Azure AI Foundry Agent Service - Data Proxy cannot resolve private Container Apps DNS for private MCP servers in BYO VNet setup

Question

Azure AI Foundry Agent Service - Data Proxy cannot resolve private Container Apps DNS for private MCP servers in BYO VNet setup

Hasindu Rathnayake 0

─────────────────────────────────────────

ENVIRONMENT

─────────────────────────────────────────

Azure AI Foundry Agent Service: Standard Agent Setup with BYO VNet
Setup template: 19-hybrid-private-resources-agent-setup (Bicep)
MCP server host: Azure Container Apps (internal-only ingress, dedicated mcp-subnet)
Region: Australia East
SDK: azure-ai-projects 2.0.0b4 (Python)
Capability host provisioning state: Succeeded
customerSubnet: configured on account-level capability host

─────────────────────────────────────────

WHAT I AM TRYING TO DO

─────────────────────────────────────────

Deploy a private MCP server inside a VNet and connect it as a tool to a Foundry agent using the Standard Agent Setup with BYO VNet (template 19-hybrid-private-resources-agent-setup), as documented here:

https://dori-uw-1.kuma-moon.com/en-us/azure/foundry/agents/how-to/tools/model-context-protocol

The documentation states that private MCP is supported with Standard Agent Setup:

"Private endpoints: Connect to MCP servers that aren't exposed to the public internet. Private MCP requires Standard Agent Setup with private networking and a dedicated MCP subnet within your virtual network."

And the tool support table confirms:

"MCP Tool (Private MCP) | ✅ Supported | Through your VNet subnet"

─────────────────────────────────────────

INFRASTRUCTURE SETUP

─────────────────────────────────────────

VNet: 10.0.0.0/16 with four subnets:

agent-subnet (10.0.0.0/24) — delegated to Microsoft.App/environments, used for Foundry agent runtime injection
pe-subnet (10.0.1.0/24) — private endpoints for Foundry, CosmosDB, Storage, AI Search & VM
mcp-subnet (10.0.2.0/24) — delegated to Microsoft.App/environments, hosts the private MCP server ACA environment

MCP server deployment:

Azure Container Apps environment on mcp-subnet with --internal-only true
Container app deployed with --ingress internal, --target-port 8080

Private DNS configuration:

Private DNS zone created for default domain of ACA MCP server
DNS zone linked to VNet
Wildcard A record: * → Static IP address of MCP server

Foundry capability host (account-level):

capabilityHostKind: Agents
customerSubnet: .../subnets/agent-subnet
provisioningState: Succeeded

─────────────────────────────────────────

VALIDATION FROM WITHIN THE VNET

─────────────────────────────────────────

From a Windows jump box VM deployed in pe-subnet, the private MCP server is fully reachable and working:

DNS resolution: Resolve-DnsName <MCP_SERVER_URL> → Resolves to <MCP_SERVER_STATIC_IP> ✅
TCP connectivity: Test-NetConnection ... -Port 443 → TcpTestSucceeded: True ✅
MCP initialize request: Invoke-WebRequest (POST /noauth/mcp with initialize payload) → HTTP 200 OK → Returns valid mcp-session-id header → Full MCP handshake successful ✅

This confirms the private MCP server, DNS configuration, and network routing are all correctly configured within the VNet.

─────────────────────────────────────────

THE PROBLEM

─────────────────────────────────────────

When a Foundry agent attempts to enumerate tools from the private MCP server, the following error is returned:

HTTP 400

{

"error": {

"message": "Error encountered while enumerating tools from remote server <MCP_SERVER_URL>:443/noauth/mcp. Details: Name or service not known (<MCP_SERVER_URL>:443)",

"type": "invalid_request_error",

"code": "tool_user_error"

}

The error is "Name or service not known" — a DNS resolution failure. The agent can be created successfully with the MCPTool configuration, but tool enumeration fails immediately when the agent is invoked.

─────────────────────────────────────────

WHAT WAS TRIED

─────────────────────────────────────────

Both --ingress internal (FQDN with .internal. prefix) and --ingress external (FQDN without .internal. prefix) on the internal ACA environment — same error.
Microsoft's own pre-built multi-auth MCP test image (retrievaltestacr.azurecr.io/multi-auth-mcp/api-multi-auth-mcp-env:latest) deployed as the MCP server instead of our custom server — same DNS error. This rules out MCP server implementation as the cause.
Set VNet DNS server explicitly to Azure DNS IP (168.63.129.16) — no change.
Tested via both the Foundry portal and the Python SDK — same failure from both paths.
The same MCP server URL works perfectly when the ACA environment is public (non-internal), confirming the issue is specific to private/internal ACA DNS resolution.

─────────────────────────────────────────

ROOT CAUSE HYPOTHESIS

─────────────────────────────────────────

The Foundry Agent Service appears to use an internal component (referred to as the "Data Proxy" in the platform) to route MCP tool calls. This component appears to resolve DNS from Microsoft's managed infrastructure rather than from within the customer's injected VNet subnet. As a result it cannot resolve private Container Apps FQDNs that are only visible via the customer's private DNS zones linked to the VNet.

