
Unable to add Virtual Network to Azure Private DNS Zone Using terraform

Satish B 170 Reputation points
2026-04-18T15:02:57.57+00:00

Hi Team,

In my organization we are using a Hub & Spoke model; we have 1 Hub & 2 spokes.

I have created a Key Vault Private DNS Zone (privatelink.vaultcore.azure.net) in the Hub subscription & also created a Key Vault Private DNS Zone (privatelink.vaultcore.azure.net) in the 2 Spoke subscriptions. While adding the Hub VNet to the Private DNS zones of the 2 spoke subscriptions, one Spoke Private DNS zone was successfully added to the Hub VNet, & the other Spoke Private DNS zone, when attached to the Hub VNet using Terraform, gives the below error. Please suggest how to fix this issue / are there any limitations?

Error: creating/updating Virtual Network Link (Subscription: "*"
Resource Group Name: "RG3"
Private Dns Zone Name: "privatelink.vaultcore.azure.net"
Virtual Network Link Name: "Hub-vnet-link1-pelm1"): polling after CreateOrUpdate: polling failed: the Azure API returned the following error:
Status: "BadRequest"
Code: ""
Message: "A virtual network cannot be linked to multiple zones with overlapping namespaces. You tried to link virtual network with 'privatelink.vaultcore.azure.net' and 'privatelink.vaultcore.azure.net' zones."
Activity Id: ""

API Response:
----[start]----
{"error":{"code":"BadRequest","message":"A virtual network cannot be linked to multiple zones with overlapping namespaces. You tried to link virtual network with 'privatelink.vaultcore.azure.net' and 'privatelink.vaultcore.azure.net' zones."},"status":"Failed"}
-----[end]-----

with azurerm_private_dns_zone_virtual_network_link.kv1_link[0],
on main.tf line 825, in resource "azurerm_private_dns_zone_virtual_network_link" "kv1_link":
825: resource "azurerm_private_dns_zone_virtual_network_link" "kv1_link" {

Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.


Answer accepted by question author
  1. Praveen Bandaru 11,465 Reputation points Microsoft External Staff Moderator
    2026-04-25T02:33:05.0766667+00:00

    Hello Satish B

    We have reviewed the issue with the Terraform deployment, where the creation of the Private DNS Virtual Network link failed due to an error indicating that the virtual network is already linked to multiple zones with overlapping namespaces (specifically privatelink.vaultcore.azure.net).

    • This occurs because of a platform limitation in Azure Private DNS: a single Virtual Network cannot be linked to more than one Private DNS zone if those zones share the same namespace.
    • In your current setup, separate Private DNS zones with the same name (privatelink.vaultcore.azure.net) were created in both the Hub and Spoke subscriptions, and the Hub VNet was linked to multiple zones with the same namespace. Azure recognizes these as overlapping and blocks the configuration.
    • To resolve this, we recommend adopting a centralized Private DNS zone design. Create a single shared Private DNS zone (privatelink.vaultcore.azure.net) in one subscription, preferably the Hub, and link it to all required VNets, including the Hub and Spokes.
    • This follows Azure best practices for Hub-and-Spoke architecture and ensures consistent name resolution for Private Endpoints.
    • Additionally, manage all DNS records within the Hub private DNS zone. Once all configurations are moved to the Hub DNS zone and everything is functioning as expected, you can remove the Private DNS zones from the Spoke subscriptions if needed. Check the below document for more understanding:

    Azure Private Endpoint private DNS zone values

    https://learn.microsoft.com/en-us/azure/architecture/networking/guide/private-link-hub-spoke-network



    I hope the above answer helps you! Please let us know if you have any further questions.

    Please don't forget to "upvote" where the information provided will help you, this can be beneficial to other members of the community.


Answer accepted by question author
  1. Venkatesan S 7,635 Reputation points Microsoft External Staff Moderator
    2026-04-20T02:21:56.3866667+00:00

    Hi Satish B,

    Thanks for reaching out in Microsoft Q&A forum,

    Your error happens because the same Hub VNet is being linked to multiple Private DNS zones with the same name (privatelink.vaultcore.azure.net) in different subscriptions. Azure does not allow a VNet to link to more than one zone with the same DNS namespace, even if they’re in different subscriptions.

    Cause:

    You created privatelink.vaultcore.azure.net in:

    • Hub subscription
    • Spoke 1 subscription
    • Spoke 2 subscription
    • Then you tried to link the same Hub VNet to more than one of these identical zones.
    • Azure blocks this with the error:

      “A virtual network cannot be linked to multiple zones with overlapping namespaces.”

    Steps to fix:

    Use one centralized Private DNS zone in the Hub and link all VNets (Hub + both spokes) to it:

    1. Delete duplicate zones in the spoke subscriptions:
      • In Spoke 1 and Spoke 2, delete privatelink.vaultcore.azure.net.
      • Keep only one privatelink.vaultcore.azure.net in the Hub subscription.
    2. In the Hub Private DNS zone:
      • Go to Private DNS zones > privatelink.vaultcore.azure.net > Virtual network links.
      • Add a link for the Hub VNet.
      • Add a link for Spoke 1 VNet (choose Spoke 1 subscription in the dropdown).
      • Add a link for Spoke 2 VNet (choose Spoke 2 subscription in the dropdown).
      A single zone can be linked to many VNets across subscriptions.
    3. If you have Key Vault private endpoints:
      • Update their Private DNS zone groups to use the Hub DNS zone only:
      • /subscriptions/<hub-subscription-id>/resourceGroups/<hub-rg>/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net

    Limitation:

    • One Private DNS zone (privatelink.vaultcore.azure.net) > linked to many VNets (Hub + spokes).
    • One VNet > cannot be linked to multiple zones with the same namespace.

    Official Microsoft documentation

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please do not forget to “up-vote” wherever the information provided helps you; this can be beneficial to other community members.


2 additional answers

  1. Vinodh247 42,201 Reputation points MVP Volunteer Moderator
    2026-04-18T16:15:11.05+00:00

    Hi,

    Thanks for reaching out to Microsoft Q&A.

    This is not a Terraform issue. It is an Azure platform limitation.

    You are trying to link the same Hub VNet to multiple Private DNS zones with the same name (privatelink.vaultcore.azure.net) across subscriptions. Azure does not allow a VNet to be linked to more than one Private DNS zone with overlapping namespaces, even if they exist in different subscriptions.

    Azure Private DNS design enforces:

    • A VNet can be linked to only one zone per namespace
    • privatelink.vaultcore.azure.net is a global, well-known private endpoint zone
    • Your Hub VNet is already linked to one such zone → second link is rejected

    The correct pattern in a Hub-Spoke architecture should be:

    • Create only one Private DNS zone in the Hub (centralised model)
    • Link:
      • Hub VNet -> that zone
      • All Spoke VNets -> same zone (via cross-subscription linking)
    • Do not create duplicate zones in spokes

    Fix that you can try:

    • Delete duplicate zones in spoke subscriptions
    • Keep a single zone in Hub
    • Link all VNets (Hub + Spokes) to that one zone

    • If you really need isolation:
      • Use separate VNets, not the same Hub VNet
      • Or use different DNS namespaces (not possible for Key Vault private endpoint zones)

    Please 'Upvote' (Thumbs-up) and 'Accept' as answer if the reply was helpful. This will benefit other community members who face the same issue.

  2. Q&A Assist
    2026-04-18T15:03:14.53+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The error occurs because a single virtual network can’t be linked to multiple Azure Private DNS zones that have the same (or overlapping) DNS namespace. In this case, the hub virtual network is already linked to a privatelink.vaultcore.azure.net zone, and Terraform is trying to link it again to another privatelink.vaultcore.azure.net zone that exists in a different subscription.

    Key points from the platform behavior:

    • Only one link between a given private DNS zone and a virtual network is allowed.
    • A virtual network cannot be linked to multiple zones with overlapping namespaces (for example, two separate privatelink.vaultcore.azure.net zones, even if they are in different subscriptions).
    • The recommended pattern in hub-and-spoke is to use a single private DNS zone for a given namespace and link all VNets (hub and spokes) that need name resolution to that same zone.

    To fix the issue in this scenario:

    1. Choose a single authoritative privatelink.vaultcore.azure.net private DNS zone (for example, the one in the hub subscription).
    2. Delete the duplicate privatelink.vaultcore.azure.net zones from the spoke subscriptions.
    3. From that single remaining zone, create virtual network links to:
      • The hub VNet.
      • Each spoke VNet that needs to resolve Key Vault private endpoints.
    4. Update Terraform so that it manages only this one private DNS zone and its azurerm_private_dns_zone_virtual_network_link resources for all VNets.

    If a hub-and-spoke design with Private Endpoints is used, this aligns with guidance that a single private DNS zone should be shared and linked to all relevant VNets.


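The centralized layout that the answers above describe, written as Terraform for the Hub subscription (an added example, not code from the question or from any of the answers). It assumes a default azurerm provider targeting the Hub subscription, an aliased provider for Spoke 1, that every var.* value (subscription IDs, resource group names, VNet, subnet and Key Vault resource IDs) is declared elsewhere, and that the identity running Terraform is allowed to link the spoke VNets.

```hcl
# Default provider = Hub subscription; an alias for the spoke that hosts the private endpoint.
provider "azurerm" {
  subscription_id = var.hub_subscription_id
  features {}
}
provider "azurerm" {
  alias           = "spoke1"
  subscription_id = var.spoke1_subscription_id
  features {}
}

# The only privatelink.vaultcore.azure.net zone in the estate; no copies in the spokes.
resource "azurerm_private_dns_zone" "kv" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = var.hub_rg_name
}

# One link per VNet, all children of the single Hub zone (spoke VNet IDs are cross-subscription).
resource "azurerm_private_dns_zone_virtual_network_link" "kv" {
  for_each = {
    "hub-vnet-link"    = var.hub_vnet_id
    "spoke1-vnet-link" = var.spoke1_vnet_id
    "spoke2-vnet-link" = var.spoke2_vnet_id
  }
  name                  = each.key
  resource_group_name   = var.hub_rg_name
  private_dns_zone_name = azurerm_private_dns_zone.kv.name
  virtual_network_id    = each.value
  registration_enabled  = false # privatelink zones carry private endpoint records only
}

# Spoke 1 Key Vault private endpoint; its zone group targets the Hub zone, so the A record
# is written into the shared zone rather than into a duplicate spoke zone.
resource "azurerm_private_endpoint" "kv_spoke1" {
  provider            = azurerm.spoke1
  name                = "pe-kv-spoke1"
  location            = var.spoke1_location
  resource_group_name = var.spoke1_rg_name
  subnet_id           = var.spoke1_pe_subnet_id
  private_service_connection {
    name                           = "kv-psc"
    private_connection_resource_id = var.key_vault_id
    is_manual_connection           = false
    subresource_names              = ["vault"]
  }
  private_dns_zone_group {
    name                 = "kv-zone-group"
    private_dns_zone_ids = [azurerm_private_dns_zone.kv.id]
  }
}
```

Because the spoke zones no longer exist, the Hub VNet is linked to exactly one privatelink.vaultcore.azure.net zone, which is what the "overlapping namespaces" check requires.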
