Error: Private DNS Zone Private Link Not Provisioned in Region

Issue

The following error message appears:

Private DNS Zone privatelink./subscriptions/{identifier}/resourceGroups/azusetstarg01/providers/Microsoft.Sql/managedInstances/host_name.database.windows.net is not provisioned in the AZURE_EASTUS region.

Environment

All database connectors
Connection method: Private networking

Understanding the issue

Private DNS zone enables Private Link name resolution to a private IP for Azure SQL Managed Instance.
privatelink.database.windows.net is the required zone for SQL MI Private Link.
Not provisioned in AZURE_EASTUS means the East US VNet isn’t correctly linked to that zone, or the A record for the Managed Instance isn’t present.

Resolution

Missing or incorrect private DNS zone:
- Check if the privatelink.database.windows.net private DNS zone exists. Go to Private DNS zones in the Azure portal and search for this specific zone name within the subscription.
- If it doesn't exist, create the private DNS zone. Ensure the name is exactly privatelink.database.windows.net. You can place the resource group for the zone in any region, but it's often placed in a central networking resource group.
Missing or incorrect virtual network link:
- A private DNS zone needs to be linked to the virtual network(s) where your clients (VMs, other Azure services) or your SQL Managed Instance's private endpoint reside, so they can resolve the private IP.
- Steps to verify and create the link:
  1. Go to the privatelink.database.windows.net private DNS zone in the Azure portal.
  2. In the left-hand menu, select Virtual network links under Settings.
  3. Check if the virtual network(s) in the AZURE_EASTUS region that are supposed to connect to host_name.database.windows.net are listed and enabled.
  4. If not, click Add and create a new virtual network link.
  5. Type a descriptive name for the virtual network link.
  6. Select the appropriate subscription.
  7. Choose the virtual network in the AZURE_EASTUS region that is connected to your SQL Managed Instance's private endpoint (or where clients are located).
  8. Ensure Enable auto registration is checked.
    For SQL Managed Instances, the private endpoint usually handles the A record registration.
Check the private endpoint's DNS configuration. Ensure the A record for your SQL managed instance exists in the privatelink.database.windows.net zone.
- When you create a private endpoint for your SQL Managed Instance, it typically offers to integrate with a private DNS zone. If this step was missed or failed, the A record pointing your SQL Managed Instance's FQDN to its private IP might not be in the privatelink.database.windows.net zone. Review Azure activity logs for any errors related to the creation or modification of the private DNS zone, virtual network links, or private endpoints.
- Check the private endpoint:
  1. Go to your Azure SQL Managed Instance (host_name).
  2. Under Security, select Private endpoint connections.
  3. Select the private endpoint connected to your instance.
  4. On the private endpoint's overview page, look for DNS configuration. It should show the privatelink.database.windows.net zone and the corresponding A record. If there's an issue here, you might need to recreate the private endpoint or manually add the A record to the private DNS zone.
    For Azure SQL Managed Instance private endpoints, the FQDN is typically host_name.privatelink.database.windows.net, which then resolves to the private IP address. Ensure your connection strings use the original FQDN (host_name).
Custom DNS servers or hybrid DNS:
- If you're using custom DNS servers within your virtual network (instead of Azure's default DNS) or have a hybrid setup with on-premises DNS servers, these DNS servers must be configured to correctly forward or resolve queries for privatelink.database.windows.net.
- This often involves setting up a conditional forwarder on your custom DNS servers (or Azure DNS Private Resolver) to forward queries for privatelink.database.windows.net to Azure's default DNS (168.63.129.16).