I am currently preparing for the Microsoft Azure Security Technologies (AZ-500) exam and came across this question. The question is:
You have an Azure subscription that contains a storage account and an Azure web app named App1. App1 connects to an Azure Cosmos DB database named Cosmos1 that uses a private endpoint named Endpoint1. Endpoint1 has the default settings.
You need to validate the name resolution to Cosmos1.
Which DNS zone should you use?
The answer is available on different platforms, including the one I mentioned below, but I am unable to know the logic behind the correctness of this answer. I understand which option is right, but I want to know the detailed reasoning behind it. Can someone please explain the logic or concept behind the correct answer for this question? It would really help me and others who are preparing for the AZ-500 exam to understand similar scenarios better.
This is an issue with most of the “brain dump” style sites you find online. They will provide an answer, but they rarely explain it.
I asked Google AI and this was its answer:
“To validate the name resolution for your Cosmos DB private endpoint, you should use the privatelink.documents.azure.com Private DNS zone. This is the standard zone used by Azure for Cosmos DB accounts with private endpoints to resolve to a private IP address instead of the public one.”
AI went on to give more information, but the meat of the answer is above. The more AI drones on the more chance it can hallucinate things
The correct DNS zone is privatelink.documents.azure.com. When a private endpoint is created for Azure Cosmos DB, Azure automatically sets up a private DNS zone for name resolution. This allows the service, like App1 in your case, to resolve Cosmos1’s name to its private IP instead of the public one. It’s part of Azure Private Link’s design to keep communication secure and internal within the VNet.
