A list of all Azure PaaS services that utilise Private Link, and a categorisation of how they behave in respect to Multi-Region failover and DNS integration. Click the links to official MS Docs, as well as Video links to more detailed tutorials.
The main article is here, please consider this an addendum of links to further Azure service-specific guides.
This page is a living document, and I will add more services as I find time to assess them, thanks!
Azure PaaS that can utilise a single Global Azure DNS Private Zone and failover without user-intervention of DNS records
| Service | Microsoft Docs | Video | Notes |
|---|---|---|---|
| Azure SQL | https://youtu.be/weZ-SPO-tIc | Uses Failover Groups and additional FQDN CNAME | |
| Azure SQL Managed Instance | Link | [1] Requires Layer-3 IP connectivity between SQL MI subnets for data replication (Unlike Azure SQL which replicates out of band [2] Value prop of Private Endpoint for SQL MI is unclear, why is a PE needed for a service that is already VNet-injected? |
|
| Azure Service Bus | Link | https://youtu.be/qukADwfihZY | Namespace pairing requires Premium SKU |
| Azure Event Hub | Link | https://youtu.be/qukADwfihZY | Namespace paring requires Standard SKU or above |
Azure PaaS services that do require user-intevention of DNS records upon failover (or use of regional specific Azure DNS Private Zones)
| Service | Microsoft Docs | Video | Notes |
|---|---|---|---|
| Azure Storage | https://youtu.be/bmFMNQkBf2A | ||
| Azure Site Recovery | https://youtu.be/_S5dA36SgsI | Largely built on Azure Storage, same pattern for Recovery Services vault and Storage account cache | |
| Azure Key Vault | Link | https://youtu.be/vlGK27D3bPg | Not possible to simulate regional failover |
| Azure Cosmos DB | See comments here | https://youtu.be/_WrJT7pLRv4 | Clients can use regional FQDN, but this happens after endpoint discovery via the Global FQDN |
| Azure Static Web Apps | Link | N/a to staging environment, front-end only | |
| Azure Container Registry | 1 - Geo replication doc 2 - PL for ACR |
[1] - requires premium SKU for geo-replication [2] - Specifically calls out in docs that single global Azure DNS Private Zone will be problematic. [3] - Use of Private Link for geo-dispersed replicas of ACR remove your ability to leverage Traffic Manager to route user/client to nearest endpoint, therefore this is now the function of the customer's internal DNS infrastructure |
|
| Power BI | Link | Private Link CNAME happens before regional re-direction, so user DNS intervention required if the region within which your primary PE are located goes down. E.g. here |
Azure PaaS services that do not have service-level regional failover (I.e. you must handle this as the application level)
| Service | Microsoft Docs | Video | Notes |
|---|---|---|---|
| Azure Database for Postgres (Single Server) | Link | https://youtu.be/Tzr2QRYSyRQ | [1] Only applies to Single Server, Flexible Server uses VNet injection instead. [2] Uses concept of read replicas for regional DR. See options for regional replication here. Requires General Purpose tier or above for multi-region replication. [3] User is responsible for regional failover, you must repoint your API or connection string at the replica FQDN. |
| Azure Database for MariaDB | Same approach as Postgres Single Server, user has to repoint to replica in region-down event - Link | ||
| Azure Database for MySQL (Single Server) | [1] Only applies to Single Server, Flexible Server uses VNet injection instead. [2] MySQL Single Server is being retired in 2024 - link |
||
| Azure Automation | 1 - Link for DR docs 2 - Link for PL doc |
User is required to self-replicate contents of automation account and associate dependencies and manually re-deploy agents etc to use the region-B automation assets in a region down scenario | |
| Azure Batch | 1 - Private Link for Batch 2 - DR for Batch 3 - Account migration for Batch |
Azure Batch has not concept of regional failover, it is all user driven, and independant accounts are always used in each region, each with their own FQDN. | |
| Azure Cognitive Services (Includes Search and OpenAI) | 1 - PL for Search 2 - HA and BCDR for Search |
Azure Cognitive Search doesn't provide an automated method of replicating search indexes across geographic regions. I.e. this is another example wherein the user has to build the abstraction on top of multiple search replicas, the linked documentaiton gives some examples including indexing and Traffic Manager. | |
| Azure Monitor | Regional failover is n/a - each region has its own components, e.g. Regional Log Analytics Workspaces | ||
| Azure Kubernetes Service (AKS) | Regional failover is n/a - each region has its node:master relationship that uses regional FQDN, this is not common across regions |