Hi @Perez, Alexis (ACS),
Welcome to Microsoft Q&A Platform.
What’s needed in Active Directory DNS to force Azure resources to resolve Azure Container Apps ( .azurecontainerapps.io ) to Private IP instead of Public IP? Do we need a new zone or a forwarder?
An on-prem client resolves an Azure private name when the on-prem AD DNS server forwards the query to the inbound endpoint of the Azure DNS Private Resolver.
Azure DNS then consults the Private DNS Zone and returns the private IP. If you get a public IP instead, likely causes are:
- No conditional forwarder on AD DNS pointing to the inbound endpoint IP.
- Inbound endpoint is missing or unreachable (wrong subnet/NSG/VPN).
- Private DNS Zone is missing, not linked, or missing the A records.
To resolve the issue, verify that your Active Directory DNS conditional forwarder points to the inbound endpoint IP address. Ensure that the inbound endpoint is deployed in a dedicated subnet and is reachable over VPN or ExpressRoute with UDP/TCP port 53 allowed. Confirm that the private DNS zone and records exist and are correctly linked to the virtual network.
Follow the Traffic flow for an on-premises DNS query for more details.
If you are trying to access Container Apps from a private network, make sure to enable a Private Endpoint for the container. This will automatically create a Private DNS Zone and link it to the selected VNet. Ensure that you select the same VNet where your resource is configured; if it is different, configure VNet peering.
Note: Make sure public network access is disabled on the ACA environment, so that only the private endpoint is used, making the private DNS override meaningful.
Ref:
- Private endpoints and DNS for virtual networks in Azure Container Apps environments
- Azure Private Endpoint DNS integration scenarios
Kindly let us know if the above helps or you need further assistance on this issue.
Please “Accept Answer” and “up-vote” if the information helped you. This will help us and others in the community as well.
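The checks the answer above lists (port 53 reachable, conditional forwarder present and pointing at the inbound endpoint, private rather than public IP returned) can be run from the AD DNS server itself. The following PowerShell is an added example and is not part of the original answer or of any Microsoft documentation; it uses the DnsServer, NetTCPIP and DnsClient cmdlets. The inbound endpoint IP, the forwarder zone name (which should be taken from the "Public DNS zone forwarders" column for Container Apps in the Private Endpoint DNS integration doc) and the test FQDN are assumed placeholders.

```powershell
# Added example (not from the original answer). Run on the on-prem AD DNS server
# in an elevated PowerShell session with the DnsServer module available.

# Assumed values: replace with your own.
$InboundEndpointIp = '10.10.0.4'                              # Private Resolver inbound endpoint IP (assumed)
$ForwarderZone     = '<region>.azurecontainerapps.io'         # public zone to forward; confirm in the DNS integration doc (assumed placeholder)
$TestName          = 'myapp.<region>.azurecontainerapps.io'   # an app FQDN in the private environment (assumed placeholder)

function Test-PrivateIPv4 {
    # True for RFC 1918 addresses (10/8, 172.16/12, 192.168/16); a private endpoint NIC lives in one of these.
    param([Parameter(Mandatory)][string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Show-DnsAnswer {
    # Reports whether a set of DnsClient records contains only private A records.
    param([string]$Label, $Records)
    $ips = @($Records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    if ($ips.Count -eq 0) {
        Write-Warning "$Label returned no A record for $TestName (zone not linked, record missing, or query never reached Azure)."
    }
    elseif (@($ips | Where-Object { -not (Test-PrivateIPv4 $_) }).Count -gt 0) {
        Write-Warning "$Label returned a public IP ($($ips -join ', ')): the Private DNS Zone was not consulted."
    }
    else {
        Write-Host "$Label returned private IP(s): $($ips -join ', ')"
    }
}

# 1. Reachability of the inbound endpoint on port 53 across VPN/ExpressRoute.
#    Test-NetConnection checks TCP only; UDP 53 must also be allowed on the NSG/firewall.
$probe = Test-NetConnection -ComputerName $InboundEndpointIp -Port 53
if (-not $probe.TcpTestSucceeded) {
    Write-Warning "TCP 53 to $InboundEndpointIp failed; fix subnet/NSG/VPN before changing DNS."
}

# 2. Conditional forwarder: present, of the right type, pointing at the inbound endpoint?
$zone = Get-DnsServerZone -Name $ForwarderZone -ErrorAction SilentlyContinue
if ($null -eq $zone) {
    Add-DnsServerConditionalForwarderZone -Name $ForwarderZone -MasterServers $InboundEndpointIp -ReplicationScope 'Forest'
    Write-Host "Created conditional forwarder $ForwarderZone -> $InboundEndpointIp"
}
elseif ($zone.ZoneType -ne 'Forwarder') {
    # A locally hosted zone with this name answers from its own records and never asks Azure.
    Write-Warning "$ForwarderZone is hosted locally as a $($zone.ZoneType) zone, not forwarded."
}
else {
    $masters = @($zone.MasterServers | ForEach-Object { $_.IPAddressToString })
    if ($masters -notcontains $InboundEndpointIp) {
        Write-Warning "Forwarder $ForwarderZone points to $($masters -join ', '), not $InboundEndpointIp."
    }
    else {
        Write-Host "Forwarder $ForwarderZone -> $($masters -join ', ') looks correct."
    }
}

# 3. Compare the answer from the inbound endpoint directly with the answer via the AD DNS server.
#    If the direct query is private but the AD DNS query is public, the forwarder is the problem;
#    if both are public, the Private DNS Zone or its VNet link is the problem.
$direct = Resolve-DnsName -Name $TestName -Type A -Server $InboundEndpointIp -ErrorAction SilentlyContinue
$viaAd  = Resolve-DnsName -Name $TestName -Type A -ErrorAction SilentlyContinue
Show-DnsAnswer -Label 'Inbound endpoint' -Records $direct
Show-DnsAnswer -Label 'AD DNS'           -Records $viaAd
```

Step 3 is the useful discriminator: querying the inbound endpoint directly with `-Server` bypasses the on-prem forwarder, so a private answer there and a public answer from AD DNS isolates the fault to the forwarder configuration, while a public answer from both points at the Private DNS Zone, its records or its VNet link.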