
Add DNS info for Azure Private Link with App Services that use "Unique Default Hostnames" #124405

Open
mikeclayton opened this issue Sep 12, 2024 · 3 comments

Comments

@mikeclayton

mikeclayton commented Sep 12, 2024

Documentation Improvement Request

The documentation at Using Private Endpoints for App Service apps describes the required DNS configuration for App Services that use a Private link.

However, this appears to be slightly different for App Services that use Unique Default Hostnames because the default hostname for the App Service includes a region name - e.g.

test-a6gqaeashthkhkeu.eastus-01.azurewebsites.net 

It's not obvious from the documentation whether the Private DNS Zone should be:

privatelink.<region>.azurewebsites.net

or

<region>.privatelink.azurewebsites.net

so some clarification in the documentation would be super helpful. (Note that other services that include a region in the fqdn have privatelink as a prefix - e.g. privatelink.northeurope.backup.windowsazure.com and privatelink.northeurope.azmk8s.io)

Possible Bug with Unique Default Hostnames?

I'm not sure where the best place to report this is - if there's a better place please let me know.

I've tried attaching Private DNS Zones in both name formats to a Private Link connected to an App Service that uses a Unique Default Hostname and neither work, with the following problems:

  • <region>.privatelink.azurewebsites.net - when attaching this zone to the Private Endpoint in a DNS Configuration, the A records from the App Service (test-a6gqaeashthkhkeu.eastus-01.azurewebsites.net, test-a6gqaeashthkhkeu.eastus-01.scm.azurewebsites.net) don't get added automatically to the Private DNS Zone as they normally do with App Services with non-Unique Default Hostnames.

  • privatelink.<region>.azurewebsites.net - when attaching this zone to the Private Endpoint in a DNS Configuration, the A records from the App Service (test-a6gqaeashthkhkeu.eastus-01.azurewebsites.net, test-a6gqaeashthkhkeu.eastus-01.scm.azurewebsites.net) do get added automatically to the Private DNS Zone, but the CNAME returned appears to be test-a6gqaeashthkhkeu.<region>.privatelink.azurewebsites.net, so the recursive DNS query to resolve the CNAME fails.

Our DNS setup is... complex... so there could be something wrong in our configuration, but clarifying the required Private DNS Zone setup per above would at least confirm which one we should be using.

@ManoharLakkoju-MSFT
Contributor

@mikeclayton
Thanks for your feedback! We will investigate and update as appropriate.

@Naveenommi-MSFT
Contributor

@mikeclayton
Thank you for bringing this to our attention.
I've delegated this to content author @msangapu-msft, who will review it and offer their insightful opinions.

@mikeclayton
Author

It turns out I was doing the wrong thing - the Azure Private DNS Zone to attach to the Private Endpoint for web apps that use Unique Default Hostnames is neither of these:

  • privatelink.<region>.azurewebsites.net
  • <region>.privatelink.azurewebsites.net

It's in fact, the same as web apps that don't use Unique Default Hostnames:

  • privatelink.azurewebsites.net

What happens is the A records that get automatically created in the Private DNS Zone include the <region> part:

Name                          Type  Value
mywebapp-<hash>.<region>      A     <private endpoint ip>
mywebapp-<hash>.scm.<region>  A     <private endpoint ip>

and this then resolves the fqdn mywebapp-<hash>.<region>.privatelink.azurewebsites.net

I've added some specific details about this in PR #124485 in case it helps others...
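The zone choice worked out in the comment above, and the two failure modes described in the original report, as an added example (not code from the issue, the PR, or the Azure docs). It derives the zone and record name the DNS zone group registers for any azurewebsites.net default hostname, legacy or unique, and then simulates a VNet resolver against the three candidate zone names so the difference is visible without an Azure subscription. The hostname format, the private endpoint IP (10.0.1.4), and the public CNAME target under privatelink.azurewebsites.net are constructed here from what the thread reports; the resolver model (a linked private zone answers authoritatively for names under it, a missing record is NXDOMAIN, anything else continues on public DNS) is an assumption of this script.

```python
"""Which Private DNS zone and records an App Service private endpoint needs.

Added example; not code from the issue or from the Azure docs. The resolver
behaviour is a simulation: the hostnames, the private endpoint IP and the
public CNAME chain are constructed here to match the thread's description.
"""
import re
from typing import Dict, Tuple

PRIVATELINK_ZONE = "privatelink.azurewebsites.net"
PUBLIC_ANSWER = "public (private zone not consulted)"

# Legacy default hostname: <site>[.scm].azurewebsites.net
# Unique default hostname: <site>-<hash>[.scm].<region>-NN.azurewebsites.net
# The "<region>-NN" label form is taken from the issue (eastus-01).
_HOST_RE = re.compile(
    r"^(?P<site>[a-z0-9-]+)(?P<scm>\.scm)?"
    r"(?:\.(?P<region>[a-z0-9]+-\d+))?\.azurewebsites\.net$"
)


def expected_private_record(hostname: str) -> Tuple[str, str]:
    """Return (private_zone, record_name) for an App Service default hostname.

    Both hostname formats use the same zone, privatelink.azurewebsites.net;
    a unique default hostname keeps its region label inside the record name.
    """
    m = _HOST_RE.match(hostname.lower())
    if not m:
        raise ValueError(f"not an azurewebsites.net default hostname: {hostname}")
    labels = [m["site"]]
    if m["scm"]:
        labels.append("scm")
    if m["region"]:
        labels.append(m["region"])
    return PRIVATELINK_ZONE, ".".join(labels)


def resolve(hostname: str, private_zones: Dict[str, Dict[str, str]]) -> str:
    """Simulate a VNet resolver with the given linked private zones.

    Public DNS answers <labels>.azurewebsites.net with a CNAME to
    <labels>.privatelink.azurewebsites.net (constructed to match the thread).
    If that target falls under a linked private zone, the zone answers and a
    missing record is NXDOMAIN; otherwise resolution continues on public DNS.
    """
    zone, record = expected_private_record(hostname)
    cname_target = f"{record}.{zone}"
    for zone_name, records in private_zones.items():
        suffix = "." + zone_name
        if cname_target.endswith(suffix):
            return records.get(cname_target[: -len(suffix)], "NXDOMAIN")
    return PUBLIC_ANSWER


def compare_zone_choices(hostname: str, pe_ip: str = "10.0.1.4") -> Dict[str, str]:
    """Resolve a unique-default-hostname app against the three zone names from the issue."""
    zone, record = expected_private_record(hostname)
    labels = record.split(".")
    if len(labels) < 2 or labels[-1] == "scm":
        raise ValueError("expected a unique default hostname with a region label")
    region = labels[-1]
    site_only = ".".join(labels[:-1])
    choices = {
        # Correct: the DNS zone group registers "<site>-<hash>[.scm].<region>".
        zone: {record: pe_ip},
        # Wrong: records get registered here, but the CNAME target
        # "<record>.privatelink.azurewebsites.net" is outside this zone.
        f"privatelink.{region}.azurewebsites.net": {site_only: pe_ip},
        # Wrong: the zone matches the CNAME target, but nothing is registered
        # automatically, so the zone answers NXDOMAIN.
        f"{region}.privatelink.azurewebsites.net": {},
    }
    return {z: resolve(hostname, {z: recs}) for z, recs in choices.items()}


if __name__ == "__main__":
    app = "test-a6gqaeashthkhkeu.eastus-01.azurewebsites.net"  # hostname from the issue
    for host in (app, app.replace(".eastus-01", ".scm.eastus-01"), "mywebapp.azurewebsites.net"):
        print(host, "->", expected_private_record(host))
    for z, answer in compare_zone_choices(app).items():
        print(f"{z:45} {answer}")
```

In an actual deployment the correct row corresponds to linking privatelink.azurewebsites.net to the VNet and attaching it to the private endpoint's DNS zone group (for example with az network private-endpoint dns-zone-group create); the zone group is what writes the A records shown in the table above, so a missing record in that zone after deployment points at the zone group, not at the zone name.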

4 participants