Azure Private DNS with Terraform — Foundation Before Private Endpoints
In this guide we explore how to deploy Azure Private DNS Terraform and why it forms the architectural foundation behind Private Endpoints and private platform services.
When engineers start working with private networking in Azure, they usually begin with Private Endpoints. They deploy a storage account, create a private endpoint, and then try to understand why services suddenly resolve differently inside their network. But private connectivity in Azure is not only about networking. It is also about DNS. Before private services can be accessed inside a Virtual Network, Azure needs a mechanism that resolves service names to private IP addresses instead of public ones. That mechanism is Azure Private DNS.
In this article we will look at the DNS foundation layer used in private Azure architectures and how it can be deployed using Terraform/OpenTofu.
Azure Platform Architecture in Practice
In real-world Azure environments, DNS is not an isolated component.
It becomes part of a larger platform architecture that includes:
Virtual Networks
security boundaries
outbound connectivity
private endpoints
platform services
container platforms such as Kubernetes
At FoggyKitchen I explore this architecture step by step across multiple articles and courses.
If you want to see how these components are designed together as a full platform, I cover the complete implementation in my course:
The course walks through the full architecture including networking, private connectivity and infrastructure automation.
👉 See the full Azure infrastructure with Terraform architecture model: Azure Infrastructure with Terraform – Architecture Model
Why Private DNS Matters
Azure services normally resolve through public DNS.
For example:
storageaccount.blob.core.windows.net
This resolves to a public IP address.
However, when a service is exposed through a Private Endpoint, Azure changes the resolution path.
Instead of public DNS, the service is resolved through a Private DNS zone, such as:
privatelink.blob.core.windows.net
Inside a Virtual Network, this zone maps the service name to a private IP address.
Without this DNS layer:
applications may still try to reach public endpoints
internal connectivity becomes unreliable
private networking loses its purpose.
That is why Private DNS should be treated as a platform foundation, not just an optional configuration step.
Azure Private DNS allows private name resolution inside Virtual Networks as described in the official Microsoft documentation.
Azure Private DNS Terraform — Architecture Overview
The Terraform/OpenTofu example presented here creates a minimal DNS architecture consisting of:
an Azure Virtual Network
a Private DNS Zone
a Virtual Network link connecting the DNS zone to the VNet
This simple pattern establishes the DNS boundary for the platform.
The architecture intentionally does not include any private endpoints yet.
The goal is to create the DNS foundation first — so that services can later register private records automatically.
Figure 1. Azure Private DNS Zone linked to a Virtual Network — establishing the DNS foundation for private services.
The Role of the VNet Link
A Private DNS Zone on its own does not affect name resolution inside a network.
Resolution becomes active only when the zone is linked to a Virtual Network.
This link allows resources inside the VNet to resolve DNS records stored in the private zone.
From an architectural perspective the pattern looks like this:
Virtual Network
↓
Private DNS Zone
↓
Private services
Where Private DNS Appears in Real Architectures
The DNS layer becomes visible when platform services are deployed inside the network.
Several FoggyKitchen articles show this pattern in real deployments.
Azure Storage Private Endpoints
Azure Storage services automatically populate DNS records when exposed through Private Endpoints.
Examples include:
Both architectures extend the DNS foundation by adding private endpoints that register service records in the Private DNS zone.
Azure Database for PostgreSQL
Private DNS is also critical when deploying Azure Database for PostgreSQL Flexible Server inside a Virtual Network.
The service relies on DNS resolution to connect applications to the database endpoint through private networking.
You can see this architecture in detail here: Azure PostgreSQL Flexible Server with Terraform/OpenTofu
This example combines:
delegated subnets
database services
private DNS integration.
Multicloud Perspective
Interestingly, the same architectural principle appears in other cloud providers.
In Oracle Cloud Infrastructure, Private DNS zones play a similar role by enabling internal service discovery across networks.
If you work in multicloud environments, you may find this article useful: OCI Private DNS with Terraform/OpenTofu
Across clouds, DNS consistently acts as a foundation layer for private service connectivity.
From DNS Foundations to Full Platform Architecture
In real environments it connects with:
- Virtual Networks and subnet design
- NSG-based security boundaries
- NAT Gateway outbound architecture
- Private Endpoints for storage and databases
These components form the backbone of modern Azure environments.
👉 DNS is what allows all of them to work together as a coherent system. If you want to see how these building blocks are implemented together using Terraform/OpenTofu — step by step, as a complete Azure platform:
➡️ Explore the Azure Fundamentals course: https://foggykitchen.com/courses/azure-fundamentals-terraform-course/
The course shows how networking, private connectivity, and infrastructure automation come together into a real-world architecture.
Conclusion
Private connectivity in Azure is often explained from the perspective of network interfaces and endpoints.
But the real foundation of private networking is DNS resolution.
By creating a Private DNS Zone linked to a Virtual Network, we establish a reusable architectural layer that allows platform services to integrate seamlessly into the network.
Once this foundation exists, services such as storage, databases and Kubernetes workloads can rely on the same DNS infrastructure.
Understanding this layer is a key step toward designing clean, production-grade Azure architectures with Terraform/OpenTofu.
From Private DNS to Real Azure Platform Architecture
Private DNS is what makes private connectivity actually work.
Without DNS resolution, private endpoints, storage, and compute cannot integrate into a coherent platform.
This layer is a foundation of real-world Azure architectures.
🔒 Lifetime • ⚙️ Networking & DNS Labs • 🧠 Architecture-first
Check also other courses:
🆕 OCI–Azure Interconnect in Practice: FastConnect & ExpressRoute with Terraform/OpenTofu
🆕 Multicloud Advanced Networking: Azure & OCI deployed with Terraform/OpenTofu
