Network & Private DNS
Private by default. Loom backing services run with public network access disabled. The console reaches them over private endpoints + private DNS linked to the hub VNet. To reach them directly (Synapse Studio, SSMS, Storage Explorer, az/REST) from your workstation, your VPN-connected machine must resolve each service FQDN to its private endpoint IP. Use the hosts override for a quick local fix, or wire the enterprise DNS below for everyone.
Enterprise / corporate DNS configuration
The durable fix: make your corporate DNS resolve every Azure private-link domain to the private IPs. Pick one of the patterns below. Both let any VPN-connected user reach the services by their normal public FQDN, with traffic staying on the private endpoints.
1. Deploy an Azure DNS Private Resolver with an inbound endpoint in the hub VNet (the VNet the private DNS zones are linked to). Note its inbound IP.
2. Ensure every privatelink zone below is linked to that VNet (Loom’s bicep already links them to the hub).
3. On your corporate DNS servers (or Azure Firewall / forwarder), add a conditional forwarder for each public parent domain → the resolver inbound IP. Queries for *.privatelink.* then resolve to the private IPs automatically.
4. Route the resolver inbound IP over the VPN/ExpressRoute so on-prem clients can reach it.
Conditional-forwarder domains
(load the inventory to populate)
Synapse workspace — public access disabled
The Synapse workspace runs publicNetworkAccess: Disabled, with private endpoints for its Dev (*.dev.azuresynapse.net — Studio + artifact REST), SQL (dedicated pools) and SqlOnDemand (serverless) sub-resources, all registered in the privatelink.dev.azuresynapse.net / privatelink.sql.azuresynapse.net zones linked to the hub VNet.
To reach Synapse Studio from your workstation, add the azuresynapse entries from the hosts block above (or configure the conditional forwarders) while on the VPN, then browse to web.azuresynapse.net. SQL tools (SSMS / sqlcmd) connect to the *.sql.azuresynapse.net endpoint the same way.
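To confirm that a hosts override or the conditional forwarders are actually taking effect on a VPN-connected workstation, the check below classifies each service FQDN by whether its answers fall inside the private-endpoint subnet. It is an added example, not part of Loom or the original page; the workspace name `loomws`, the subnet `10.20.1.0/24` and all addresses are constructed placeholders.

```python
import ipaddress
import socket

def os_resolve(fqdn):
    """Ask the OS resolver (hosts file, then DNS) for the addresses of fqdn."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)}

def check_fqdn(fqdn, pe_subnets, resolve=os_resolve):
    """Classify fqdn as 'private', 'public', 'mixed' or 'unresolved'.

    pe_subnets: CIDRs of the subnets that hold the private endpoints.
    """
    nets = [ipaddress.ip_network(cidr) for cidr in pe_subnets]
    try:
        ips = sorted(resolve(fqdn))
    except OSError:  # socket.gaierror (name not found, resolver unreachable) is an OSError
        ips = []
    if not ips:
        return "unresolved", ips
    hits = [any(ipaddress.ip_address(ip) in net for net in nets) for ip in ips]
    if all(hits):
        return "private", ips
    return ("mixed" if any(hits) else "public"), ips

def audit(fqdns, pe_subnets, resolve=os_resolve):
    """Return {fqdn: (status, ips)}; any status other than 'private' needs fixing."""
    return {name: check_fqdn(name, pe_subnets, resolve) for name in fqdns}

# Constructed sample data (placeholders, not values from the page).
SAMPLE_SUBNETS = ["10.20.1.0/24"]
SAMPLE_ANSWERS = {
    "loomws.dev.azuresynapse.net": {"10.20.1.4"},      # override or forwarder working
    "loomws.sql.azuresynapse.net": {"203.0.113.10"},   # still answered by public DNS
    "loomws-ondemand.sql.azuresynapse.net": {"10.20.1.6", "203.0.113.10"},  # split answers
}

def sample_resolve(fqdn):
    """Offline stand-in resolver; unknown names fail the way a missing record would."""
    if fqdn not in SAMPLE_ANSWERS:
        raise socket.gaierror("constructed: name not found")
    return SAMPLE_ANSWERS[fqdn]

if __name__ == "__main__":
    names = list(SAMPLE_ANSWERS) + ["missing.dev.azuresynapse.net"]
    for name, (status, ips) in audit(names, SAMPLE_SUBNETS, sample_resolve).items():
        print(f"{status:<10} {name} -> {', '.join(ips) or '-'}")
```

On a real workstation, call `audit()` with your own FQDNs and private-endpoint subnet CIDR and leave `resolve` at its default so the OS resolver is used.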