I have set up private endpoint for various Azure resources (SQL Server, Web Apps etc.) and set up conditional forwarding to the Azure wire server within our DNS configuration.

A ping resolves to the private IP of the server (i.e. that of the private endpoint) when testing from Azure VM's within the VNET, but when testing from local machines, it seems to flip flop between returning the private IP and returning the public azure endpoint, meaning I can sometimes connect through to these resources from my machine (when the private IP is being returned) and sometimes not (when the public IP is being returned).

We have our local machines pointing at Cisco Umbrella for their DNS resolution already, and have therefore opted to have the relevant azure endpoints forward onto our VM-based DNS servers using Umbrella's in-built DNS forwarding capabilities.

If I test through this method I can replicate the issue, if I override this method using my hosts file (pointing the relevant URL's directly at their private endpoint IP address), it works consistently, suggesting the issue is with Cisco Umbrella, and it is not consistently handling the requests.

Any ideas on how to resolve this?