IBM Support

Unable to add Azure Private DNS Zone Configuration of Azure Private Endpoint

Troubleshooting


Problem

Introduction:

Private DNS zones are managed by the azurerm_private_dns_zone resource block. You can create DNS zones with the same name in different resource groups or subscriptions. However, only one zone with a given name can be attached to a private endpoint at a time through the azurerm_private_endpoint resource block. The private endpoint can front any resource that supports Private Link, for example a storage account or Azure Databricks.

Problem:

Create two private DNS zones with the same name in different resource groups, create a private endpoint, and attach one of the DNS zones to the private endpoint.

When you then change the value of private_dns_zone_ids from private_dns_zone_ids = [azurerm_private_dns_zone.example-newrg.id] to private_dns_zone_ids = [azurerm_private_dns_zone.example.id], the apply fails with the following error:

 

Error: creating Private DNS Zone Group "private_dns_zone_group" for Private Endpoint "pe-dbw-siramdev-001" (Resource Group "rg-svk-dbw-001"): network.PrivateDNSZoneGroupsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="UpdatingPrivateDnsZoneIdOnPrivateDnsZoneConfigNotAllowed"

To explain the problem and the solution more clearly, here is the code snippet in which the storage account is mapped to the private endpoint:

  resource "azurerm_resource_group" "example" {
    name     = "xxx"
    location = "xxx"
  }

  resource "azurerm_resource_group" "example-new" {
    name     = "xxx-new"
    location = "xxx"
  }

  resource "azurerm_virtual_network" "example" {
    name                = "nic-tag-network-1"
    address_space       = ["0.0.0.0/16"]
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name
  }

  resource "azurerm_subnet" "example" {
    name                 = "internal-1"
    resource_group_name  = azurerm_resource_group.example.name
    virtual_network_name = azurerm_virtual_network.example.name
    address_prefixes     = ["0.0.0.0/24"]
  }

  resource "azurerm_network_interface" "example" {
    name                = "example-nic-1"
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name

    tags = {
      Name = "example-network-interface"
    }

    ip_configuration {
      name                          = "internal"
      subnet_id                     = azurerm_subnet.example.id
      private_ip_address_allocation = "Dynamic"
    }
  }

  # The resource that is exposed through the private endpoint.
  resource "azurerm_storage_account" "example-new" {
    name                     = "examplenicnew"
    resource_group_name      = azurerm_resource_group.example.name
    location                 = azurerm_resource_group.example.location
    account_tier             = "Standard"
    account_replication_type = "LRS"
  }

  resource "azurerm_private_endpoint" "example" {
    name                = "example-endpoint"
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name
    subnet_id           = azurerm_subnet.example.id

    private_service_connection {
      name                           = "example-privateserviceconnection"
      private_connection_resource_id = azurerm_storage_account.example-new.id
      subresource_names              = ["blob"]
      is_manual_connection           = false
    }

    # Only one of the two zones with the same name can be attached at a time.
    private_dns_zone_group {
      name                 = "example-dns-zone-group"
      # private_dns_zone_ids = [azurerm_private_dns_zone.example.id]
      private_dns_zone_ids = [azurerm_private_dns_zone.example-newrg.id]
    }
  }

  # Two private DNS zones with the same name in different resource groups.
  resource "azurerm_private_dns_zone" "example" {
    name                = "privatelink.blob.core.windows.net"
    resource_group_name = azurerm_resource_group.example.name
  }

  resource "azurerm_private_dns_zone" "example-newrg" {
    name                = "privatelink.blob.core.windows.net"
    resource_group_name = azurerm_resource_group.example-new.name
  }


Solution:

To attach the DNS zone with the same name, follow these steps:

  1. Remove the previous id from the list of private_dns_zone_ids and apply the run.
  2. Now add the id that belongs to the other resource group to the list of private_dns_zone_ids.
  3. Apply the plan. Done this way, the private endpoint is not recreated.

The changes at configuration level are as follows:

  1. Comment out the current private_dns_zone_group block and trigger the run:

       /*private_dns_zone_group {
         name                 = "example-dns-zone-group"
         # private_dns_zone_ids = [azurerm_private_dns_zone.example.id]
         private_dns_zone_ids = [azurerm_private_dns_zone.example-newrg.id]
       }*/

  2. Change the private DNS zone and trigger the run:

       private_dns_zone_group {
         name                 = "example-dns-zone-group"
         private_dns_zone_ids = [azurerm_private_dns_zone.example.id]
         # private_dns_zone_ids = [azurerm_private_dns_zone.example-newrg.id]
       }

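Before applying either run, it is worth confirming that the plan neither replaces the private endpoint nor swaps one zone id for another inside an existing DNS zone configuration (the in-place change that the API rejects). The following script is an added example, not part of this document or of the Terraform provider: it reads the JSON produced by "terraform show -json tfplan" and flags both conditions. The plan documents it inspects are constructed inline (subscription id, resource ids and addresses are placeholders), and the helper names check_plan and zone_ids are this example's own.

```python
import json
import sys

# Constructed placeholder zone ids (not from the page): the same zone name in
# resource groups "xxx-new" and "xxx".
ZONE_OLD = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "xxx-new/providers/Microsoft.Network/privateDnsZones/"
            "privatelink.blob.core.windows.net")
ZONE_NEW = ZONE_OLD.replace("resourceGroups/xxx-new/", "resourceGroups/xxx/")


def _plan(before_ids, after_ids, actions):
    """Build a minimal, constructed `terraform show -json` document with one
    azurerm_private_endpoint change. None means the zone group block is absent."""
    def state(ids):
        group = [] if ids is None else [{"name": "example-dns-zone-group",
                                         "private_dns_zone_ids": ids}]
        return {"name": "example-endpoint", "private_dns_zone_group": group}

    return json.dumps({
        "format_version": "1.2",
        "resource_changes": [{
            "address": "azurerm_private_endpoint.example",
            "type": "azurerm_private_endpoint",
            "change": {"actions": actions,
                       "before": state(before_ids),
                       "after": state(after_ids)},
        }],
    })


# The direct id swap from the problem statement, and the two-step route
# from the solution, plus a plan that would recreate the endpoint.
PLAN_IN_PLACE_SWAP = _plan([ZONE_OLD], [ZONE_NEW], ["update"])
PLAN_STEP_1_REMOVE = _plan([ZONE_OLD], None, ["update"])
PLAN_STEP_2_ATTACH = _plan(None, [ZONE_NEW], ["update"])
PLAN_REPLACE = _plan([ZONE_OLD], [ZONE_NEW], ["delete", "create"])


def zone_ids(endpoint_state):
    """Collect every private DNS zone id configured on an endpoint state."""
    ids = set()
    for group in (endpoint_state or {}).get("private_dns_zone_group") or []:
        ids.update(group.get("private_dns_zone_ids") or [])
    return ids


def check_plan(plan_json):
    """Return (address, problem) pairs for private endpoint changes that would
    recreate the endpoint or change zone ids inside an existing zone group."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "azurerm_private_endpoint":
            continue
        change = rc["change"]
        actions = change.get("actions", [])
        if "delete" in actions and "create" in actions:
            findings.append((rc["address"], "endpoint-replaced"))
            continue
        if actions != ["update"]:
            continue
        before = zone_ids(change.get("before"))
        after = zone_ids(change.get("after"))
        # Removing the block (step 1) or adding it back (step 2) leaves one side
        # empty; only a non-empty-to-non-empty difference is an in-place swap.
        if before and after and before != after:
            findings.append((rc["address"], "dns-zone-id-swap"))
    return findings


if __name__ == "__main__":
    # Usage: terraform plan -out=tfplan && terraform show -json tfplan > plan.json
    #        python check_plan.py plan.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            problems = check_plan(fh.read())
    else:
        problems = check_plan(PLAN_IN_PLACE_SWAP)
    for address, problem in problems:
        print(f"{address}: {problem}")
    sys.exit(1 if problems else 0)
```

Run it against the plan of each step before applying: a non-zero exit on the first step means the zone group was changed rather than removed, and on the second step it means the endpoint is about to be replaced instead of updated.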

Outcome: You are able to attach one DNS zone configuration with the same name to the private endpoint at a time, without recreating the endpoint.

 

Additional Information: 

  • If you're still experiencing issues, please contact HCP Terraform Support by submitting a ticket through our support portal

 

Document Location

Worldwide


Historical Number

39774486796179

Document Information

Modified date:
16 March 2026

UID

ibm17263951