This hypothesis is supported by Microsoft's own test script in the 19-hybrid-private-resources-agent-setup template (tests/test_mcp_tools_agents_v2.py), which explicitly handles this as a known failure:

   elif "424" in error_str or "Failed Dependency" in error_str:
      print("  ⚠ Known Issue: DNS Resolution")

      print("  Data Proxy cannot resolve private Container Apps DNS.")
```And in the template's test results table:

  "Private MCP via Data Proxy | DNS resolution issues for Container Apps | 

   Use public MCP server"

**─────────────────────────────────────────**

QUESTIONS

─────────────────────────────────────────

1. Is this a known platform bug that is being actively worked on? If so, is there an estimated timeline for a fix?

1. Is there a specific DNS zone format or FQDN format required for the Data Proxy to resolve private Container Apps endpoints — for example, a different zone name or a custom domain on the Container App?

1. Is the Data Proxy expected to perform DNS resolution through the customer's injected agent subnet, or does it always resolve from Microsoft's infrastructure? If the latter, is there a mechanism to configure the Data Proxy's DNS resolver to use the customer's VNet DNS?

1. Is there a validated workaround for private MCP server connectivity that does not require exposing the MCP server publicly — for example, using Azure API Management as a public proxy in front of the private MCP server?

**─────────────────────────────────────────**

REFERENCES

─────────────────────────────────────────

- MCP tool documentation:

  [https://dori-uw-1.kuma-moon.com/en-us/azure/foundry/agents/how-to/tools/model-context-protocol](https://dori-uw-1.kuma-moon.com/en-us/azure/foundry/agents/how-to/tools/model-context-protocol)
  
- Private networking for Foundry Agent Service:

  [https://dori-uw-1.kuma-moon.com/en-us/azure/foundry/agents/how-to/virtual-networks](https://dori-uw-1.kuma-moon.com/en-us/azure/foundry/agents/how-to/virtual-networks)
  
- Agent tools with network isolation:

  [https://dori-uw-1.kuma-moon.com/en-us/azure/foundry/how-to/configure-private-link#tool-support-and-traffic-flow](https://dori-uw-1.kuma-moon.com/en-us/azure/foundry/how-to/configure-private-link#tool-support-and-traffic-flow)
  
- 19-hybrid-private-resources-agent-setup template:

  [https://github.com/microsoft-foundry/foundry-samples/tree/main/infrastructure/infrastructure-setup-bicep/19-hybrid-private-resources-agent-setup](https://github.com/microsoft-foundry/foundry-samples/tree/main/infrastructure/infrastructure-setup-bicep/19-hybrid-private-resources-agent-setup)
  
- Testing guide (contains known issue acknowledgement):

  [https://github.com/microsoft-foundry/foundry-samples/blob/main/infrastructure/infrastructure-setup-bicep/19-hybrid-private-resources-agent-setup/tests/TESTING-GUIDE.md](https://github.com/microsoft-foundry/foundry-samples/blob/main/infrastructure/infrastructure-setup-bicep/19-hybrid-private-resources-agent-setup/tests/TESTING-GUIDE.md)

SRILAKSHMI C 16,705 Reputation points Microsoft External Staff Moderator

2026-04-09T13:57:06.2066667+00:00
Hello Hasindu Rathnayake,

Thanks again for the detailed investigation,

After reviewing your setup and findings, this behavior is not due to a misconfiguration, but rather a known platform limitation in the current Azure AI Foundry Agent Service implementation.

What’s happening

The Foundry Agent Service uses an internal component to communicate with MCP tools.

At present:

The Data Proxy performs DNS resolution from Microsoft-managed infrastructure

It does not use the DNS context of your injected VNet/subnet

As a result Private DNS zones linked to your VNet are not visible, Internal-only FQDNs such as Azure Container Apps with internal ingress cannot be resolved

This directly explains the error you’re seeing “Name or service not known”

And aligns with:

Your successful validation from within the VNet

The fact that the same MCP server works when exposed publicly

The known issue documented in the 19-hybrid-private-resources-agent-setup sample tests

Current limitation

Private MCP endpoints hosted on internal-only Azure Container Apps are not fully supported today

This is due to Data Proxy DNS resolution limitations, not your configuration

Even though documentation mentions private MCP support, this specific scenario (ACA internal + private DNS) is currently not fully functional

DNS configuration will not resolve this

To clarify:

There is no special DNS zone or FQDN format that will make this work

Custom/private DNS zones are not used by the Data Proxy

The proxy only resolves publicly reachable hostnames

Workarounds

At the moment, the supported options are:

Public MCP endpoint

Expose the MCP server via a public endpoint and secure it using:

Authentication (tokens/headers)

IP restrictions

This is the only fully supported configuration today

Public proxy in front of private MCP

You can keep your backend private by introducing a public entry point:

Azure API Management

Azure Front Door

Azure Application Gateway

Benefits:

Data Proxy can resolve the public hostname

Your MCP server remains private within the VNet

You can enforce security controls at the proxy layer

Fully private ACA endpoint

Not supported today due to DNS resolution limitation

