- Check for Network Isolation with Virtual Network Links
Ensure that each of your private Azure DNS zones is linked to the virtual networks (VNets) that need to resolve its names, and that auto-registration is disabled on every link. A virtual network link is what allows resources inside a VNet to resolve names in a private DNS zone; without a link, virtual machines and other services in the VNet cannot resolve those names.
Virtual network links connect Azure private DNS zones to virtual networks, allowing VMs in the linked VNet to resolve records in the zone. A link can optionally enable auto-registration, which lets every VM deployed into that VNet create and update its own A record in the zone without holding any permission on the zone itself. Linking VNets explicitly and keeping auto-registration off gives you control over both sides: you decide exactly which virtual networks can resolve the zone, and you decide which records exist in it. This practice is essential for maintaining network isolation, preventing unauthorized or accidental record changes, and keeping an auditable record of which networks are connected to which zones.
Audit
To determine if your private DNS zones are configured with controlled virtual network (VNet) links, perform the following operations:
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to examine from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Private DNS zone for Value, then choose Apply to list the private DNS zones available in the selected subscription.
05 Click on the name (link) of the private DNS zone that you want to examine.
06 In the resource navigation panel, under DNS Management, select Virtual Network Links to list the virtual networks (VNets) linked to the selected Azure DNS zone. If no VNet links are listed on the Virtual Network Links page, network isolation with virtual network (VNet) links is not enabled for the selected private DNS zone, therefore, the Audit process ends here. If one or more VNet links are listed on this page, you can continue the Audit process with the next step.
07 With auto-registration enabled on a link, every VM created in that virtual network registers its own DNS record in the zone. Anyone who can deploy a VM into the VNet can therefore create records in the zone without any rights on the zone itself, which allows unauthorized DNS record creation and name collisions and, in turn, can facilitate traffic redirection (Man-in-the-Middle) and data exfiltration. On the Virtual Network Links page, choose the virtual network (VNet) link that you want to examine and check the auto-registration status listed in the Auto-Registration column. If Auto-Registration is set to Enabled, the auto-registration feature is not disabled for the selected virtual network link, therefore, the VNet configuration for your private DNS zone is not compliant.
08 Repeat steps no. 5 - 7 for each private Azure DNS zone deployed in the selected Azure subscription.
09 Repeat steps no. 3 - 8 for each Azure subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run network private-dns zone list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each private DNS zone available in the selected Azure subscription:
az network private-dns zone list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
05 The command output should return the requested DNS zone identifiers:
Name                   ResourceGroup
---------------------  ------------------------------
trendmicro.com         cloud-shell-storage-westeurope
client.trendmicro.com  cloud-shell-storage-westeurope
06 Run network private-dns link vnet list command (Windows/macOS/Linux) to list the ID of each virtual network (VNet) link configured for the selected private DNS zone:
az network private-dns link vnet list --zone-name trendmicro.com --resource-group cloud-shell-storage-westeurope --query '[*].id'
07 The command output should return the requested VNet link ID(s), as shown in the example below. If the network private-dns link vnet list command output returns an empty array, i.e., [], network isolation with virtual network (VNet) links is not enabled for the selected private DNS zone, therefore, the Audit process ends here. Otherwise, you can continue the Audit process with the next step:
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateDnsZones/trendmicro.com/virtualNetworkLinks/cc-project5-vnet-link" ]
08 Run network private-dns link vnet show command (Windows/macOS/Linux) to describe the auto-registration feature status for the selected virtual network (VNet) link. Auto-registration lets any VM deployed into the linked VNet create records in the zone without permissions on the zone, which allows unauthorized DNS record creation and can facilitate traffic redirection (Man-in-the-Middle) and data exfiltration:
az network private-dns link vnet show --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateDnsZones/trendmicro.com/virtualNetworkLinks/cc-project5-vnet-link" --query 'registrationEnabled'
09 The command output should return the requested feature status, i.e., true or false:
true
If the network private-dns link vnet show command output returns true, as shown in the example above, the auto-registration feature is not disabled for the selected virtual network link, therefore, the VNet configuration for your private DNS zone is not compliant.
10 Repeat steps no. 6 - 9 for each private Azure DNS zone available in the selected Azure subscription.
11 Repeat steps no. 3 - 10 for each Azure subscription created in your Microsoft Azure cloud account.
Remediation / Resolution
To ensure that your private DNS zones are configured with controlled virtual network (VNet) links, perform the following operations. Note that when auto-registration is disabled on a link, Azure removes the records that were auto-registered for that virtual network; if workloads depend on those names, create them as manually managed records in the zone before you change the link.
Using Azure Console
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to examine from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Private DNS zone for Value, then choose Apply to list the private DNS zones available in the selected subscription.
05 Click on the name (link) of the private DNS zone that you want to configure.
06 In the resource navigation panel, under DNS Management, select Virtual Network Links to list the virtual networks (VNets) linked to the selected Azure DNS zone.
07 If the selected DNS zone has virtual network (VNet) links, choose the non-compliant VNet link that you want to update, click on the Edit button (i.e., pencil icon), uncheck the Enable auto registration setting checkbox under Configuration, and choose Save to apply the changes. This will disable the auto-registration feature for the selected VNet link.
08 If the selected DNS zone has no virtual network (VNet) links, choose Add from the page top menu, and perform the following actions to add a new VNet link to your DNS zone:
- Enter a unique name for your new VNet link in the Link name box.
- Ensure that the correct Azure subscription is selected for Subscription.
- For Virtual Network, choose the name of the virtual network (VNet) that you want to link to your private DNS zone.
- Uncheck the Enable auto registration setting checkbox available under Configuration to disable the auto-registration feature for the new VNet link.
- Choose Create to deploy your new, compliant virtual network (VNet) link.
09 Repeat steps no. 5 - 8 for each private DNS zone that you want to configure, available in the selected Azure subscription.
10 Repeat steps no. 3 - 9 for each Azure subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 If your private DNS zone has non-compliant virtual network (VNet) links, run network private-dns link vnet update command (Windows/macOS/Linux) to update your non-compliant VNet link in order to disable the auto-registration feature:
az network private-dns link vnet update --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateDnsZones/trendmicro.com/virtualNetworkLinks/cc-project5-vnet-link" --registration-enabled false
05 The command output should return the information available for the configured VNet link:
{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateDnsZones/trendmicro.com/virtualNetworkLinks/cc-project5-vnet-link",
  "location": "global",
  "name": "cc-project5-vnet-link",
  "provisioningState": "Succeeded",
  "registrationEnabled": false,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
  "virtualNetwork": {
    "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet",
    "resourceGroup": "cloud-shell-storage-westeurope"
  },
  "virtualNetworkLinkState": "Completed"
}
06 If your private DNS zone has no virtual network (VNet) links, run network private-dns link vnet create command (Windows/macOS/Linux) to create a new, compliant virtual network (VNet) link for your private DNS zone:
az network private-dns link vnet create --name cc-private-dns-vnet-link --resource-group cloud-shell-storage-westeurope --zone-name trendmicro.com --virtual-network cc-project5-vnet --registration-enabled false
07 The command output should return the information available for the new VNet link:
{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/privateDnsZones/trendmicro.com/virtualNetworkLinks/cc-private-dns-vnet-link",
  "location": "global",
  "name": "cc-private-dns-vnet-link",
  "provisioningState": "Succeeded",
  "registrationEnabled": false,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
  "virtualNetwork": {
    "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet",
    "resourceGroup": "cloud-shell-storage-westeurope"
  },
  "virtualNetworkLinkState": "Completed"
}
08 Repeat steps no. 4 - 7 for each private DNS zone that you want to configure, available in the selected Azure subscription.
09 Repeat steps no. 3 - 8 for each Azure subscription created in your Microsoft Azure cloud account.
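The CLI audit (steps 1 - 11 above) and the CLI remediation (steps 1 - 9 in this section) are usually run across many zones and subscriptions, so here is one bash script, added as an example and not part of this page or of the Azure CLI documentation, that walks every subscription, evaluates each zone's links with the same commands shown above and, when started with --fix, disables auto-registration on the links it flags. The compliance logic is isolated in two small functions so it can be checked offline against constructed TSV input. It assumes a signed-in az CLI (az login), bash 4 or later, and that the link list is requested as TSV with the three columns name, id and registrationEnabled (az renders booleans in TSV output as True/False). The script name, the FIX variable and the --run/--fix flags are choices made for this example.

```shell
#!/usr/bin/env bash
# audit-private-dns-links.sh (hypothetical name): audit private DNS zone
# VNet links for auto-registration and, with --fix, disable it.
# Only az commands that appear in the procedure above are used.
set -euo pipefail

# evaluate_links reads TSV lines "<linkName>\t<linkId>\t<registrationEnabled>"
# on stdin and prints one finding per link for the zone given as $1.
# Returns 0 when every link is compliant, 1 when any link has
# auto-registration enabled or the zone has no links at all.
evaluate_links() {
  local zone="$1" count=0 bad=0 name id enabled
  while IFS=$'\t' read -r name id enabled; do
    [ -n "$name" ] || continue
    count=$((count + 1))
    case "$enabled" in
      [Tt]rue)
        printf 'NON-COMPLIANT %s link=%s auto-registration enabled\n' "$zone" "$name"
        bad=$((bad + 1)) ;;
      *)
        printf 'OK %s link=%s\n' "$zone" "$name" ;;
    esac
  done
  if [ "$count" -eq 0 ]; then
    printf 'NON-COMPLIANT %s no virtual network links\n' "$zone"
    return 1
  fi
  [ "$bad" -eq 0 ]
}

# noncompliant_link_ids reads the same TSV and prints only the resource IDs
# of links that still have auto-registration enabled (the input for --fix).
noncompliant_link_ids() {
  local name id enabled
  while IFS=$'\t' read -r name id enabled; do
    case "$enabled" in
      [Tt]rue) printf '%s\n' "$id" ;;
    esac
  done
}

# audit_zone lists the links of one zone (name $1, resource group $2),
# reports on them and, when FIX=1, disables auto-registration on each
# non-compliant link with the update command from the remediation steps.
audit_zone() {
  local zone="$1" rg="$2" links id rc=0
  links=$(az network private-dns link vnet list \
            --zone-name "$zone" --resource-group "$rg" \
            --output tsv --query '[].[name, id, registrationEnabled]')
  printf '%s\n' "$links" | evaluate_links "$zone" || rc=1
  if [ "${FIX:-0}" = 1 ]; then
    while read -r id; do
      [ -n "$id" ] || continue
      printf 'disabling auto-registration on %s\n' "$id"
      az network private-dns link vnet update --ids "$id" \
        --registration-enabled false --output none
    done < <(printf '%s\n' "$links" | noncompliant_link_ids)
  fi
  return "$rc"
}

# main iterates every subscription and every private DNS zone in it.
main() {
  if [ "${1:-}" = "--fix" ]; then FIX=1; fi
  local overall=0 sub zone rg
  while read -r sub; do
    [ -n "$sub" ] || continue
    az account set --subscription "$sub"
    while IFS=$'\t' read -r zone rg; do
      [ -n "$zone" ] || continue
      audit_zone "$zone" "$rg" || overall=1
    done < <(az network private-dns zone list --output tsv --query '[].[name, resourceGroup]')
  done < <(az account list --output tsv --query '[].id')
  return "$overall"
}

# Run with: bash audit-private-dns-links.sh --run [--fix]
# Sourcing the file without --run only defines the functions.
if [ "${1:-}" = "--run" ]; then
  shift
  main "$@"
fi
```

A zone with no links is reported as non-compliant but is never auto-fixed: the script cannot know which virtual network should be allowed to resolve the zone, so that decision (and the network private-dns link vnet create command from step 6) stays with the operator. Remember, too, that disabling auto-registration drops the records that were auto-registered for that VNet, so run the audit first and create manual records for any names that workloads still depend on before using --fix.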
References
- Azure Official Documentation
- Secure your Azure DNS deployment
- What is a virtual network link?
- What is the autoregistration feature in Azure DNS private zones?
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az network private-dns zone list
- az network private-dns link vnet list
- az network private-dns link vnet show
- az network private-dns link vnet update
- az network private-dns link vnet create
Related DNS rules
- Enable Diagnostic Logs for Azure DNS Security Policies (Security, reliability, operational-excellence, cost-optimisation, performance-efficiency)
- Use Role-Based Access Control for Azure DNS Zones (Security)
- Enable DNSSEC for Azure DNS Zones (Security)
- Use Resource Locks for Azure DNS Zones (Security)