Share via

how communication and\or dns resolution works in azure VM to the internt?

sapir k 20 Reputation points
2025-11-26T13:30:55.8166667+00:00

hi:)

i would like to understand the traffic flow from azure VM to the internet, and through which component it is passing through. and with that how the dns query for public name works.

i understand that if i want to reach a specific address my vm send a dns query, its going to azure dns which have a static ip of 168.63.129.16 in my vnet. if its private name it will go to azure private dns service... but if its a public name it goes to azure private resolver (mabey i got the process wrong) and then i dont understand what is happening. is the dns query getting out through the outbound endpoint? (vpn getaway\load balancer etc)

and then okay its out in the WAN but it goes to authoritative dns server? and then from there it get translated to ip and then from there the conversetion between the public ip and the vm can continue?

i searched the whole internet for an answer and whould really like some help thank you!

Azure DNS
Azure DNS
An Azure service that enables hosting Domain Name System (DNS) domains in Azure.
Answer accepted by question author
  1. Vallepu Venkateswarlu 1,235 Reputation points Microsoft External Staff Moderator
    2025-11-26T18:13:52.6866667+00:00

    Hi @ sapir k,

    Welcome to Microsoft Q&A Platform.

    Azure VMs send all DNS queries—both private and public—to the Azure-provided DNS server at 168.63.129.16, which handles internal VNet name resolution as well as internet (public) DNS resolution inside Azure. These DNS queries do not use your outbound path (NAT Gateway, Azure Firewall, VPN Gateway, Load Balancer, etc.).

    If the queried name is private, Azure resolves it using Private DNS Zones or any custom forwarding rules you configure (such as via Azure DNS Private Resolver). If the queried name is public, Azure still resolves it internally, using Azure’s recursive DNS infrastructure—not your public IP and not your outbound components.

    Only after the VM receives the resolved public IP does the actual outbound connection follow your configured egress path (NAT Gateway, Firewall, Load Balancer, UDR → VPN/ER, etc.).

    Ref: Azure-provided name resolution and Azure IP address 168.63.129.16

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2025-11-26T13:32:12.2233333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    In Azure, communication from a virtual machine (VM) to the internet involves several components and processes, particularly concerning DNS resolution. Here’s a breakdown of how this works:

    1. DNS Query Initiation: When an Azure VM needs to reach a public address, it first sends a DNS query to resolve the domain name into an IP address. This query is directed to Azure's DNS service, which is accessible via the static IP address 168.63.129.16. This IP is used by Azure-provided DNS for name resolution.
    2. Public vs. Private DNS Resolution:
      • For private names, the query is handled by Azure Private DNS, which manages and resolves domain names within the virtual network.
      • For public names, the DNS query is forwarded to Azure DNS, which then resolves the name by querying authoritative DNS servers on the internet.
    3. Outbound Traffic Flow: After the DNS resolution process, if the query is for a public IP, the VM can then initiate outbound traffic. This traffic typically flows through Azure's infrastructure, which may include components such as a VPN gateway or load balancer, depending on your network configuration.
    4. Reaching Authoritative DNS Servers: Once the DNS query is resolved, the VM can communicate with the public IP address. The DNS query indeed reaches the authoritative DNS servers on the internet, which provide the final IP address corresponding to the domain name.
    5. Continuing Communication: After obtaining the public IP address, the VM can establish a connection to that IP, allowing for ongoing communication over the internet.

    In summary, the process involves the VM sending a DNS query to Azure DNS, which resolves it (either through private or public DNS services), and then the VM can communicate with the resolved public IP address through Azure's outbound traffic pathways.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.