Cross-Tenant Azure App Service Private Endpoint DNS Not Resolving to Private IP

Question

Cross-Tenant Azure App Service Private Endpoint DNS Not Resolving to Private IP

Ash B 0

Hi all,

I’m working on a cross-tenant Azure App Service Private Endpoint configuration and am having trouble getting DNS resolution to return the Private Endpoint IP from a VM within my virtual network. I have followed Microsoft documentation and several troubleshooting guides, but DNS queries for the App Service hostname still resolve to the public IP and don't return the private IP as expected.

Scenario:

One tenant (Central) acts as the consumer and hosts the virtual network and a test VM.
A second tenant (tenant A) acts as the provider and hosts the Azure App Service.
A Private Endpoint is created in the consumer virtual network, targeting the App Service in the provider tenant.
A Private DNS zone for App Service Private Endpoints is created in the consumer tenant and linked to the virtual network.
The Private DNS zone contains an A record for the App Service regional private hostname that points to the Private Endpoint IP.
I have also tested adding a CNAME for the App Service short name pointing to the regional private hostname.

What I have tried:

Verified that the Private DNS zone is correctly linked to the virtual network.
Verified that the A record for the regional private hostname exists and points to the Private Endpoint IP.
Flushed the DNS cache on the VM.
Confirmed the VM is using Azure’s default DNS service.
DNS lookups for both the regional private hostname and the short hostname return “Non-existent domain.”
Connectivity tests to the Private Endpoint IP on port 443 succeed.
The App Service itself is running and accessible via the public endpoint when enabled.
No custom DNS servers or private DNS resolvers are configured.

Questions:

What might be missing in my DNS configuration for a cross-tenant App Service Private Endpoint scenario?
Is there an additional step required to make the regional private hostname resolvable from a VM in the consumer virtual network?
Do any additional DNS records need to be created manually, or is there a recommended approach for wiring up DNS in this setup?
Is it possible to have the standard App Service hostname resolve to the Private Endpoint IP in a cross-tenant configuration?
Are there any known platform limitations or common pitfalls with this type of deployment?

Thanks in advance for any guidance

Vallepu Venkateswarlu 8,430 Reputation points Microsoft External Staff Moderator

2026-04-30T17:34:54.16+00:00
Hi @ Ash B,

Welcome to Microsoft Q&A Platform.

It sounds like you’ve got all the right bits in place but DNS for that cross-tenant App Service private endpoint still isn’t resolving to the private IP. Here’s what usually trips people up in a cross-tenant scenario and what you can try:

Make sure you’ve created the privatelink.azurewebsites.net zone in your consumer tenant (there isn’t any automatic DNS-zone linkage across tenants).

In that Private DNS Zone, add:

An A record for .privatelink.azurewebsites.net → PrivateEndpointIP

An A record for .scm.privatelink.azurewebsites.net → PrivateEndpointIP

Because you can’t actually own the public azurewebsites.net zone to add a CNAME in consumer, you have two options:

Point your own custom domain (e.g. myapp.contoso.com) via a CNAME to .privatelink.azurewebsites.net and have that domain resolve in your VNet’s DNS.

Or, if you really need to use the default .azurewebsites.net hostname, test via hosts file (for PoC) to map it to the private IP.

Ensure your VM is actually hitting Azure DNS (168.63.129.16). If you have a custom DNS server, you’ll need a conditional forwarder for privatelink.azurewebsites.net pointing to 168.63.129.16.

Test your setup:

From the VM, run nslookup .privatelink.azurewebsites.net 168.63.129.16

You should see the private‐endpoint IP. Confirm the Private Endpoint itself is in “Approved” state in the provider tenant’s Private Link Center, and that the subnet’s network policy is set to “Disabled” for Private Endpoints.

Remember:

You can’t automatically link the built-in Azure DNS zone (azurewebsites.net) across tenants – you must recreate and manage the privatelink zone yourself in the consumer tenant.

Only the *.privatelink.azurewebsites.net names are guaranteed to resolve to your private IP.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Ash B 0 Reputation points

2026-05-01T09:19:41.56+00:00

Thanks, this aligns with my current understanding. To confirm, for Azure App Service the only required Private DNS zone is privatelink.azurewebsites.net (non‑regional), linked to the consumer VNet, containing an A record for <appname>.privatelink.azurewebsites.net. If this zone is not linked or not resolving, the CNAME chain from azurewebsites.net will fail, resulting in public IP resolution or NXDOMAIN. There is no requirement for application‑level changes or routing configuration on the App Service side.
Ash B 0 Reputation points

2026-05-01T10:18:13.55+00:00
Thanks @Vallepu Venkateswarlu

I can confirm the following:

A privatelink.azurewebsites.net Private DNS zone exists in the consumer tenant.

