Azure Application Gateways do not resolve Private Endpoints of Keyvault via custom DNS servers

Sergio Padure 11 Reputation points
2022-08-31T12:21:13.55+00:00

Hi,

We've hit the same issue that @Cat Mucius faced in this thread: https://learn.microsoft.com/en-us/answers/questions/714888/azure-application-gateways-do-not-resolve-private.html but for key vault.

Specifically, the Application Gateway doesn't resolve the Private Endpoint of the Key Vault using the custom DNS configured for the VNet but uses the Azure DNS, which causes it to attempt to connect to the public endpoint and fail, since that is blocked.

The error ERR_SSL_UNRECOGNIZED_NAME_ALERT points to this document, which does not cover this specific issue because Application Gateway Health remains green: https://learn.microsoft.com/en-us/azure/application-gateway/disabled-listeners

After internal analysis we opened a ticket with Microsoft, and the amazing support agent identified the issue and provided us with the solution, in the form of attaching the Private DNS zone to the VNet in which the Application Gateway is deployed, but that's a workaround.

As the previous issue concerning the Storage Accounts was given a permanent fix by @Jack Stromberg, I'm opening a new thread asking whether there is a permanent fix planned for the Key Vault as well.


3 answers

  1. Jack Stromberg 21 Reputation points Microsoft Employee
    2022-08-31T14:54:04.017+00:00

    If Key Vault is being used as a backend target (part of your backend pool), specify the `<yourvault>.privatelink.vaultcore.azure.net` address as the FQDN for the backend target. Within your corresponding backend HTTP setting, configure "Override with new host name" with the value "Yes" and check "Override with specific domain name" for the host name override. For the host name to override, use the FQDN provided by Key Vault (i.e. `<yourvault>.vault.azure.net`).

    If Key Vault is being referenced via private endpoint for a listener, you must associate the private DNS zone to the virtual network. I will work on clarifying these items via our docs.

    Hope this helps!
    Jack

    1 person found this answer helpful.
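The two situations in this thread (a listener certificate pulled from Key Vault, which needs the privatelink zone linked to the gateway's VNet, and Key Vault as a backend target, which needs the privatelink FQDN in the pool plus a host name override to the public vault name) can be checked mechanically. The script below is an added example for this thread; it is not Microsoft code and not part of either answer. It assumes the gateway and zone-link objects have the flattened camelCase shape that `az network application-gateway show -o json` and `az network private-dns link vnet list -o json` emit (`backendAddressPools`, `backendHttpSettingsCollection`, `requestRoutingRules`, `sslCertificates`, `virtualNetwork.id`); the resource ids and vault names inside it are constructed samples.

```python
"""Check an Application Gateway's Key Vault wiring against the advice in this thread.

Added example, not Microsoft's code. Assumes az CLI JSON shapes (see lead-in);
verify key names against your own `az ... show` output before relying on it.
"""
import copy

PRIVATELINK_SUFFIX = ".privatelink.vaultcore.azure.net"
PUBLIC_SUFFIX = ".vault.azure.net"
ZONE_NAME = "privatelink.vaultcore.azure.net"


def is_vault_fqdn(fqdn: str) -> bool:
    """True for either the public or the privatelink name of a Key Vault."""
    fqdn = fqdn.lower()
    return fqdn.endswith(PUBLIC_SUFFIX) or fqdn.endswith(PRIVATELINK_SUFFIX)


def check_appgw_keyvault(appgw: dict, zone_links: list, appgw_vnet_id: str) -> list:
    """Return findings as strings; an empty list means the gateway matches the advice."""
    findings = []
    linked = {link["virtualNetwork"]["id"].lower() for link in zone_links}
    zone_linked = appgw_vnet_id.lower() in linked

    # 1. Listener certificate fetched from Key Vault: the gateway itself resolves
    #    <vault>.vault.azure.net, so the privatelink zone must be linked to its VNet.
    for cert in appgw.get("sslCertificates", []):
        if cert.get("keyVaultSecretId") and not zone_linked:
            findings.append(
                f"sslCertificate '{cert['name']}' references Key Vault but {ZONE_NAME} "
                f"is not linked to {appgw_vnet_id}; the listener will be disabled "
                "once the certificate cannot be fetched"
            )

    # 2. Key Vault as a backend target: pool should carry the privatelink FQDN.
    vault_pools = {}
    for pool in appgw.get("backendAddressPools", []):
        fqdns = [a.get("fqdn") or "" for a in pool.get("backendAddresses", [])]
        vault_fqdns = [f for f in fqdns if is_vault_fqdn(f)]
        if not vault_fqdns:
            continue
        vault_pools[pool["id"].lower()] = pool
        for fqdn in vault_fqdns:
            if not fqdn.lower().endswith(PRIVATELINK_SUFFIX):
                findings.append(
                    f"backend pool '{pool['name']}' targets {fqdn}; use the "
                    f"<vault>{PRIVATELINK_SUFFIX} name so resolution does not depend "
                    "on Azure DNS returning the private address"
                )

    # 3. The HTTP setting used with a vault pool must override the host name with
    #    the public vault FQDN (the vault's TLS certificate covers that name only).
    settings_by_id = {s["id"].lower(): s for s in appgw.get("backendHttpSettingsCollection", [])}
    for rule in appgw.get("requestRoutingRules", []):
        pool_ref = ((rule.get("backendAddressPool") or {}).get("id") or "").lower()
        if pool_ref not in vault_pools:
            continue
        setting_ref = ((rule.get("backendHttpSettings") or {}).get("id") or "").lower()
        setting = settings_by_id.get(setting_ref)
        if setting is None:
            continue  # path-based rules keep these refs in urlPathMaps; not covered here
        host = (setting.get("hostName") or "").lower()
        if setting.get("pickHostNameFromBackendAddress") or not host.endswith(PUBLIC_SUFFIX):
            findings.append(
                f"backend setting '{setting['name']}' (rule '{rule['name']}') must override "
                f"the host name with <vault>{PUBLIC_SUFFIX}, not take it from the backend address"
            )
        if (setting.get("protocol") or "").lower() != "https" or setting.get("port") != 443:
            findings.append(f"backend setting '{setting['name']}' must use HTTPS on port 443")

    return findings


# Constructed sample resources modelled on the thread (placeholder subscription id).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
VNET_ID = f"{RG}/providers/Microsoft.Network/virtualNetworks/vnet-appgw"
GW = f"{RG}/providers/Microsoft.Network/applicationGateways/agw-demo"

MISCONFIGURED = {
    "sslCertificates": [{"name": "cert-from-kv",
                         "keyVaultSecretId": "https://myvault.vault.azure.net/secrets/listener-cert"}],
    "backendAddressPools": [{"id": f"{GW}/backendAddressPools/kv-pool", "name": "kv-pool",
                             "backendAddresses": [{"fqdn": "myvault.vault.azure.net"}]}],
    "backendHttpSettingsCollection": [{"id": f"{GW}/backendHttpSettingsCollection/kv-https",
                                       "name": "kv-https", "port": 443, "protocol": "Https",
                                       "pickHostNameFromBackendAddress": True, "hostName": None}],
    "requestRoutingRules": [{"name": "kv-rule",
                             "backendAddressPool": {"id": f"{GW}/backendAddressPools/kv-pool"},
                             "backendHttpSettings": {"id": f"{GW}/backendHttpSettingsCollection/kv-https"}}],
}
# Same gateway after applying Jack's answer.
FIXED = copy.deepcopy(MISCONFIGURED)
FIXED["backendAddressPools"][0]["backendAddresses"][0]["fqdn"] = "myvault.privatelink.vaultcore.azure.net"
FIXED["backendHttpSettingsCollection"][0].update(pickHostNameFromBackendAddress=False,
                                                 hostName="myvault.vault.azure.net")
ZONE_LINKS_FIXED = [{"name": "link-appgw-vnet", "virtualNetwork": {"id": VNET_ID}}]

if __name__ == "__main__":
    for label, gw, links in (("before", MISCONFIGURED, []), ("after", FIXED, ZONE_LINKS_FIXED)):
        print(label, check_appgw_keyvault(gw, links, VNET_ID) or "OK")
```

Feed it the real `az` output for your gateway and the zone links of `privatelink.vaultcore.azure.net`, passing the gateway's VNet resource id explicitly; the "before" fixture reproduces the thread's symptoms (public FQDN in the pool, host name taken from the backend address, certificate from Key Vault with no zone link) and yields three findings, while the "after" fixture yields none.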

  2. Benjamin LALANDE 5 Reputation points
    2024-01-17T08:46:16.25+00:00

    Hi,

    I have exactly the same problem as Sergio Padure.

    The two solutions are:

    • In the Key Vault firewall, use a service endpoint with the App Gateway subnet
    • Attach the private zone to the spoke VNet where the App Gateway exists...

    I haven't tried creating a listener that redirects to the Key Vault as Jack mentioned, but if you have several Key Vaults you don't create X listeners.

    Is there a permanent fix planned for the Key Vault?

    Thank you

    1 person found this answer helpful.

  3. Kupferschmid Christian 0 Reputation points
    2023-09-21T12:21:02.4066667+00:00

    We are currently in contact with Microsoft support as we have exactly the same issue. Application Gateway is resolving public addresses for privatized services. In our case the services are primarily Web Apps.

    I have just double-checked: the App Gateway is in the same VNet as all the privatelink DNS zones as well as our DNS forwarders/servers. The IP addresses of those DNS servers are configured on all the VNets as custom DNS servers.

    The faulty resolution comes and goes for now and interrupts access to web sites at least once a day for approx. 30 min.

    If there is anyone with an idea, I would really be interested.

    g,

    chris
