set -u
command -v dig >/dev/null || { echo "dig not found on this test path"; exit 2; }

SERVICE_FQDN="stordersprod.blob.core.windows.net"
EXPECTED_CNAME="privatelink.blob.core.windows.net"
EXPECTED_PRIVATE_PREFIX="10.50.20."
STATUS=0

printf 'Test path: %s\n' "$(hostname)"
nslookup "$SERVICE_FQDN"

# dig +short prints the whole CNAME chain followed by the final address, so the
# last line is the address and everything before it is the chain. Checking the
# whole chain, not just the first hop, catches an extra hop inserted before the privatelink zone.
CHAIN=$(dig +short "$SERVICE_FQDN")
CNAME_RESULT=$(printf '%s\n' "$CHAIN" | sed '$d')
IP_RESULT=$(printf '%s\n' "$CHAIN" | tail -n 1)

printf 'CNAME chain:\n%s\n' "$CNAME_RESULT"
printf 'IP: %s\n' "$IP_RESULT"

case "$CNAME_RESULT" in
  *"$EXPECTED_CNAME"*) ;;
  *) echo "WARN: CNAME chain does not pass through expected privatelink zone"; STATUS=1 ;;
esac
case "$IP_RESULT" in
  "$EXPECTED_PRIVATE_PREFIX"*) ;;
  *) echo "WARN: IP does not match expected private prefix"; STATUS=1 ;;
esac

# Non-zero exit so a CI job fails on drift instead of only logging a warning.
exit "$STATUS"

Run the same test from the workload and from the Terraform runner, since the two usually sit behind different resolvers and different private DNS zone links. If either path still returns a public address, that path is resolving around the private endpoint, and the next network change (typically closing the public exception) turns the drift into an outage.
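To make the cross-path comparison mechanical, the classification can be separated from the live lookup and run over `dig +short` answers captured on each path. The script below is an added example, not the page's own check: the function names `classify_answer` and `drift_report` are hypothetical, the three answers are constructed to look like a workload with the private zone linked, a runner that only sees public DNS, and a name with no private endpoint at all, and 203.0.113.10 is a documentation address standing in for whatever public address the storage front end would return.

```shell
#!/usr/bin/env bash
# Added example: classify captured `dig +short` answers for a Private
# Endpoint-backed FQDN and compare the verdicts from several test paths.
# Function names, sample answers and addresses are constructed for this example.

EXPECTED_CNAME="privatelink.blob.core.windows.net"
EXPECTED_PRIVATE_PREFIX="10.50.20."

# classify_answer <dig +short output>
# Prints one verdict and returns 0 only for PRIVATE_OK:
#   PRIVATE_OK             chain passes through the privatelink zone, address is private
#   PRIVATELINK_PUBLIC_IP  privatelink hop present but the final address is public
#                          (the private DNS zone is not visible from this path)
#   PUBLIC_NO_PRIVATELINK  no privatelink hop at all (no private endpoint for this name)
#   UNRESOLVED_CNAME       chain ends in a name, not an address (dangling CNAME)
#   NO_ANSWER              empty answer
classify_answer() {
  local chain="$1" last has_privatelink=0 is_private=0
  [ -n "$chain" ] || { echo NO_ANSWER; return 1; }
  last=$(printf '%s\n' "$chain" | tail -n 1)
  # dig prints names with a trailing dot; an address never ends in one.
  case "$last" in
    *.) echo UNRESOLVED_CNAME; return 1 ;;
  esac
  case "$chain" in
    *"$EXPECTED_CNAME"*) has_privatelink=1 ;;
  esac
  case "$last" in
    "$EXPECTED_PRIVATE_PREFIX"*) is_private=1 ;;
  esac
  if [ "$has_privatelink" -eq 1 ] && [ "$is_private" -eq 1 ]; then
    echo PRIVATE_OK; return 0
  elif [ "$has_privatelink" -eq 1 ]; then
    echo PRIVATELINK_PUBLIC_IP; return 1
  else
    echo PUBLIC_NO_PRIVATELINK; return 1
  fi
}

# drift_report <path> <verdict> [<path> <verdict> ...]
# Prints every path whose verdict is not PRIVATE_OK; returns 0 only when all paths are private.
drift_report() {
  local rc=0
  while [ $# -ge 2 ]; do
    if [ "$2" != PRIVATE_OK ]; then
      printf 'DRIFT %s: %s\n' "$1" "$2"
      rc=1
    fi
    shift 2
  done
  return "$rc"
}

# Constructed answers (not captured from a real tenant).
WORKLOAD_ANSWER='stordersprod.privatelink.blob.core.windows.net.
10.50.20.36'
RUNNER_ANSWER='stordersprod.privatelink.blob.core.windows.net.
blob.example-cluster.store.core.windows.net.
203.0.113.10'
LEGACY_ANSWER='blob.example-cluster.store.core.windows.net.
203.0.113.10'

workload_verdict=$(classify_answer "$WORKLOAD_ANSWER") || true
runner_verdict=$(classify_answer "$RUNNER_ANSWER") || true
drift_report workload "$workload_verdict" terraform-runner "$runner_verdict" \
  || echo "Paths disagree: the runner resolves around the private endpoint"
```

In practice each path captures its answer with `dig +short "$SERVICE_FQDN"` into a file named after the host, and a single job feeds those files to `classify_answer` and `drift_report`. The PRIVATELINK_PUBLIC_IP verdict is the one that matters for this runbook: the privatelink hop proves the endpoint exists, while the public final address proves this path cannot see the private zone.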