Configure DNS forwarding for Azure Files
Title: Configure DNS forwarding for Azure Files using VMs or Azure DNS Private Resolver — Summary
Overview
Azure Files supports private endpoints so file share traffic can travel over private networks (VNets) and on-premises connections (VPN or ExpressRoute).
To ensure client lookups resolve to the private endpoint IP (instead of the public IP), you must forward DNS queries for the storage endpoint suffix (core.chinacloudapi.cn for 21Vianet regions) to Azure Private DNS.
Two DNS forwarding options:
DNS server VMs in Azure (conditional forwarders to Azure DNS).
Azure DNS Private Resolver (managed service; point on-premises forwarders to its inbound endpoint).
Applies to (file share types)
File share type                    Redundancy   SMB   NFS
Standard file shares (GPv2)        LRS/ZRS      Yes   No
Standard file shares (GPv2)        GRS/GZRS     Yes   No
Premium file shares (FileStorage)  LRS/ZRS      Yes   Yes
Key concepts
Every storage account has an FQDN of the form storageaccount.file.core.chinacloudapi.cn (storageaccount is the account name). By default it resolves to the public endpoint.
Creating a private endpoint adds an A record with the private IP to the privatelink.file.core.chinacloudapi.cn private DNS zone, links that zone to the VNet, and makes the public FQDN a CNAME to storageaccount.privatelink.file.core.chinacloudapi.cn. Clients inside the VNet get the private IP through Azure DNS automatically; on-premises clients only get it if their DNS queries for the storage suffix are forwarded into Azure Private DNS.
Prerequisites
A storage account with an Azure file share.
A private endpoint for that storage account.
Latest Azure PowerShell module.
How to configure DNS forwarding
Using DNS server VMs
On the on-premises DNS servers: create a conditional forwarder for the storage endpoint suffix that points at the IPs of your Azure DNS server VMs.
Example PowerShell:
Set $vnetDnsServers to your Azure DNS VM IPs and add a conditional forwarder for the storage endpoint suffix (read from Get-AzContext, so it matches the cloud you are signed in to).
On the Azure DNS server VMs: add a conditional forwarder for the storage endpoint suffix pointing to 168.63.129.16 (the Azure-provided DNS virtual IP) so that queries reach Azure Private DNS and the linked privatelink zone.
Using Azure DNS Private Resolver
Instead of VM DNS servers, point your on-premises conditional forwarder at the resolver’s inbound endpoint IP.
The resolver forwards queries to Azure private DNS by default if the private zone is linked to the resolver’s VNet.
Example PowerShell: set $privateResolver to the resolver inbound IP and add the conditional forwarder for the storage endpoint suffix.
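The two options above as one runnable script. This is an added example, not the script from the original article: it assumes Windows Server DNS (the DnsServer module) on every DNS host, WinRM access from the admin workstation, and an Az PowerShell session (Get-AzContext). The host names and IPs ($onPremDnsServers, $vnetDnsServers, $privateResolver) are placeholders to replace with your own.

```powershell
# Added example (not the page's own script): configure the conditional forwarder
# for the storage endpoint suffix on the on-premises DNS servers and, for the
# DNS server VM option, on the Azure DNS VMs as well.
# Assumes: DnsServer module on each DNS host, WinRM reachable, Az signed in.
param(
    [ValidateSet('DnsServerVMs', 'PrivateResolver')]
    [string] $Mode = 'DnsServerVMs'
)

# Storage endpoint suffix for the current cloud (core.chinacloudapi.cn for 21Vianet).
$storageSuffix = (Get-AzContext).Environment.StorageEndpointSuffix
if (-not $storageSuffix) { throw 'Run Connect-AzAccount first; no storage endpoint suffix found.' }

# Placeholders (hypothetical values): replace with your own DNS infrastructure.
$onPremDnsServers = @('onprem-dns-01', 'onprem-dns-02')  # on-premises DNS servers
$vnetDnsServers   = @('10.0.1.4', '10.0.1.5')           # Azure DNS server VM IPs
$privateResolver  = @('10.0.2.4')                        # DNS Private Resolver inbound endpoint IP
$azureDnsVip      = '168.63.129.16'                      # Azure-provided DNS; reaches Azure Private DNS

# Runs on each DNS server: create the conditional forwarder, or update it if it
# already exists, so the script can be re-run safely.
$setForwarder = {
    param([string] $ZoneName, [string[]] $MasterServers)
    $existing = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
    if ($existing) {
        Set-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $MasterServers
    } else {
        Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $MasterServers
    }
    # Return the resulting zone so the caller can see what each server now forwards to.
    Get-DnsServerZone -Name $ZoneName | Select-Object ZoneName, MasterServers
}

# Step 1: on-premises servers forward the suffix into Azure, either to the DNS
# server VMs or to the Private Resolver inbound endpoint.
$onPremTarget = if ($Mode -eq 'PrivateResolver') { $privateResolver } else { $vnetDnsServers }
foreach ($server in $onPremDnsServers) {
    Invoke-Command -ComputerName $server -ScriptBlock $setForwarder `
        -ArgumentList $storageSuffix, $onPremTarget
}

# Step 2 (DNS server VM option only): the Azure VMs forward the suffix to
# 168.63.129.16, which answers from the privatelink zone linked to the VNet.
# The Private Resolver does this on its own once the zone is linked to its VNet.
if ($Mode -eq 'DnsServerVMs') {
    foreach ($server in $vnetDnsServers) {
        Invoke-Command -ComputerName $server -ScriptBlock $setForwarder `
            -ArgumentList $storageSuffix, $azureDnsVip
    }
}
```

Each Invoke-Command returns the zone it configured, so the output is a per-server record of which forwarder targets are in place. The script follows the article in forwarding the whole storage endpoint suffix; if Azure Files is the only service you need resolved privately, scoping $storageSuffix to file.core.chinacloudapi.cn limits how much of the public domain is redirected to your Azure DNS infrastructure, which narrows the cross-tenant issue described under Warnings and considerations.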
Warnings and considerations
Forwarding the entire core.chinacloudapi.cn zone to your Azure DNS infrastructure means all queries for that public domain go to your Azure DNS. This can cause cross-tenant resolution issues (private endpoints in another tenant may produce CNAMEs not present in your private DNS zone). Workaround: create a cross-tenant private endpoint for that storage account.
Verification
Clear local DNS cache: Clear-DnsClientCache
Resolve the storage FQDN: Resolve-DnsName -Name storageaccount.file.core.chinacloudapi.cn
Expected: A CNAME to storageaccount.privatelink.file.core.chinacloudapi.cn and an A record with the private IP.
For SMB shares, check TCP connectivity: Test-NetConnection -ComputerName storageaccount.file.core.chinacloudapi.cn -CommonTCPPort SMB
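The verification steps above wrapped in one function, as an added example rather than the article's own commands. It assumes the DnsClient and NetTCPIP modules available on Windows clients; the storage account name 'storageaccount' is a placeholder. It goes slightly beyond the article by checking that the resolved address is actually a private (RFC 1918) IP, which is what distinguishes a working forwarder from a client that silently fell back to the public endpoint.

```powershell
# Added example (not the page's own): check from a client that the storage
# account FQDN resolves via the privatelink CNAME to a private IP, and
# optionally that SMB (TCP 445) is reachable on that address.
function Test-AzureFilesPrivateResolution {
    param(
        [Parameter(Mandatory)] [string] $StorageAccount,
        [string] $StorageSuffix = 'core.chinacloudapi.cn',  # 21Vianet regions
        [switch] $CheckSmb
    )
    $fqdn            = "$StorageAccount.file.$StorageSuffix"
    $privateLinkFqdn = "$StorageAccount.privatelink.file.$StorageSuffix"

    # Flush the local cache so a stale public answer does not mask a fixed forwarder,
    # and query DNS only (no cache, LLMNR or NetBIOS fallback).
    Clear-DnsClientCache
    $records = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction Stop

    $cname = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $a     = $records | Where-Object { $_.Type -eq 'A' }     | Select-Object -First 1

    # A private endpoint IP comes from the VNet address space; RFC 1918 is the
    # usual case. Compare against your actual VNet prefixes for a stricter check.
    $isPrivate = $false
    if ($a) {
        $b = [System.Net.IPAddress]::Parse($a.IPAddress).GetAddressBytes()
        $isPrivate = ($b[0] -eq 10) -or
                     ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                     ($b[0] -eq 192 -and $b[1] -eq 168)
    }

    $result = [pscustomobject]@{
        Fqdn               = $fqdn
        CnameTarget        = if ($cname) { $cname.NameHost } else { $null }
        CnameIsPrivateLink = [bool]($cname -and $cname.NameHost -ieq $privateLinkFqdn)
        ResolvedIP         = if ($a) { $a.IPAddress } else { $null }
        IPIsPrivate        = $isPrivate
        SmbReachable       = $null
    }
    if ($CheckSmb) {
        $tnc = Test-NetConnection -ComputerName $fqdn -CommonTCPPort SMB -WarningAction SilentlyContinue
        $result.SmbReachable = $tnc.TcpTestSucceeded
    }
    return $result
}

# Usage (placeholder account name). CnameIsPrivateLink = True with IPIsPrivate = False
# means the CNAME chain is fine but the privatelink zone was not consulted, i.e. the
# query never reached Azure Private DNS.
Test-AzureFilesPrivateResolution -StorageAccount 'storageaccount' -CheckSmb | Format-List
```

Run it from an on-premises client after the forwarders are in place and again from a VM in the VNet; both should report CnameIsPrivateLink and IPIsPrivate as True. A public IP on the on-premises client with a private IP in the VNet points at the on-premises conditional forwarder rather than the Azure side.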
References
Create an Azure file share: https://docs.azure.cn/en-us/storage/files/storage-how-to-create-file-share
Create a private endpoint: https://docs.azure.cn/en-us/storage/files/storage-files-networking-endpoints#create-a-private-endpoint
Azure DNS Private Resolver (portal): https://docs.azure.cn/en-us/dns/dns-private-resolver-get-started-portal
Additional guidance:
Planning for an Azure Files deployment: https://docs.azure.cn/en-us/storage/files/storage-files-planning
Azure Files networking considerations: https://docs.azure.cn/en-us/storage/files/storage-files-networking-overview
Configuring Azure Files network endpoints: https://docs.azure.cn/en-us/storage/files/storage-files-networking-endpoints
Last update mentioned in the article: 09/30/2025