Blog Post

Azure Infrastructure Blog
2 MIN READ

Enhancing Azure Private DNS Resiliency with Internet Fallback

adityakumar60's avatar
adityakumar60
Icon for Microsoft rankMicrosoft
Feb 27, 2025

Azure Private DNS provides a robust way to manage DNS records within your Azure virtual networks. However, complex network configurations, especially those utilizing Azure Private Link, can introduce DNS resolution challenges. The newly introduced internet fallback feature significantly enhances resiliency by providing a seamless failover mechanism.

The Challenge: DNS Resolution Gaps

In intricate Azure environments, particularly those involving:

  • Multiple Virtual Networks: Each with its own isolated Private DNS zone.
  • Azure Private Link: Where services are accessed via private endpoints.
  • Hybrid Environments: Where on-premises DNS servers are integrated.
  • Multi-tenant and Multi-subscription deployments: increasing complexity.

You may encounter:

  • NXDOMAIN Errors: When a resource attempts to resolve a private endpoint's DNS name, and the linked Private DNS zone lacks the necessary record.
  • Interrupted Connectivity: Caused by outages in on-premises DNS or isolated Private DNS zones.
  • Application Downtime: Due to failed dependencies on Private Link services.
  • Increased Operational Overhead: For troubleshooting and resolving DNS issues.

The Solution: Internet Fallback

Azure Private DNS internet fallback acts as a safety net, ensuring continuity by:

  • Automatic Failover: When an NXDOMAIN error occurs, it automatically attempts to resolve the DNS name using public DNS resolvers.
  • Temporary Resilience: Allowing applications to function, albeit with potentially increased latency.
  • Minimizing Downtime: Reducing the impact of DNS resolution issues.

Tutorial: Enabling Internet Fallback

  1. Navigate to your Private DNS Zone:
    • In the Azure portal, locate and select your Private DNS zone.
  2. Access Zone Configuration:
    • Go to the "Zone Configuration" section.
  3. Enable Internet Fallback:
    • Toggle the "Enable internet failback" switch to the "On" position.
    • Navigate to the Virtual Network Link: If needing to enable it on a per link basis, navigate to the virtual network link on the private DNS zone.
    • Edit the link: Click on edit to change the link configuration.
    • Enable "fallback to internet": Check the box to enable the fallback.
    • Save: Save your changes.

Why This Matters

  • Improved Application Availability: Reduces downtime caused by DNS resolution failures.
  • Enhanced Resilience: Protects against disruptions in on-premises or isolated DNS environments.
  • Simplified Management: Minimizes the need for manual intervention during DNS outages.

Verification

  • Verify the configuration by querying fallback-enabled virtual network links using Azure Resource Graph Explorer or the Azure CLI.

Conclusion

Azure Private DNS internet fallback is a crucial feature for ensuring the reliability and resilience of your Azure applications. By providing a seamless failover mechanism, it minimizes the risk of DNS resolution failures, ensuring continuous connectivity and minimizing application downtime.

Disclaimer:

  • This article is for informational purposes only.
  • Configuration options may vary depending on your Azure environment.

Always refer to the official Azure documentation for the latest information

Updated Feb 27, 2025
Version 2.0
updates
  • Boopathi_Sarvesan's avatar
    Boopathi_Sarvesan
    Copper Contributor
    Mar 03, 2025

    Much needed functionality!! The addition of internet fallback to Azure Private DNS zones will solve so many problems for our hybrid cloud deployments and Azure #MachineLearning DNS  resolutions