Hot take: "Private endpoints fail for one reason: DNS ownership is unclear."

If you have ever stared at a Private Endpoint that shows "Approved" and "Succeeded" while your app times out, you already know the punchline. The network path is rarely the first problem. Name resolution is.

A Private Endpoint is, at bottom, a NIC in your VNet with a private IP. Everything that follows depends on one thing: the client must resolve the service FQDN to that private IP, from the network where the client sits. When ownership of that name resolution is fuzzy, teams chase NSGs, routes, certificates, firewalls, and "Azure is down" theories for hours.

TL;DR

·        Treat Private Endpoint troubleshooting as a DNS problem first, a networking problem second.

·        From the same client that is failing, prove what DNS server it uses and what IP it gets back.

·        If the answer is a public IP, you are not on the private path: no linked Private DNS zone answered the query, so it fell through to public resolution. If the answer is NXDOMAIN, something that is authoritative for the privatelink zone answered and has no record for this host: typically a linked zone the endpoint's DNS zone group never wrote into, or a resolver chain (custom DNS, on-prem forwarder) that cannot reach the zone.

·        Make one team the owner of Private DNS zones and VNet links. Without that, you will keep re-learning the same outage.
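The TL;DR steps above, as an added example that is not code from the original post: a small POSIX shell helper that turns the `dig` answer taken from the failing client into the three verdicts (private path, public path, NXDOMAIN). The hostnames, IPs and `dig` output it embeds are constructed samples, not real captures; the classifier assumes the VNet uses RFC 1918 address space, and the live check assumes `dig` is installed on the client.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies what a client's DNS
# answer for a Private Link FQDN means. Sample names, IPs and dig output below
# are constructed; privatelink.blob.core.windows.net is the standard Azure
# Private DNS zone name for Blob storage.

# Heuristic: RFC 1918 ranges only (10/8, 172.16/12, 192.168/16).
# Assumption: the VNet uses RFC 1918 space; extend this if yours does not.
is_private_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  return 1
}

# Read the text of `dig +noall +comments +answer <fqdn>` on stdin and print one
# verdict line:
#   private-path <ip>  the client will reach the Private Endpoint
#   public-path <ip>   no linked zone answered; the query fell through to public DNS
#   nxdomain           something authoritative for the zone answered with no record
#   no-answer          NOERROR but no A record came back (NODATA or CNAME only)
classify_dig() {
  text=$(cat)
  status=$(printf '%s\n' "$text" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  # Last A record in the answer section: fields are name TTL IN A <ip>
  ip=$(printf '%s\n' "$text" | awk '$3 == "IN" && $4 == "A" { ip = $5 } END { print ip }')
  case $status in
    NXDOMAIN) echo nxdomain; return 0 ;;
  esac
  if [ -z "$ip" ]; then echo no-answer; return 0; fi
  if is_private_ipv4 "$ip"; then
    echo "private-path $ip"
  else
    echo "public-path $ip"
  fi
}

# Live check, run on the client that is actually failing (needs dig).
# Usage: check_fqdn <fqdn> [dns-server]
check_fqdn() {
  fqdn=$1; server=${2:-}
  # Which resolver this client really uses, not the one the diagram says it uses.
  printf 'resolver: %s\n' "$(awk '/^nameserver/ { print $2; exit }' /etc/resolv.conf 2>/dev/null)"
  dig +noall +comments +answer ${server:+"@$server"} "$fqdn" | classify_dig
}

# Constructed dig output for the three cases (not real captures).
SAMPLE_PRIVATE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
mystorage.blob.core.windows.net. 60 IN CNAME mystorage.privatelink.blob.core.windows.net.
mystorage.privatelink.blob.core.windows.net. 10 IN A 10.20.1.5'

SAMPLE_PUBLIC=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; ANSWER SECTION:
mystorage.blob.core.windows.net. 60 IN CNAME mystorage.privatelink.blob.core.windows.net.
mystorage.privatelink.blob.core.windows.net. 60 IN CNAME blob.example-cluster.store.core.windows.net.
blob.example-cluster.store.core.windows.net. 60 IN A 20.60.1.2'

SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3'

# With no arguments, classify the constructed samples; with an FQDN, check it live.
if [ $# -gt 0 ]; then
  check_fqdn "$@"
else
  for s in "$SAMPLE_PRIVATE" "$SAMPLE_PUBLIC" "$SAMPLE_NXDOMAIN"; do
    printf '%s\n' "$s" | classify_dig
  done
fi
```

Run it with no arguments to see the three constructed cases, or with an FQDN (and optionally a DNS server) on the real client. The point of the `resolver:` line is the second TL;DR item: a jump box in another VNet, or a laptop on VPN, may get a different answer than the app that is timing out, so the check only means something when it is run from where the failure is.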

The mental model (30 seconds)

Private Link does not change your application. It changes where the name points.
