Azure Management Private DNS Client Library

Common errors

• ModuleNotFoundError: No module named 'azure.mgmt.privatedns'

  cause The `azure-mgmt-privatedns` library is not installed in the current Python environment.
  fix Install the package using pip: `pip install azure-mgmt-privatedns`

• DefaultAzureCredential authentication failed

  cause The `DefaultAzureCredential` was unable to find valid credentials in the environment variables (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID), Azure CLI, Azure PowerShell, or managed identity.
  fix Ensure the necessary environment variables for service principal authentication are set, or that you are logged in via Azure CLI (`az login`), or using managed identity in a supported Azure environment. For service principal: ```bash export AZURE_CLIENT_ID="<your-client-id>" export AZURE_TENANT_ID="<your-tenant-id>" export AZURE_CLIENT_SECRET="<your-client-secret>" export AZURE_SUBSCRIPTION_ID="<your-subscription-id>" ```

• (AuthorizationFailed) The client '...' does not have authorization to perform action 'Microsoft.Network/privateDnsZones/a/read' over scope '...'

  cause The Azure identity (user, service principal, or managed identity) used to authenticate lacks the necessary Role-Based Access Control (RBAC) permissions to perform the requested operation on the specified Private DNS Zone resource.
  fix Grant the authenticated identity the appropriate RBAC role (e.g., 'Private DNS Zone Contributor' or a custom role with specific `Microsoft.Network/privateDnsZones/...` permissions) at the correct scope (subscription, resource group, or specific resource).

• (PreconditionFailed) The Zone <zone-name> exists already and hence cannot be created again.

  cause An attempt was made to create a Private DNS Zone when a zone with the specified name already exists in the resource group, typically when the `if_none_match='*'` parameter is implicitly or explicitly used in the client call, preventing updates.
  fix Before attempting to create a zone, check if it already exists. If it exists and you intend to update it, ensure your client call allows for updates (e.g., by not setting `if_none_match='*'`). If you want to create it only if it doesn't exist, handle the `HttpResponseError` exception for `PreconditionFailed` status.

Warnings

• breaking The credential system was completely revamped. Old `azure.common.credentials` or `msrestazure.azure_active_directory` instances are no longer supported.
  Fix: Migrate authentication to use classes from the `azure-identity` library, such as `DefaultAzureCredential`.
• breaking Long-Running Operations (LRO) pollers and exception handling changed. Operations returning `msrest.polling.LROPoller` now return `azure.core.polling.LROPoller` and are prefixed with `begin_`. Most exceptions are now `azure.core.exceptions.HttpResponseError` instead of `CloudError`.
  Fix: Update LRO calls to use the `begin_` prefix and `azure.core.polling.LROPoller`. Refactor exception handling to catch `azure.core.exceptions.HttpResponseError`.
• gotcha Deleting a Private DNS zone also deletes all DNS records within it, and this operation cannot be undone. Furthermore, a Private DNS zone cannot be deleted unless all virtual network links to it are first removed.
  Fix: Before deleting a Private DNS zone, ensure all associated virtual network links are removed, and be aware of the irreversible deletion of all records.
• gotcha The `PrivateDnsManagementClient` constructor accepts an `api_version` parameter. While it has a default, explicitly overriding it with an unsupported or outdated value can lead to unexpected API behavior or errors.
  Fix: Only override the `api_version` if you explicitly need to target a specific, compatible API version. Generally, rely on the SDK's default for the latest supported behavior.

Install

• pip install azure-mgmt-privatedns azure-identity Install with pip

Imports

• PrivateDnsManagementClient

  from azure.mgmt.privatedns import PrivateDnsManagementClient

• DefaultAzureCredential
  wrong:

  from azure.common.credentials import ServicePrincipalCredentials

  correct:

  from azure.identity import DefaultAzureCredential

  Old credential classes are deprecated and no longer supported; use azure-identity.

Quickstart

This quickstart demonstrates how to authenticate with Azure using `DefaultAzureCredential` and then list all Private DNS zones available in your subscription using `PrivateDnsManagementClient`. Ensure your `AZURE_SUBSCRIPTION_ID` environment variable is set for this example to run correctly, along with other necessary Azure Identity environment variables for authentication.

import os
from azure.identity import DefaultAzureCredential
from azure.mgmt.privatedns import PrivateDnsManagementClient

# Set your Azure Subscription ID as an environment variable or replace with your ID
# os.environ["AZURE_SUBSCRIPTION_ID"] = "<your-subscription-id>"

# Authenticate using DefaultAzureCredential. It will try various methods like environment variables,
# managed identity, Azure CLI, etc. For development, ensure AZURE_CLIENT_ID, AZURE_TENANT_ID,
# and AZURE_CLIENT_SECRET (or AZURE_CLI_AUTH_TOKEN for CLI login) are set.
credential = DefaultAzureCredential()
subscription_id = os.environ.get("AZURE_SUBSCRIPTION_ID", "")

if not subscription_id:
    raise ValueError("AZURE_SUBSCRIPTION_ID environment variable not set.")

client = PrivateDnsManagementClient(credential=credential, subscription_id=subscription_id)

# Example: List all private DNS zones in the subscription
print("Listing Private DNS Zones:")
for zone in client.private_zones.list():
    print(f"  - Zone Name: {zone.name}, Resource Group: {zone.id.split('/')[4]}")

# In a real application, ensure proper error handling and resource management (e.g., closing the client if needed).
# client.close() # if using an older client or specific scenarios, typically not needed for management clients.