link to Kudo/scm not placed to scm.privatelink.azurewebsites.net DNS zone #25814

@RostKost

Describe the bug

DNS records for the Private endpoint are automatically generated but one of them is placed in the wrong private DNS zone.
Both DNS records of type A are located in the private DNS zone 'privatelink.azurewebsites.net'

The Private endpoint for the Azure Web App is linked to two FQDNs that point to aliases:

[appname].privatelink.azurewebsites.net         --->[appname].azurewebsites.net
[appname].scm.privatelink.azurewebsites.net     --->[appname].scm.azurewebsites.net

Based on the private-endpoint-dns documentation, private DNS zones are created in line with the recommended naming:
privatelink.azurewebsites.net
scm.privatelink.azurewebsites.net

DNS zone configuration can be added for the Private endpoint through the portal or az command
az network private-endpoint dns-zone-group add

The resulting DNS zone configuration for the Private endpoint is here:

{
  "etag": "W/\"88888888-8888-8888-8888-888888888888\"",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/app-resource-group/providers/Microsoft.Network/privateEndpoints/test-service-private-endpoint/privateDnsZoneGroups/default",
  "name": "default",
  "privateDnsZoneConfigs": [
    {
      "name": "scm_privatelink_azurewebsites_net",
      "privateDnsZoneId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/hub-network-rg/providers/Microsoft.Network/privateDnsZones/scm.privatelink.azurewebsites.net",
      "recordSets": []
    },
    {
      "name": "privatelink_azurewebsites_net",
      "privateDnsZoneId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/hub-network-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net",
      "recordSets": [
        {
          "fqdn": "test-service.privatelink.azurewebsites.net",
          "ipAddresses": [
            "10.12.128.37"
          ],
          "provisioningState": "Succeeded",
          "recordSetName": "test-service",
          "recordType": "A",
          "ttl": 10
        },
        {
          "fqdn": "test-service.scm.privatelink.azurewebsites.net",
          "ipAddresses": [
            "10.12.128.37"
          ],
          "provisioningState": "Succeeded",
          "recordSetName": "test-service.scm",
          "recordType": "A",
          "ttl": 10
        }
      ]
    }
  ],
  "provisioningState": "Succeeded",
  "resourceGroup": "app-resource-group"
}

Command Name
nslookup appname.scm.privatelink.azurewebsites.net

Errors:

Server:  UnKnown
Address:  168.63.129.16

*** UnKnown can't find appname.scm.privatelink.azurewebsites.net: Non-existent domain

To Reproduce:

Steps to reproduce the behavior.

  • create Web App with the Private endpoint
  • create private DNS zone privatelink.azurewebsites.net
  • create private DNS zone scm.privatelink.azurewebsites.net
  • add the private DNS zone "scm_privatelink_azurewebsites_net" configuration for the Private endpoint
    az network private-endpoint dns-zone-group add --endpoint-name {} -n {} --resource-group {} --zone-name "scm_privatelink_azurewebsites_net" --private-dns-zone {}
  • add the private DNS zone "privatelink_azurewebsites_net" configuration for the Private endpoint
    az network private-endpoint dns-zone-group add --endpoint-name {} -n {} --resource-group {} --zone-name "privatelink_azurewebsites_net" --private-dns-zone {}
  • run nslookup appname.scm.privatelink.azurewebsites.net command from a host in the same vNet

Expected Behavior

"test-service.scm.privatelink.azurewebsites.net" record will be added to the "scm.privatelink.azurewebsites.net" zone, not to "privatelink.azurewebsites.net",
and nslookup will resolve the name appname.scm.privatelink.azurewebsites.net to the IP address

Environment Summary

Windows-10-10.0.19045-SP0
Python 3.10.8
Installer: 

azure-cli 2.45.0 *

Extensions:
account 0.2.5

Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1

Additional Context
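
An added example, not part of the original issue or of azure-cli: a check over the dns-zone-group JSON shown above that flags any record set stored in a less specific zone than another zone attached to the same group, and lists attached zones that received no records. The sample input is constructed from the values in the report; the function names are hypothetical.

```python
# Constructed sample: trimmed copy of the privateDnsZoneConfigs from the report.
HUB = ("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/"
       "hub-network-rg/providers/Microsoft.Network/privateDnsZones/")
SAMPLE = {"privateDnsZoneConfigs": [
    {"privateDnsZoneId": HUB + "scm.privatelink.azurewebsites.net",
     "recordSets": []},
    {"privateDnsZoneId": HUB + "privatelink.azurewebsites.net",
     "recordSets": [
         {"fqdn": "test-service.privatelink.azurewebsites.net",
          "ipAddresses": ["10.12.128.37"]},
         {"fqdn": "test-service.scm.privatelink.azurewebsites.net",
          "ipAddresses": ["10.12.128.37"]}]}]}


def zone_name(private_dns_zone_id):
    """The zone name is the last segment of the privateDnsZoneId resource ID."""
    return private_dns_zone_id.rstrip("/").rsplit("/", 1)[-1].lower()


def best_zone(fqdn, zones):
    """Most specific (longest) attached zone that is a DNS suffix of fqdn."""
    fqdn = fqdn.rstrip(".").lower()
    matches = [z for z in zones if fqdn.endswith("." + z)]
    return max(matches, key=len) if matches else None


def misplaced_records(group):
    """Return (fqdn, zone_holding_record, zone_expected) for each mismatch."""
    configs = group["privateDnsZoneConfigs"]
    zones = [zone_name(c["privateDnsZoneId"]) for c in configs]
    findings = []
    for cfg in configs:
        actual = zone_name(cfg["privateDnsZoneId"])
        for rs in cfg.get("recordSets") or []:
            expected = best_zone(rs["fqdn"], zones)
            if expected != actual:
                findings.append((rs["fqdn"], actual, expected))
    return findings


def empty_zones(group):
    """Attached zones for which the endpoint registered no record sets."""
    return [zone_name(c["privateDnsZoneId"])
            for c in group["privateDnsZoneConfigs"] if not c.get("recordSets")]


if __name__ == "__main__":
    for fqdn, actual, expected in misplaced_records(SAMPLE):
        print(f"{fqdn}: stored in {actual}, expected in {expected}")
    print("zones with no records:", empty_zones(SAMPLE))
```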