Within that Private DNS zone, I have added:

An A record for <appname>.privatelink.azurewebsites.net pointing to the Private Endpoint IP

An A record for <appname>.scm.privatelink.azurewebsites.net pointing to the Private Endpoint IP

I have deliberately avoided creating any CNAMEs or configuring a custom domain to keep the setup simple and aligned with the default App Service hostname.

DNS cache has been flushed on the VM.

When I run the following from the VM:

nslookup <appname>.privatelink.azurewebsites.net 168.63.129.16

I get:

Server: UnKnown Address: 168.63.129.16 *** UnKnown can't find <appname>.privatelink.azurewebsites.net: Non-existent domain

My understanding is that this confirms the query is reaching Azure-provided DNS (168.63.129.16), but the name is not being resolved via a Private DNS zone visible to this VNet.

I can also confirm:

The Private Endpoint connection is in an Approved state in the provider tenant.

Connectivity to the Private Endpoint IP itself works. Running:

Test-NetConnection -ComputerName <PrivateEndpointIP> -Port 443

returns TcpTestSucceeded : True.

At this point, I am running out of additional troubleshooting steps to try.
Ash B 0 Reputation points

2026-05-05T17:47:07.2066667+00:00

I appear to have gotten a little further today. I’ve managed to get my A records working and can now confirm that my test VM not only has connectivity to the private endpoint, but can also resolve its IP address to the correct DNS name—so I know the A records are being entered correctly.

The trouble is, I still can’t access the web application over the private link. I initially thought the issue was related to the certificate not containing the full FQDN, so I also created a CNAME to shorten the hashed privatelink name down to a simpler hostname, but that doesn’t seem to help. It always adds .privatelink into the equation.

While this setup does prove that private DNS is working inside the VNet, it’s not giving me much confidence that communication across to the other tenant is working as intended. I’m not sure whether the issue lies with the Private Link setup, the certificate FQDN mismatch, or something else.

Any advice on what to check next would be appreciated.
Vallepu Venkateswarlu 8,430 Reputation points Microsoft External Staff Moderator

2026-05-05T18:35:09.5033333+00:00
Hi @ Ash B,

Can you please share the below command results

nslookup <app>.azurewebsites.net nslookup <app>.privatelink.azurewebsites.net

Please follow the Cross-tenant secure access to apps by using private endpoints.
Ash B 0 Reputation points

2026-05-05T18:55:44.6366667+00:00

@Vallepu Venkateswarlu sure
Vallepu Venkateswarlu 8,430 Reputation points Microsoft External Staff Moderator

2026-05-05T20:55:02.16+00:00
Hi @ Ash B, The issue was due to using the private endpoint FQDN instead of the App Service default hostname, which is not supported for direct access.

The private endpoint FQDN (*.privatelink.azurewebsites.net) correctly resolves to the private IP address

The default App Service hostname (*.azurewebsites.net) resolves via a CNAME chain to the private endpoint and returns the same private IP

DNS resolution is occurring through Azure-provided DNS (168.63.129.16)

Azure App Service does not serve traffic on the privatelink.azurewebsites.net hostname. The service routes requests based on the Host header, and only recognizes configured hostnames such as:

<app>.azurewebsites.net

3 answers

Your answer

Ash B 0 Reputation points

2026-05-01T09:19:41.56+00:00

Thanks, this aligns with my current understanding. To confirm, for Azure App Service the only required Private DNS zone is privatelink.azurewebsites.net (non‑regional), linked to the consumer VNet, containing an A record for <appname>.privatelink.azurewebsites.net. If this zone is not linked or not resolving, the CNAME chain from azurewebsites.net will fail, resulting in public IP resolution or NXDOMAIN. There is no requirement for application‑level changes or routing configuration on the App Service side.
Ash B 0 Reputation points

2026-05-01T10:18:13.55+00:00

Thanks @Vallepu Venkateswarlu

I can confirm the following:

A privatelink.azurewebsites.net Private DNS zone exists in the consumer tenant.

