I have 2 virtual networks in 2 different subscriptions as below:
- VNET1 : 192.168.0.0/24 in subscription#1 (HUB)
- VNET2 : 192.168.1.0/24 in subscription#2 (SPOKE)
I've created the peering and I am able to ping from both sides properly.
Now, I have created the Private Zone in subscription#1 (HUB) as shown below:

```hcl
resource "azurerm_private_dns_zone" "keyvalutzone" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = azurerm_resource_group.ipz12-dat-np-connection-rg.name
  depends_on = [
    azurerm_resource_group.ipz12-dat-np-connection-rg
  ]
}
```
and it is linked with the VNET as shown below:

```hcl
resource "azurerm_private_dns_zone_virtual_network_link" "network_link_hub_vnet_keyvalut" {
  name                  = "vnet_link_hub_keyvalut"
  resource_group_name   = azurerm_resource_group.ipz12-dat-np-connection-rg.name
  private_dns_zone_name = azurerm_private_dns_zone.keyvalutzone.name
  virtual_network_id    = azurerm_virtual_network.hub_vnet.id
  depends_on = [
    azurerm_private_dns_zone.keyvalutzone,
    azurerm_virtual_network.hub_vnet
  ]
}
```
Question: Do I need to associate this private DNS zone with all virtual networks including VNET2 in subscription#2 (SPOKE) so that private endpoints can be resolved in VNET2? If so, how do I associate this private DNS zone with VNET2?
Note: I have a Private DNS Resolver in subscription#1 (HUB), as its inbound endpoint address is used as a custom DNS server in VNET1 in subscription#1 (HUB):

```hcl
resource "azurerm_private_dns_resolver" "hub_private_dns_resolver" {
  name                = "hub_private_dns_resolver"
  resource_group_name = azurerm_resource_group.ipz12-dat-np-connection-rg.name
  location            = azurerm_resource_group.ipz12-dat-np-connection-rg.location
  virtual_network_id  = azurerm_virtual_network.hub_vnet.id
}

resource "azurerm_private_dns_resolver_inbound_endpoint" "hub_private_dns_resolver_ie" {
  name                    = "hub_private_dns_resolver_ie"
  private_dns_resolver_id = azurerm_private_dns_resolver.hub_private_dns_resolver.id
  location                = azurerm_private_dns_resolver.hub_private_dns_resolver.location
  ip_configurations {
    private_ip_allocation_method = "Dynamic"
    subnet_id                    = azurerm_subnet.dns_resolver_inbound_subnet.id
  }
}
```
I tried to reproduce the same in my environment and got the results like below:
You can use a virtual network that belongs to a different subscription with a private DNS zone; make sure you have write permission on the virtual networks and the private DNS zone, such as the Network Contributor and Private DNS Zone Contributor roles.
If you are using a private endpoint in a hub-and-spoke model, from a different subscription or the same subscription, it is recommended to link the same private DNS zones to all spoke and hub virtual networks that contain clients that need DNS resolution from the zones.
You can link a private DNS zone with any number of virtual networks. It is also possible to link a private zone to a virtual network that is part of a different subscription.
Make sure to enable auto registration so that whenever a new virtual machine is created it is automatically registered with this private DNS zone.
Then I created a virtual machine; it registered automatically, and I tried to add a record like below:
Now test the private DNS zone and configure the firewall on both virtual machines to allow inbound ICMP packets, using PowerShell over RDP, like below:
Now from this machine vm2 (infra002) I am able to ping vm1 using the automatically registered host name, like below:
Reference:
Azure Private Endpoint DNS configuration | Microsoft
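The cross-subscription link that the question asks for and the answer describes, as an added Terraform example (not code from either post): a second, aliased `azurerm` provider for subscription#2 looks up VNET2, and the link is created next to the hub zone with only `virtual_network_id` pointing into the spoke subscription. The spoke subscription id, VNET2 name and its resource group name are placeholders.

```hcl
# Default provider: subscription#1 (HUB), where the zone and resolver live.
provider "azurerm" {
  features {}
}

# Second provider for subscription#2 (SPOKE). The identity running Terraform
# needs Network Contributor on VNET2 and Private DNS Zone Contributor on the zone.
provider "azurerm" {
  alias           = "spoke"
  features {}
  subscription_id = "00000000-0000-0000-0000-000000000000" # placeholder: subscription#2
}

# Look up VNET2 (192.168.1.0/24) in the spoke subscription.
data "azurerm_virtual_network" "spoke_vnet" {
  provider            = azurerm.spoke
  name                = "vnet2"    # placeholder: VNET2 name
  resource_group_name = "spoke-rg" # placeholder: VNET2 resource group
}

# The link is a child resource of the zone, so it is created in the hub
# subscription with the default provider; the VNet id crosses subscriptions.
resource "azurerm_private_dns_zone_virtual_network_link" "network_link_spoke_vnet_keyvalut" {
  name                  = "vnet_link_spoke_keyvalut"
  resource_group_name   = azurerm_resource_group.ipz12-dat-np-connection-rg.name
  private_dns_zone_name = azurerm_private_dns_zone.keyvalutzone.name
  virtual_network_id    = data.azurerm_virtual_network.spoke_vnet.id
  # Spoke clients only need to resolve privatelink records, not register hosts.
  registration_enabled = false
}
```

If VNET2 keeps Azure-provided DNS, this link alone makes the privatelink zone resolvable there; if VNET2 instead uses the hub resolver's inbound endpoint as its custom DNS server, resolution follows the zones linked to VNET1, where the resolver is deployed.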