No workaround using only private DNS/VNet configuration

Roadmap or ETA

This is a known limitation

The product team is aware, and it is on the backlog

There is currently no published ETA for full private DNS support via the Data Proxy

Please refer this

Model-Context Protocol (MCP) tool docs https://dori-uw-1.kuma-moon.com/azure/foundry/agents/how-to/tools/model-context-protocol

Private networking for Foundry Agent Service https://dori-uw-1.kuma-moon.com/azure/foundry/agents/how-to/virtual-networks

Hybrid/private resources sample (includes the test that prints “Known Issue: DNS Resolution”) https://github.com/microsoft-foundry/foundry-samples/tree/main/infrastructure/infrastructure-setup-bicep/19-hybrid-private-resources-agent-setup

I Hope this helps. Do let me know if you have any further queries.

Thank you!

1 answer

Your answer

Answer 1

Status of the issue The behavior described matches a known limitation: private MCP connectivity is only validated and supported when:

Using Standard Agent Setup with private networking (BYO VNet), and
Hosting the private MCP server on Azure Container Apps on a dedicated MCP subnet, and
DNS for that private endpoint is resolvable from the agent’s private network.

However, the provided context explicitly calls out that DNS resolution problems can occur for private MCP servers and that this is a known issue in some configurations. The 19-hybrid-private-resources-agent-setup sample and its tests acknowledge DNS-related failures for private MCP via the Data Proxy, and the testing guide notes DNS resolution issues for Container Apps.

The context does not provide an official statement about an active fix or timeline. No SLA or ETA is documented in the referenced materials.

Required DNS/FQDN format The documentation for private MCP in Agent Service states:

Private MCP requires Standard Agent Setup with private networking and a dedicated MCP subnet.
Private DNS must be configured so that the MCP FQDN resolves to a private IP from within the VNet.

For DNS:

A private DNS zone must exist for the MCP server’s FQDN and be linked to the VNet.
From a machine connected to the VNet, nslookup <resource-fqdn> must resolve to a private IP.

The context does not specify any special or alternate DNS zone naming pattern or FQDN format that the Data Proxy requires beyond standard private DNS configuration. It only requires that private DNS resolution works from within the VNet and that conditional forwarders (if using custom DNS) forward to Azure DNS at 168.63.129.16.

Where DNS resolution is expected to happen For private MCP:

The documented, supported pattern is: Standard Agent Setup with private networking (BYO VNet) and a dedicated MCP subnet delegated to Microsoft.App/environments.
The troubleshooting guidance for “Private MCP server is unreachable from agent” states that the MCP server must be on the MCP subnet with the correct delegation and that private DNS resolution must succeed.

This implies the platform expects MCP traffic (including DNS resolution) to flow through the customer’s VNet, using:

The MCP subnet (for the Container Apps environment), and
The agent subnet (for the Agent Service runtime injection), and
The VNet’s DNS configuration (Azure DNS or custom DNS that forwards to Azure DNS).

The context does not describe a configurable DNS resolver for the Data Proxy, nor does it document any mechanism to override or customize how the Data Proxy performs DNS resolution. No setting is documented to point the Data Proxy explicitly at a different DNS server.

Validated workarounds for private MCP The documentation provides the following validated patterns and guidance:

Private MCP hosting pattern:
- Host the MCP server on Azure Container Apps with internal-only ingress on a dedicated MCP subnet delegated to Microsoft.App/environments.
- Use the 19-hybrid-private-resources-agent-setup template for a known-good baseline.
If the private MCP server is unreachable from the agent:
- Verify the MCP server is deployed on the MCP subnet with Microsoft.App/environments delegation.
- Check private DNS zone configuration and linkage to the VNet.
- Ensure DNS resolution of the MCP FQDN returns a private IP from within the VNet.
If Foundry resources themselves are behind Private Link and the hosted Foundry MCP Server cannot reach them:
- Either disable Private Link, use SDKs/REST APIs directly, or use a custom MCP server with private networking through Foundry Agent Service.

The context does not document Azure API Management or any other public proxy as an officially validated workaround for private MCP DNS issues. It also does not document an alternative pattern specifically to work around Data Proxy DNS limitations beyond the standard private MCP guidance above.

Given the provided information, the only documented, supported workaround is to:

Ensure the MCP server is on the dedicated MCP subnet with correct delegation, and
Ensure private DNS is correctly configured and resolvable from the VNet, and
Use Standard Agent Setup with private networking.

No additional, officially validated workaround that avoids public exposure (such as a documented APIM pattern) is described in the context.

References:

Share via

Azure AI Foundry Agent Service - Data Proxy cannot resolve private Container Apps DNS for private MCP servers in BYO VNet setup

1 answer

Your answer