Within that Private DNS zone, I have added:

An A record for <appname>.privatelink.azurewebsites.net pointing to the Private Endpoint IP

An A record for <appname>.scm.privatelink.azurewebsites.net pointing to the Private Endpoint IP

I have deliberately avoided creating any CNAMEs or configuring a custom domain to keep the setup simple and aligned with the default App Service hostname.

DNS cache has been flushed on the VM.

When I run the following from the VM:

nslookup <appname>.privatelink.azurewebsites.net 168.63.129.16

I get:

Server: UnKnown Address: 168.63.129.16 *** UnKnown can't find <appname>.privatelink.azurewebsites.net: Non-existent domain

My understanding is that this confirms the query is reaching Azure-provided DNS (168.63.129.16), but the name is not being resolved via a Private DNS zone visible to this VNet.

I can also confirm:

The Private Endpoint connection is in an Approved state in the provider tenant.

Connectivity to the Private Endpoint IP itself works. Running:

Test-NetConnection -ComputerName <PrivateEndpointIP> -Port 443

returns TcpTestSucceeded : True.

At this point, I am running out of additional troubleshooting steps to try.
Ash B 0 Reputation points

2026-05-05T17:47:07.2066667+00:00

I appear to have gotten a little further today. I’ve managed to get my A records working and can now confirm that my test VM not only has connectivity to the private endpoint, but can also resolve its IP address to the correct DNS name—so I know the A records are being entered correctly.

The trouble is, I still can’t access the web application over the private link. I initially thought the issue was related to the certificate not containing the full FQDN, so I also created a CNAME to shorten the hashed privatelink name down to a simpler hostname, but that doesn’t seem to help. It always adds .privatelink into the equation.

While this setup does prove that private DNS is working inside the VNet, it’s not giving me much confidence that communication across to the other tenant is working as intended. I’m not sure whether the issue lies with the Private Link setup, the certificate FQDN mismatch, or something else.

Any advice on what to check next would be appreciated.
Vallepu Venkateswarlu 8,430 Reputation points Microsoft External Staff Moderator

2026-05-05T18:35:09.5033333+00:00

Hi @ Ash B,

Can you please share the below command results

nslookup <app>.azurewebsites.net nslookup <app>.privatelink.azurewebsites.net

Please follow the Cross-tenant secure access to apps by using private endpoints.
Ash B 0 Reputation points

2026-05-05T18:55:44.6366667+00:00

@Vallepu Venkateswarlu sure
Vallepu Venkateswarlu 8,430 Reputation points Microsoft External Staff Moderator

2026-05-05T20:55:02.16+00:00

Hi @ Ash B, The issue was due to using the private endpoint FQDN instead of the App Service default hostname, which is not supported for direct access.

The private endpoint FQDN (*.privatelink.azurewebsites.net) correctly resolves to the private IP address

The default App Service hostname (*.azurewebsites.net) resolves via a CNAME chain to the private endpoint and returns the same private IP

DNS resolution is occurring through Azure-provided DNS (168.63.129.16)

Azure App Service does not serve traffic on the privatelink.azurewebsites.net hostname. The service routes requests based on the Host header, and only recognizes configured hostnames such as:

<app>.azurewebsites.net

Answer 1

Hi @ Ash B,

Thanks for your response.

The issue is caused by incorrect DNS configuration for App Service Private Endpoint. In cross-tenant scenarios, DNS is not automatically integrated, so you must manually create a Private DNS zone named privatelink.azurewebsites.net in the consumer tenant and add an A record for <appname>.privatelink.azurewebsites.net pointing to the Private Endpoint IP.

The standard App Service hostname resolves via a CNAME chain to this private zone, so without the correct zone and record, DNS queries return NXDOMAIN.

Please follow the Cross-tenant secure access to apps by using private endpoints and verify the configuration.

Diagram that shows how a private endpoint securely connects a user on a virtual machine (VM) in one tenant to a web app in another tenant.

Ref: Troubleshoot Azure Private Endpoint connectivity problems

Pleaseand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 3

The DNS behavior matches a misconfigured or incomplete Private Endpoint DNS setup. For App Service Private Endpoints, DNS must be wired so that the standard hostname (for example, webapp.azurewebsites.net) ultimately resolves to the private endpoint IP via the privatelink zone.

Key points for this scenario:

DNS flow for cross-tenant App Service Private Endpoint

From the cross-tenant architecture:

The VM queries webapp.azurewebsites.net.
Azure public DNS returns a CNAME: webapp.privatelink.azurewebsites.net.
A private DNS zone handles webapp.privatelink.azurewebsites.net and returns an A record with the private endpoint IP.
The VM connects to the private endpoint IP over HTTPS.

