Private DNS Zone not resolving to private IP for Azure MySQL via VPN Gateway Point to site

Abdelrhman Goma 95 Reputation points
2025-08-13T11:01:54.4466667+00:00

I have an Azure MySQL Flexible Server (vpn-db-test.mysql.database.azure.com) with a Private Endpoint connected to my VNet. I created a Private DNS Zone privatelink.mysql.database.azure.com and linked it to the same VNet as the private endpoint.

When I run an nslookup from Azure Cloud Shell, I get the public IP instead of the private IP:

nslookup vpn-db-test.mysql.database.azure.com
Server:  168.63.129.16
Address: 168.63.129.16#53

Non-authoritative answer:
vpn-db-test.mysql.database.azure.com canonical name = vpn-db-test.privatelink.mysql.database.azure.com.
Name: vpn-db-test.privatelink.mysql.database.azure.com
Address: 85.x.x.x (public IP)

Expected: it should return the private IP of the Private Endpoint.

I have already:

Created and linked the Private DNS Zone to the VNet.

Verified the Private Endpoint is in the same VNet/subnet.

Tested from a VM inside the VNet — still resolves to the public IP.

How can I ensure DNS resolution for Azure MySQL goes to the private IP when connected via VPN? Also, I can't access the DB through SQL Workbench either.


Accepted answer
Priya ranjan Jena 265 Reputation points Microsoft External Staff Moderator
2025-08-14T07:23:02.3033333+00:00

Hi @Abdelrhman Goma,

Regarding your query above about getting the public IP instead of the private IP after creating a Private DNS Zone privatelink.mysql.database.azure.com and linking it to the same VNet as the private endpoint.

Hope the above comment helps you, and in addition to that:

1. Please check whether DNS resolution is correctly routing through your Private DNS Zone.

2. Verify that the Private DNS Zone is linked to the same VNet where the Private Endpoint is deployed.

3. Ensure auto-registration is disabled.

4. Azure Cloud Shell runs in a separate VNet and does not use your custom DNS settings.

Therefore, it will resolve to the public IP. So, use a VM inside your VNet to test DNS resolution, or configure a custom DNS forwarder (e.g., Azure Firewall DNS proxy or a VM running DNS) and point your VNet to it.

5. Testing from inside the VNet

Run nslookup vpn-db-test.mysql.database.azure.com from a VM inside the same VNet as the Private Endpoint.

Please find the Microsoft link for reference.

    https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

For access to the DB through SQL Workbench:

1. If you're using Azure Database for MySQL, please check for an incorrect or expired password.

2. Confirm that MySQL is running on the server and listening on the correct port (default is 3306).

If you find this comment helpful, please do not forget to "up-vote" the information provided; this can be beneficial to community members.

    Please let us know if you have any further queries.

    Thanks


1 additional answer

TP 134.2K Reputation points Volunteer Moderator
2025-08-13T21:24:26.7666667+00:00

Hi @Abdelrhman Goma,

1. Please navigate to the Private Endpoint -- Settings -- DNS configuration and make sure it shows the customer-visible FQDN vpn-db-test.mysql.database.azure.com and the private IP. Next, on the same screen, make sure it has a configuration for the FQDN vpn-db-test.privatelink.mysql.database.azure.com with the private IP and the private DNS zone you created.

    If the DNS zone configuration isn't there click Add configuration and add it.

2. Please navigate to the private DNS zone -- DNS Management -- Recordsets and verify there is an A record for vpn-db-test pointing to the private IP.

3. Please test from a VM on the same VNet using nslookup to see if the correct private IP is returned. If you want to test using Azure Cloud Shell, it needs to be integrated with the VNet. If you test using normal Azure Cloud Shell, that will return the public IP, since it performs lookups against public DNS.

    4. For connections via VPN, you will need to use Azure DNS Private Resolver with a DNS server on premises configured with conditional forwarding so that DNS lookups from remote PCs will resolve to correct private IP.

Or another "low-tech" solution would be to edit the hosts file on the remote PCs so that they have the correct private IP for the database. The hosts file is only okay for a small number of PCs, since it involves administrative overhead to edit the hosts file on each PC.

    Please reply back with your findings/results, whether positive or negative. Please let me know if you have questions/concerns.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP
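The checks both answers above walk through (DNS zone group on the endpoint, VNet link, A record in the zone, and resolving the FQDN from inside the VNet versus from a VPN client) gathered into one diagnostic script. This is an added example, not code from either answer or from Microsoft. The two nslookup transcripts in it are constructed for offline testing (203.0.113.10 stands in for the public IP the question shows as 85.x.x.x, and 10.0.1.4 is an assumed private endpoint address); the Azure CLI functions assume you have run az login against the subscription that holds the private endpoint, and the script name check_pe_dns.sh is a placeholder.

```bash
#!/usr/bin/env bash
# check_pe_dns.sh - added diagnostic, not part of the original thread.
# Assumes bash, awk, nslookup for the live lookup and `az` for the control-plane checks.
set -euo pipefail

# Exit 0 when $1 is an RFC 1918 address, i.e. the kind of address a
# Private Endpoint NIC is given from its subnet.
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read an nslookup transcript on stdin and print the final answer address.
# The first "Address:" line is the resolver itself ("168.63.129.16#53"),
# so lines whose address contains '#' are skipped.
answer_ip_from_nslookup() {
  awk '/^Address:/ && $2 !~ /#/ { ip = $2 } END { print ip }'
}

# Classify a transcript read from stdin:
#   "private <ip>"  the private endpoint address is being returned
#   "public <ip>"   the query fell through to the public zone
#   "none"          no A answer at all
classify_nslookup() {
  local ip
  ip=$(answer_ip_from_nslookup)
  if [ -z "$ip" ]; then
    echo "none"
  elif is_rfc1918 "$ip"; then
    echo "private $ip"
  else
    echo "public $ip"
  fi
}

# Live lookup against a chosen resolver. The default, 168.63.129.16, is the
# Azure-provided DNS that only answers private zones from inside a linked VNet.
check_fqdn() {
  local fqdn=$1 server=${2:-168.63.129.16}
  nslookup "$fqdn" "$server" | classify_nslookup
}

# Control-plane checks mirroring the answers: zone group on the endpoint,
# VNet links on the zone, A records in the zone. Requires `az login`.
azure_checks() {
  local rg=$1 pe=$2 zone=${3:-privatelink.mysql.database.azure.com}
  az network private-endpoint dns-zone-group list --endpoint-name "$pe" --resource-group "$rg" -o table
  az network private-dns link vnet list --resource-group "$rg" --zone-name "$zone" -o table
  az network private-dns record-set a list --resource-group "$rg" --zone-name "$zone" -o table
}

# Constructed sample transcripts; 203.0.113.10 is a documentation address
# standing in for the public IP, 10.0.1.4 an assumed private endpoint IP.
SAMPLE_PUBLIC='Server:  168.63.129.16
Address: 168.63.129.16#53

Non-authoritative answer:
vpn-db-test.mysql.database.azure.com canonical name = vpn-db-test.privatelink.mysql.database.azure.com.
Name: vpn-db-test.privatelink.mysql.database.azure.com
Address: 203.0.113.10'

SAMPLE_PRIVATE='Server:  168.63.129.16
Address: 168.63.129.16#53

Non-authoritative answer:
vpn-db-test.mysql.database.azure.com canonical name = vpn-db-test.privatelink.mysql.database.azure.com.
Name: vpn-db-test.privatelink.mysql.database.azure.com
Address: 10.0.1.4'

# Usage:
#   ./check_pe_dns.sh                                                  classify the two samples
#   ./check_pe_dns.sh live vpn-db-test.mysql.database.azure.com [ip]   query a resolver
#   ./check_pe_dns.sh azure <resource-group> <private-endpoint> [zone]  control-plane checks
case "${1:-samples}" in
  samples)
    printf '%s\n' "$SAMPLE_PUBLIC"  | classify_nslookup   # public 203.0.113.10
    printf '%s\n' "$SAMPLE_PRIVATE" | classify_nslookup   # private 10.0.1.4
    ;;
  live)  check_fqdn "$2" "${3:-168.63.129.16}" ;;
  azure) azure_checks "$2" "$3" "${4:-privatelink.mysql.database.azure.com}" ;;
esac
```

From a VM in the VNet, "live" with the default resolver should print "private ..."; "public ..." there means the zone link or the A record is missing (run "azure" to see which). From a Point-to-Site client the second argument has to be a resolver the client can reach that forwards into Azure DNS, such as a DNS Private Resolver inbound endpoint or a forwarder VM in the VNet; 168.63.129.16 itself is only reachable from inside Azure, so querying it over the VPN will not work.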
