A critical architectural flaw in Microsoft Azure’s Private Endpoint implementation that enables denial-of-service (DoS) attacks against production Azure resources.
The vulnerability affects over 5% of Azure storage accounts, exposing organizations to service disruptions across Key Vault, CosmosDB, Azure Container Registry, Function Apps, and OpenAI accounts.
How the Vulnerability Works
Palo Alto Networks uncovers that the flaw stems from how Azure Private Link handles DNS resolution when Private Endpoints are deployed across virtual networks.
When a Private Endpoint is created for a storage account in VNET2, Azure automatically generates a Private DNS zone with a virtual network link.
If this DNS zone is linked to VNET1, Azure’s DNS resolution logic forces all storage name resolution in VNET1 to use the Private DNS zone.
However, if no DNS “A” record exists for the storage account within VNET1’s context, DNS resolution fails.
This creates a denial-of-service condition where virtual machines in VNET1 can no longer resolve the storage account hostname, even though the public endpoint remains accessible and unchanged.
The outage occurs solely due to DNS resolution issues caused by the Private Link configuration, without any modification to the target resource itself.
Three Attack Scenarios
The vulnerability manifests in three scenarios. First, accidental internal misconfiguration occurs when network administrators deploy Private Endpoints to enhance security but inadvertently create DNS resolution conflicts.
Second, third-party security vendors may deploy Private Endpoints as part of scanning solutions, unintentionally disrupting connectivity.
Third, malicious threat actors with access to the Azure environment deliberately deploy Private Endpoints as a DoS attack vector.
The impact extends beyond immediate connectivity loss. Denying service to storage accounts could cause Azure Functions and subsequent application updates to fail.
DoS attacks against Key Vaults could disrupt all processes dependent on vault secrets, potentially halting critical business operations across organizations.
Palo Alto Networks reported the issue to Microsoft, which acknowledges this as a known limitation and provides two partial mitigations.
The first enables a “fallback to internet” option when creating virtual network links, allowing DNS resolution to fall back to the public internet when no matching record exists.
However, this contradicts Private Link’s core security principle of traversing Azure’s backbone network rather than the public internet.
The second mitigation requires manually adding DNS records for affected resources in Private DNS zones. This creates significant operational overhead for large production environments and doesn’t scale effectively.
Defenders can identify vulnerable resources using Azure Resource Graph Explorer queries to scan for virtual networks linked to Private DNS zones.
Storage accounts allowing public endpoint access without Private Endpoint connections. Organizations should combine these queries with comprehensive network scanning to map affected configurations.
Organizations must fully understand Private Link’s binary nature and implement proper DNS management to prevent connectivity loss and potential DoS attacks.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