If the VM is still resolving to a public IP or gets Non-existent domain, the private DNS zone for privatelink.azurewebsites.net is either missing, not correctly linked, or doesn’t contain the correct A record.

Required DNS configuration in the consumer tenant

For an App Service Private Endpoint in a consumer VNet:

Create an Azure Private DNS zone for the App Service private endpoint zone, for example:
- privatelink.azurewebsites.net (or the appropriate regional/private zone for App Service as documented in the Private Endpoint DNS values).
Link this private DNS zone to the consumer virtual network that hosts the VM.
Ensure the private DNS zone contains an A record for the private endpoint FQDN (for example, webapp.privatelink.azurewebsites.net) pointing to the private endpoint IP.

From the DNS integration guidance:

DNS is critical because the service FQDN must resolve to the private endpoint IP instead of the public IP.
For workloads in a virtual network, use a Private DNS zone linked to that VNet and ensure the A record exists and points to the private endpoint IP.
Avoid mixing multiple services in the same Private DNS zone; use a zone per like-service private endpoint to prevent record deletion or conflicts.

Why Non-existent domain appears

If nslookup for the regional private hostname and short hostname returns Non-existent domain from the VM:

The VM is using Azure-provided DNS, which only resolves:
- Names within the same VNet, and
- Names in linked Private DNS zones.
If the private DNS zone for privatelink.azurewebsites.net is not correctly linked to the VNet, or the A record is missing, the query will fail and fall back to public DNS, which then returns the public IP or NXDOMAIN depending on the name.

The troubleshooting guidance for private endpoints and virtual networks emphasizes:

Verify that the private DNS zone exists for the resource type (for example, privatelink.azurewebsites.net for App Service).
Verify that the private DNS zone is linked to the virtual network.
Verify that the A record exists and matches the private endpoint IP.

Additional steps for cross-tenant scenarios

In cross-tenant architectures:

Each tenant maintains its own private DNS zone and links it to its own VNets.
The consumer tenant must have its own private DNS zone for the privatelink domain and link it to the consumer VNet.
If the VM doesn’t have access to the private DNS zone, Azure public DNS will resolve webapp.privatelink.azurewebsites.net to a public IP, and HTTPS requests to that IP receive 403 Forbidden.

Therefore, in this scenario, the missing piece is typically:

Ensuring the consumer tenant’s private DNS zone for privatelink.azurewebsites.net is correctly configured and linked, and
Ensuring the VM’s DNS resolution path actually uses that private DNS zone.

Manual records and standard hostname resolution

The A record for webapp.privatelink.azurewebsites.net must exist in the private DNS zone and point to the private endpoint IP.
The standard hostname webapp.azurewebsites.net is handled by Azure public DNS, which returns the CNAME to webapp.privatelink.azurewebsites.net. No additional public DNS records should point directly to privatelink.azurewebsites.net.
The provider can configure a custom domain via a CNAME that references the public azurewebsites.net entry, but that CNAME must not point directly to privatelink.azurewebsites.net.

In a correctly configured setup, the standard App Service hostname resolves to the private endpoint IP via the CNAME chain and the private DNS zone. No extra public records are required beyond what the platform creates.

Common pitfalls and limitations

Common issues highlighted in the guidance:

Overriding a zone that’s actively used to resolve public endpoints without proper DNS forwarding can break resolution.
Using a single Private DNS zone for multiple different services or private endpoints can cause record deletion and resolution issues.
Not linking the private DNS zone to the correct VNet, or relying solely on Azure-provided DNS without Private DNS zones, leads to public IP resolution instead of private IP.
If the user or service doesn’t have access to the private DNS zone, queries resolve to a public IP and receive 403 Forbidden.

Summary of what is likely missing:

A correctly configured and linked Private DNS zone for the App Service privatelink domain in the consumer tenant, with an A record for the private endpoint FQDN pointing to the private endpoint IP.
Ensuring the VM’s DNS path uses that private DNS zone so that webapp.azurewebsites.net → CNAME webapp.privatelink.azurewebsites.net → A record (private endpoint IP) works end-to-end.

References:

Share via

Cross-Tenant Azure App Service Private Endpoint DNS Not Resolving to Private IP

3 answers

Your answer